berbew | f79ead99660cb718dd4330d481927c26e317c04f904e1241a1b60031cfe3a97e

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f79ead99660cb718dd4330d481927c26e317c04f904e1241a1b60031cfe3a97e.exe
Size

92KB
MD5

46e655474a774d508615f4ef27d414d9
SHA1

c212a3ee77481ce059032d5fa35fe160ab9f05e7
SHA256

f79ead99660cb718dd4330d481927c26e317c04f904e1241a1b60031cfe3a97e
SHA512

0f0c0515e34f4263c2dd53c2c92b7f329f1dd53262bb407304730af8dde15f5f857a7651b0849d05298ebdf09fc03757c7c99f03670f2c23fdc925aeccd89358
SSDEEP

1536:TMAXBDOvFLnaxfskFGhwcOiPsWRanzqyPD85sKpN2KN3imnunGP+i:dXBDOvFTaxkkYXenzpypYKVbe4+i

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lepncd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbfkbhpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bganhm32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2796	Ligqhc32.exe
540	Lpqiemge.exe
1744	Ldleel32.exe
1272	Lfkaag32.exe
4072	Llgjjnlj.exe
3188	Ldoaklml.exe
3260	Lepncd32.exe
2112	Lljfpnjg.exe
3784	Lbdolh32.exe
4756	Lingibiq.exe
1496	Lllcen32.exe
2232	Lphoelqn.exe
1384	Mbfkbhpa.exe
2148	Medgncoe.exe
5088	Mmlpoqpg.exe
3484	Mplhql32.exe
3140	Meiaib32.exe
4296	Mmpijp32.exe
4360	Mdjagjco.exe
532	Melnob32.exe
4608	Mlefklpj.exe
512	Mcpnhfhf.exe
1356	Miifeq32.exe
1300	Mlhbal32.exe
3012	Ncbknfed.exe
2604	Nepgjaeg.exe
1968	Nngokoej.exe
3448	Ndaggimg.exe
3084	Nebdoa32.exe
5084	Nnjlpo32.exe
4236	Nphhmj32.exe
3132	Neeqea32.exe
2332	Njqmepik.exe
2144	Npjebj32.exe
1048	Ncianepl.exe
4436	Nnneknob.exe
4392	Ndhmhh32.exe
2444	Nfjjppmm.exe
4976	Oponmilc.exe
436	Ocnjidkf.exe
5108	Ogifjcdp.exe
3036	Ojgbfocc.exe
2772	Olfobjbg.exe
1600	Odmgcgbi.exe
3688	Ogkcpbam.exe
4776	Oneklm32.exe
1976	Olhlhjpd.exe
3496	Ocbddc32.exe
3176	Ofqpqo32.exe
1568	Onhhamgg.exe
4232	Oqfdnhfk.exe
2624	Odapnf32.exe
1916	Ofcmfodb.exe
2620	Onjegled.exe
3264	Oddmdf32.exe
748	Ocgmpccl.exe
64	Pnlaml32.exe
3404	Pqknig32.exe
1392	Pcijeb32.exe
2964	Pfhfan32.exe
2956	Pggbkagp.exe
440	Pnakhkol.exe
3008	Pmdkch32.exe
3252	Pcncpbmd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Ndhmhh32.exe
File opened for modification	C:\Windows\SysWOW64\Odmgcgbi.exe	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Npjebj32.exe	Njqmepik.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Mmpijp32.exe	Meiaib32.exe
File opened for modification	C:\Windows\SysWOW64\Onhhamgg.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Lllcen32.exe	Lingibiq.exe
File created	C:\Windows\SysWOW64\Gbmgladp.dll	Nebdoa32.exe
File opened for modification	C:\Windows\SysWOW64\Ncianepl.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Onhhamgg.exe	Ofqpqo32.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Kjiccacq.dll	Melnob32.exe
File opened for modification	C:\Windows\SysWOW64\Ogkcpbam.exe	Odmgcgbi.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Llgjjnlj.exe	Lfkaag32.exe
File created	C:\Windows\SysWOW64\Olhlhjpd.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Fojhkmkj.dll	Ligqhc32.exe
File created	C:\Windows\SysWOW64\Kiljkifg.dll	Mmpijp32.exe
File created	C:\Windows\SysWOW64\Ncianepl.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Nfjjppmm.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Gfmccd32.dll	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Onliio32.dll	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Pcijeb32.exe	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Ndaggimg.exe	Nngokoej.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Lingibiq.exe	Lbdolh32.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Anadoi32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Ldleel32.exe	Lpqiemge.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Olcjhi32.dll	Mcpnhfhf.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Ogifjcdp.exe
File opened for modification	C:\Windows\SysWOW64\Mbfkbhpa.exe	Lphoelqn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5500	5280	WerFault.exe	231

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ligqhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphoelqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgjjnlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	f79ead99660cb718dd4330d481927c26e317c04f904e1241a1b60031cfe3a97e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	f79ead99660cb718dd4330d481927c26e317c04f904e1241a1b60031cfe3a97e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Miifeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljodkeij.dll"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkhqj32.dll"	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjknp32.dll"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f79ead99660cb718dd4330d481927c26e317c04f904e1241a1b60031cfe3a97e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ligqhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lllcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nenqea32.dll"	Nngokoej.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3852 wrote to memory of 2796	3852	f79ead99660cb718dd4330d481927c26e317c04f904e1241a1b60031cfe3a97e.exe	82
PID 3852 wrote to memory of 2796	3852	f79ead99660cb718dd4330d481927c26e317c04f904e1241a1b60031cfe3a97e.exe	82
PID 3852 wrote to memory of 2796	3852	f79ead99660cb718dd4330d481927c26e317c04f904e1241a1b60031cfe3a97e.exe	82
PID 2796 wrote to memory of 540	2796	Ligqhc32.exe	83
PID 2796 wrote to memory of 540	2796	Ligqhc32.exe	83
PID 2796 wrote to memory of 540	2796	Ligqhc32.exe	83
PID 540 wrote to memory of 1744	540	Lpqiemge.exe	84
PID 540 wrote to memory of 1744	540	Lpqiemge.exe	84
PID 540 wrote to memory of 1744	540	Lpqiemge.exe	84
PID 1744 wrote to memory of 1272	1744	Ldleel32.exe	85
PID 1744 wrote to memory of 1272	1744	Ldleel32.exe	85
PID 1744 wrote to memory of 1272	1744	Ldleel32.exe	85
PID 1272 wrote to memory of 4072	1272	Lfkaag32.exe	86
PID 1272 wrote to memory of 4072	1272	Lfkaag32.exe	86
PID 1272 wrote to memory of 4072	1272	Lfkaag32.exe	86
PID 4072 wrote to memory of 3188	4072	Llgjjnlj.exe	87
PID 4072 wrote to memory of 3188	4072	Llgjjnlj.exe	87
PID 4072 wrote to memory of 3188	4072	Llgjjnlj.exe	87
PID 3188 wrote to memory of 3260	3188	Ldoaklml.exe	88
PID 3188 wrote to memory of 3260	3188	Ldoaklml.exe	88
PID 3188 wrote to memory of 3260	3188	Ldoaklml.exe	88
PID 3260 wrote to memory of 2112	3260	Lepncd32.exe	89
PID 3260 wrote to memory of 2112	3260	Lepncd32.exe	89
PID 3260 wrote to memory of 2112	3260	Lepncd32.exe	89
PID 2112 wrote to memory of 3784	2112	Lljfpnjg.exe	90
PID 2112 wrote to memory of 3784	2112	Lljfpnjg.exe	90
PID 2112 wrote to memory of 3784	2112	Lljfpnjg.exe	90
PID 3784 wrote to memory of 4756	3784	Lbdolh32.exe	91
PID 3784 wrote to memory of 4756	3784	Lbdolh32.exe	91
PID 3784 wrote to memory of 4756	3784	Lbdolh32.exe	91
PID 4756 wrote to memory of 1496	4756	Lingibiq.exe	92
PID 4756 wrote to memory of 1496	4756	Lingibiq.exe	92
PID 4756 wrote to memory of 1496	4756	Lingibiq.exe	92
PID 1496 wrote to memory of 2232	1496	Lllcen32.exe	93
PID 1496 wrote to memory of 2232	1496	Lllcen32.exe	93
PID 1496 wrote to memory of 2232	1496	Lllcen32.exe	93
PID 2232 wrote to memory of 1384	2232	Lphoelqn.exe	94
PID 2232 wrote to memory of 1384	2232	Lphoelqn.exe	94
PID 2232 wrote to memory of 1384	2232	Lphoelqn.exe	94
PID 1384 wrote to memory of 2148	1384	Mbfkbhpa.exe	95
PID 1384 wrote to memory of 2148	1384	Mbfkbhpa.exe	95
PID 1384 wrote to memory of 2148	1384	Mbfkbhpa.exe	95
PID 2148 wrote to memory of 5088	2148	Medgncoe.exe	96
PID 2148 wrote to memory of 5088	2148	Medgncoe.exe	96
PID 2148 wrote to memory of 5088	2148	Medgncoe.exe	96
PID 5088 wrote to memory of 3484	5088	Mmlpoqpg.exe	97
PID 5088 wrote to memory of 3484	5088	Mmlpoqpg.exe	97
PID 5088 wrote to memory of 3484	5088	Mmlpoqpg.exe	97
PID 3484 wrote to memory of 3140	3484	Mplhql32.exe	98
PID 3484 wrote to memory of 3140	3484	Mplhql32.exe	98
PID 3484 wrote to memory of 3140	3484	Mplhql32.exe	98
PID 3140 wrote to memory of 4296	3140	Meiaib32.exe	99
PID 3140 wrote to memory of 4296	3140	Meiaib32.exe	99
PID 3140 wrote to memory of 4296	3140	Meiaib32.exe	99
PID 4296 wrote to memory of 4360	4296	Mmpijp32.exe	100
PID 4296 wrote to memory of 4360	4296	Mmpijp32.exe	100
PID 4296 wrote to memory of 4360	4296	Mmpijp32.exe	100
PID 4360 wrote to memory of 532	4360	Mdjagjco.exe	101
PID 4360 wrote to memory of 532	4360	Mdjagjco.exe	101
PID 4360 wrote to memory of 532	4360	Mdjagjco.exe	101
PID 532 wrote to memory of 4608	532	Melnob32.exe	102
PID 532 wrote to memory of 4608	532	Melnob32.exe	102
PID 532 wrote to memory of 4608	532	Melnob32.exe	102
PID 4608 wrote to memory of 512	4608	Mlefklpj.exe	103

C:\Users\Admin\AppData\Local\Temp\f79ead99660cb718dd4330d481927c26e317c04f904e1241a1b60031cfe3a97e.exe
"C:\Users\Admin\AppData\Local\Temp\f79ead99660cb718dd4330d481927c26e317c04f904e1241a1b60031cfe3a97e.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3852
- C:\Windows\SysWOW64\Ligqhc32.exe
  C:\Windows\system32\Ligqhc32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\Lpqiemge.exe
    C:\Windows\system32\Lpqiemge.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\Windows\SysWOW64\Ldleel32.exe
      C:\Windows\system32\Ldleel32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1744
    - - C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1272
      - C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:512
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        25⤵
        Executes dropped EXE
        
        PID:1300
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3448
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        32⤵
        Executes dropped EXE
        
        PID:4236
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        33⤵
        Executes dropped EXE
        
        PID:3132
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2144
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1048
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5108
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2772
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1600
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4776
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        48⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4232
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        55⤵
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        58⤵
        Executes dropped EXE
        
        PID:64
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3404
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2964
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        63⤵
        Executes dropped EXE
        
        PID:440
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        66⤵
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        67⤵
        
        PID:640
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4832
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        72⤵
        Drops file in System32 directory
        
        PID:3020
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        80⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        81⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3896
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        86⤵
        Drops file in System32 directory
        
        PID:1176
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2176
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3276
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        91⤵
        Drops file in System32 directory
        
        PID:1692
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        92⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        93⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1616
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        100⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4160
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        102⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        103⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        104⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        106⤵
        Drops file in System32 directory
        
        PID:4216
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        109⤵
        Drops file in System32 directory
        
        PID:3032
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5144
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        113⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        114⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5316
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5360
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        118⤵
        Drops file in System32 directory
        
        PID:5404
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        119⤵
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        120⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        121⤵
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        122⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5624
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        125⤵
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        126⤵
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:5844
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        129⤵
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5976
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        132⤵
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        133⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:6108
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        138⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5300
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5412
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        140⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        141⤵
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5620
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        143⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        144⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        146⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5896
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        147⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5964
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6116
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        150⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        151⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5280 -s 228
        152⤵
        Program crash
        
        PID:5500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5280 -ip 5280
1⤵
PID:5440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
92KB

MD5
4196efa43352c75a203e6a1a7b72ffb8

SHA1
e37e575c5b33b7d7c28aedf2c0d458f8f814abd2

SHA256
4e09e3e6e1c917effdaeccbfdaf28d7a62e7f19abf7d7667986f33dc51859fc9

SHA512
961d5a442e31d011a40cf81512a3de6505c6e1e03074f7f13d6ed32e691a0ecd46dc64c25029d61454c0739a5516aef02c9ecf8940b77f8db1786be42ade0a88

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
92KB

MD5
523bb5e289edb38615490523f825d982

SHA1
b35399227cd9a6ce751fb592b32d8a898fcbe8ca

SHA256
c68a8fe30421510a4e83a9c904e37f6a2e13dda6a6c01df24ce4e78de7c9a241

SHA512
89d5f9550a67885b179bdbbb6bd03457f55421e53fab4610376265d3bf56cf4a6c7c9e6776e375a71e09dd021ed8d3b64a32b9ab76dac6adae52bc89b50d324a

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
92KB

MD5
56e6c6b1215b6579d8929619c71a783e

SHA1
5d6bbb05c6667cae0d73b4959839f20233495309

SHA256
3c196ba2e79df0079c5ef04ed13217ffca22aa103760870eb2c2dc00d0c08417

SHA512
30f32c4953da0e5ce4cc2f881255090964aeb30251759dff1576169f4d896d87220be935a680ced61e09c58a7586cb924e4b5a0ea1055816bf80a7ccf8b06079

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
92KB

MD5
de1d0f44718561b9b2d6089396abeaec

SHA1
17ed2a97510ef99a781b1b970aa623e82a95d0f6

SHA256
81e6dcc817c70e760aaed42f83a9e31516204dd3f520827db77c61d53e96b8fb

SHA512
80a0b3d40633a83dc921654c879f53f3dc620f3d24b614e9dfd965e51e03706ff5ba5d8b04c9b6e14dab303852dbfd6b0bbf48c0e57daac4eebb52e1ef4f84d9

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
92KB

MD5
b177d0a46f5c5cc1b91b632796e1aa9c

SHA1
8361d1e49576b0241d1f0a5b725a1a8e4c09c40f

SHA256
29a2abdf5a0d5db3485ed0838588758484c1679cd354cacd65b96a3a8e32fbfa

SHA512
f984277bf339592f10fbc7699456025c6d1d9282b95314cf0a105d70251af44b89189f2e484613fd6f49587b5a048c6417575ce766e4e496d3a7831106a67ede

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
92KB

MD5
f58babbaf166b67b20fd3248c345504c

SHA1
8c57433e4e49f5fde205b2ae353790489e765090

SHA256
8ab386ae38243b255de7bb3d16a7e6c0a4edf490fbe911629ecf4e8dd8ab21c7

SHA512
47e89c801621e7ca206e4cf1b88117b57b86c75ef16ecc72598a6d72f99ac1310305b781018d8ac159b1fca4da53e9c6fab33941d7e2bcf0fd29b567787a6551

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
92KB

MD5
419a5206cbd972d3afb518c8824e9cc7

SHA1
58d365eeb7e90187405bc01dbe3c0463e4233ee1

SHA256
465a691566e8e89d51d3f841c14441d8d619107e0bbd5555b1cb2949e3f7b6e5

SHA512
04bc28a731b68bbef199a2b36b9ff5f8b0cad274e6474151e1625393f27394d4400a7fa348ee3df23cc9ef774d85fc9fc059ea4db9cfd4a9c891e4e0fede1429

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
92KB

MD5
a4ff01ac33eb52b0a17a8c03d3434c6e

SHA1
bbe23e446b918614e34d1bd9f8f2e07a40e9e439

SHA256
bfbb64fe2a34a8611ac4e5f02fc5dc0c8170bc23b2545a12d36aa3d44b77fb2c

SHA512
0a2040126388507a99ae5daece8e55b9004f33d53c4d6f79510125fc66f862fd3964da7080335aba417b04112200751d95106cb1bbcd9055b3d1e07a5d1e564c

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
92KB

MD5
47bfd3e335ea2da948ce0c146c772372

SHA1
c4a409ee278794e2cc4e67bd984c121a93a1ca8e

SHA256
14a59cdb36860f0fa79e9ca4699c8de884807ee773e83491a1c65d1340e29e69

SHA512
09b25ecb19e3d795fcecf15dd753ad776127fd3fed5065f57cad849c16b088b8fe2027c2dba0e6709a4c7e49ed659ae5d40ecf46a474c38a8e8355c1f04b02c5

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
92KB

MD5
cfc08e910cbeae5762621d2e0542168f

SHA1
00402ca0b164cefb28df672a9cf1bfe572d384c8

SHA256
5eb4d455c750e639ca83d10ae76ca04524cee2a4fa1a4fa5283fcbd934113b7f

SHA512
8c03ece56a93701da4435daf6f29d93bd6ab96db9d559d4a8014f1917b0b1ce8e80e14a096397594baa255397635556cc34f8ce9819a52a3fb2be7f893bac712

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
92KB

MD5
7e8bd754844eeefbdcd80f2f1c42553c

SHA1
a62b7467d46ea5bab7539c7f4abc925a78a56f00

SHA256
6c8e126c91e2e01e399cb03f52cacd7503e8bf3b306e510b002432e655b1dfdf

SHA512
7e7f2b654b60f07f142a058fb48a992c295eea10cff63f355884f8b2215ae15ad8e257ea6797f3810330c817b6c9d8534febc47a9718504a3a14743badf33bff

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
92KB

MD5
50d1a24154cafef8e3730ab36c8811fd

SHA1
458ecb9062c015d431e45e4f91a68e9333fa087a

SHA256
801b6c08612d287526381e3c45fadc288921fabe1ca0571a34cbd5eec7e76ebb

SHA512
da9f475365c3de7c44694e2ee9af6a2c6cc4c4cf014df0caa1444a1ff78db35037253f31de856c638859bb9e851067ed4e3e770134a7dcd916a187ef89f18f5b

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
92KB

MD5
4202db72890c88bcc1f0877541d5e5c6

SHA1
0f48dc98faebda570f1df29d7ce07fdf78ea5f05

SHA256
a9dd952789193eb225ef7ad30aa581fe98db85cfcdc6168b20343741c85d2cf0

SHA512
21780c6fdee5da5f5dbde0cd08fa9e9356ddad70be190f4d3b1ac6fd04f441b20410c94819a40583bbfd99320aa00f7b7565a633bfd873be55aeec53c62659f7

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
92KB

MD5
9e2b728dc923f6eb7593471a4179efba

SHA1
af2483a0ba9d4f9e4a54ffb6a511c9bcbacb3b3d

SHA256
e3b323d2381bec3549857fbb7da277ebf9008a33df4bf9994f35a0b6ba9628e3

SHA512
4521c98123499b7787b2ee346b2372d254a0b8b883400813168b18624ee580ff55a94240e6fdf70f6a782692566f3e72d2d6bcd3f7eb0c882f09259f3e9a7ad9

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
92KB

MD5
966f696566ed258083c6e2276fb00ca9

SHA1
88577319b545d923ddee50b2a8d6d5597fea72b8

SHA256
356aff307a7549e66063aa61764874f453899746568d4627e38e6ac68101015b

SHA512
5d876d1295cb27309e07177caa0db33dd2ad82c56df6c7b873b43b02fe34669adb54fe40178f409d423e2a2631c449802a13d88c3da63b01d00e2d5ba076a1fc

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
92KB

MD5
2879f8e1ca964be2fac0e101cbf6b81f

SHA1
351cc7a9caf6ff1800e686c7a2cc9546bbd46d4a

SHA256
bd4e800d21fe1a35d16224f2a003e5b6776eb48270c9594d3397468bc3038a56

SHA512
8db88384349439116fc786900e1fa97769e067203a4e37ccd8ef4a41f725fadd35abc43189bfc7e81931fc866ce16e106f3f955ad1aab24b6789c86dfa499381

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
92KB

MD5
fb84ad1f7f449ba68d2e206018947df1

SHA1
b71cbc3b7400a7e6d2a2bbb42356bbba0afab847

SHA256
2fca49f90a02d75d7f347bed219819ad788e220a31692684f79e648e678c2b2c

SHA512
82eab575a5b02d9d1cfba1f8ba5ebe7fd27ca32924f1e9100e8bb41fd5febcc1e17686df621f2c85056828698945c812f7a2eb818e0ae08d462cb9fabe6b1289

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
92KB

MD5
6fd34a9cd6423538aa6f3b489c4ba2b8

SHA1
de7983f59592ac397ffa6820c4ea2d458e51eb01

SHA256
337558ef6c346c4ac06ab5c5e6b0c592f27dbdef1369e570499888b1734255b8

SHA512
cdf14edc59e293f12d500cf9786652665d4989eb0ba212a36416140cc5505022f9041141afacc438fe1c20919c9e24cf08f99c7eb49c69535b261c38e7b888eb

Download Submit
C:\Windows\SysWOW64\Kcdgbkil.dll

Filesize
7KB

MD5
982131e42b6bcc09e9c31b361764157b

SHA1
4ca673c8f22d384f7622bf63fbf8a76db19279ed

SHA256
38249f8e480aa17089744ca54739c900b5767fadec8d1d284073110dac511497

SHA512
0cc8611ae6e5a58f3c4a8edaa1613389a6cd9e054f89cb52155b8303c0cd760a3a8ebbb6c5284140c4d421f88f5d1f05f6925730647c356dacbbbd3417257774

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
92KB

MD5
5dff6018cff0c724ea4530b5fd565746

SHA1
730b6e44d3a54db0bff921b0ec01648a8d319ef5

SHA256
23f0332b7dffe3a54b17d907b97cc746b438b6cd8374a3caaa6b8c0d9f3ec45d

SHA512
7473fad70539b1b88d7544a268a425bd12a436fdb8aeaac3f34a731e45667133571282971af77e17ab610aec32a57fa4c0254ebf1dd1307e1ec559d48757ac21

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
92KB

MD5
fbaccd98576c0a2cece162fc1f365469

SHA1
d2479c9e700eba59df30441a0e0f20b54aaf5db3

SHA256
6890758c8f2fed5303ff0ffc1fa133995627d6bd94ee4e0b0752829629eb7507

SHA512
50682034c191209ffdfde7fc490008836144922194318473e59b6baa80fb60228cc0e2b48683fdd005dd13e7235fe78ea68c08ffec8d0abc5f5f7690071d3bc5

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
92KB

MD5
67397a9b4840a2d128f6af95aa0fb26e

SHA1
643d13d747634fbe0cc2355ce36a3d54da4ba2fd

SHA256
1d911ec69c25b6648225bbfb391bfe45af49cc2db0be20496ab94263bf2e2a2d

SHA512
de2ccab753fc81463bed20463116ec41d84d741622c58c93dcca2c24043612c8194b269890e187287c5b127e356ffab84d8b6afaa7f041781428a023d8a3d389

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
92KB

MD5
cbeff1a77d2264a2a93d43836045503f

SHA1
79cc24e69d8b5ecc703415e318071e78950d325f

SHA256
79ae3f5e6b08879e6aa0cb017ec0c64ba4e56e667e105575ee0648f856d45167

SHA512
221e27c06c1dae6aefd6575f75cd9a3f95cdb2f3917a92a4381a45a6facff7131a7ca0b3b6df27d43829b9e61c7d47445b6938d4bd7dca6f0436cbce18f2e127

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
92KB

MD5
5b50cbbe591345b3e870677434cf19ca

SHA1
c882f6b9e726615fa9c05d1d9898863b6ae539ab

SHA256
341534927a2968449ae665ef41424f8bc2b8142b142a460ef0aaa3c893702aed

SHA512
f0ac5eeccd115b8a6ea4b086970b7afa6e7ac16117f28f9d3757991f6aa0bfc4d1dbfc743dccdf2530b040d1f65d5ff9da3b556aadb8eae69921b38fea784a0d

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
92KB

MD5
1f3cf4e5dda275e4b62f60448eb058a4

SHA1
72e897a703c6529a278b7b1ae5d370ef7dc0d752

SHA256
0ccd97b6d80e42b83791e5dd35ae5201d21964c026663c9317f7c6ea46d1f68c

SHA512
122de94e50c15605f1a22f29aefa971577d061867334486c4e25b6a8adc90f888a0abd7d0182cdb6a845345edc4f6db158ba2ddebad709c17d37ed56d5f63868

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
92KB

MD5
9454f93f8413af2c138a7053c5ca16a4

SHA1
b687fe9d5e866154fc0570d4e2235c62478bd09c

SHA256
b59bbc239602d2a16a0e7a8e54e11c4313d1e04095903fdbc96d6c0f344ef7f6

SHA512
4cdf34db23f2f4ad8b9b2a8852dfb3e0aabf74572f99515ae0d7d79b914da01410380e834fb3302c1f0f0e8b1bd174fb736a984c9ec52cdae4ee34727291e8ef

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
92KB

MD5
8df4a587680a67e7627ef1d78b50d677

SHA1
607801bcfd7232a74deb93d1f37e6c3a1d310745

SHA256
fade7a24ddccf54a240da0b5f42661ef949784559f19daed57ade65279b23cb1

SHA512
320e87d3ac4aa3d0efe22712601eb5bab05cfd46bf834b05432f9034a180d8269e33ca8593b19883acdf9d24c8ce3775676e7323178efc7a8a8f37bdded9c5da

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
92KB

MD5
725d7d9dac58632f83c10bffdc510a3a

SHA1
326f79b1109c35dfd0b707dd16045449b8eca7f6

SHA256
92c23c27a3fdc9d67217809eb04653b91e344c4ceac189caed6481e57bf7e453

SHA512
cf49b4fc8a9da6661b276726275c8620719587805bdfa8b36d7388ea67929dfbf23807018e74a89fc38af0691d6f94c0fe356a7dc2e2e4d93b2c60261c92ac70

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
92KB

MD5
8a0ac47d8695de76e7dc8a6a7a09384b

SHA1
98511890b74869d48c78a9284eb5269fd83ddd90

SHA256
9365af66a3645919dc1620791cb91a0d80c2f2284c46e4d853958a1bc4b3f263

SHA512
7fd03376a504c1ba37d9deb3000696734a4a368cc7fa01b9bc80aff88948fee12c7d3ed7eff3ebee9564b147178202a92d8213d186727ca79562b067a882cd70

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
92KB

MD5
f4be70dcc5e382d1afe1ce834a953214

SHA1
c5ed61e81b6867e5d8d29c6010ff41711f07e2c9

SHA256
5cb982b1fa3264471d5c5ec4c44ec68a4efd08785467fd5ee05c97be9de1d987

SHA512
4de30225a5b69fe9a5671fe830140fb6b103e6c4da927d9f4d2820856bd05884ccdc05c63b1f131050372139cac915782c0c073a05ab9f45717664264d07a46c

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
92KB

MD5
2836e79bd6c60ee16a1bf3a8e42befff

SHA1
afca118a5f081945a53ebbc1cc936ca26a757e8e

SHA256
9efed431a31181ee260071a12270a1812b4d64fd73d61fea3d722556e18fba00

SHA512
74a5acece11d300387801329cd1298dfabbbf3711424e140d413b2c8f218107405c53113a37f428effc1b35b43ef35d17244a0577cc0f5f3b02b42a9adb7a169

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
92KB

MD5
314dfd0e755729991dd8edc098683a6a

SHA1
51f0dac06e5f161a8648fd141d5b1e610ffa6127

SHA256
0bf134eeab5f7220243fbae8abd34cc1e4270c7141079a8321350fa66cf53740

SHA512
2108fb39b7b0e574059fe777a80eeb52c2bbfd1f64433b27b203e62af1369c3e4fec416cb7b8c99ed5f206cbceba3a4cac3b7062f73e3d79ae3afb029ffd622b

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
92KB

MD5
9ffa9a14960c617692730738416a48b6

SHA1
948b12679f40d4f24489ff3ef93f3e86feb1b8b1

SHA256
83f1bf0eff43a266649be3f10c8feac0700a339a4d199b1b41505c1d2d452e45

SHA512
da54f876054b54b0c03e5d7b9fce17840c999e7f033ef92682673bd153c80e8e96af27329ef485e92bcc33b3827c09fb1521b2fa9a0405957013a90c7ca30e36

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
92KB

MD5
ed2c376a9d06f387bff3bb173e5fba78

SHA1
a58650dcefdcfc014c87a82aff0981c6036bb713

SHA256
bcf92a8d28e3c4a5dd60bbe29867a18f831f1b820100ff762ab1fc5044e8141e

SHA512
9c1edba2a25756990237a7e1e56b01fe189811c909f318af0cc827dbf2fd1ad31bba7a0b1f0d8e4bef6154f4379a366ec090991b882ea357d6d7646cc8dbf7d2

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
92KB

MD5
a813806efcfb2ff4dddb9386e0e0e8dc

SHA1
e04535ce6db045741e6c34fa18fd3f01283757f0

SHA256
3c1a97ed8f4371b9ba2dcaf0e05b646f7f028eb502befb2a1880b7d3a56e5cbd

SHA512
f8fa1cf92bf04c41ae626d52c5ed557da0c256cdcc7efae3be725e42af4a41f801031a6a0ecb0df407c49889a96aeca84a57a3c821ba4fc217b2a55721c4484f

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
92KB

MD5
af284bdf2167298cbf213e4dcd04e66c

SHA1
fd380bc8a02aebdc0002b0c90d71adb44a5beca5

SHA256
8a6f350a33ac8d3dac864fa19958cdf2c4362a92696667b9b26d8d503b5e3508

SHA512
505b3096d014041f5df9020369e37591c6ce2b1c94998498b8c20102ceab394d1c3fff84ba68b6ff57c5f1fd8b46a310c58a78d6a18e661f5488b01f127abcb5

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
92KB

MD5
72d3d231fb6496edf04e926d24c4d337

SHA1
7a4031397884508853fead23bdcd80678714e72a

SHA256
6fbfc8dcafebb713b67852b2eec50bdd406c2cfd75036fe4955596f10b1d0e86

SHA512
aa9450f80533fcaf4769e76371ab3c3c3e61f13e5d44b3374b98c4218e2b4368948328f9e8b618696b31ed007d2ab3f50e414195f5342a6749140e154cd05c4e

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
92KB

MD5
f85febaa99a26e45662c7a34c9040e77

SHA1
d29259ad6e81342ad0ff148e299c9b937f3f5d62

SHA256
bd2eac419622c770ffdc165d89ef5c2956e70f21fad3cb2233d07bc5b32d3cd1

SHA512
6c22b74c97a1748545875b34a91337dabfffde7edc21f415c50b54574fb5b1a7c533e760a5f1ffcdf05038d52fb6472818e9430923432f43d71c1ecef58fa244

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
92KB

MD5
0a2cb29489387aa195d70ceff14cae41

SHA1
984da582929a359a95e05fa975fe9d2441d43b35

SHA256
bace01d58bd3a62b0b5ea323a9f40638e8eadb4eacf27bbd5922e16bb31ec71c

SHA512
6ebf433b5af3ed456533cef6a1c997f5747ce4992aa20bec77f561eded1e3f29e625f33e6d39e27de31bd5cab52a68ca044128e9b630c069c3ea95a55478a551

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
92KB

MD5
0070aff6577b7b4d84a3e65c0d53759f

SHA1
12e753e44095d1f3675a38a067443610d8a32cef

SHA256
12d089d2cc0aedbb48e8b331fda462c915cc1a8e36ffe8a72907a7e08b93a794

SHA512
fc466c463f596dd1e772507d1a6f3c3084508942066bf46c7fd17c614b60e3d7320fa10018159f3e7b1736f085fb4657c234040d565a738802d2dd2456ee1860

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
92KB

MD5
3eb485457f67b7d7a6f04caca6957841

SHA1
b0ce8c385d29a12ae149d00b911bdc6e4af16bde

SHA256
6ade5f5bbc610a0cbba76c5868d03de32e8f9de4394e602b79564b585798f6e3

SHA512
92bd969599c0830b34662afe2dafbeeca8fa29c16afbd09e2b31c459939572fb94d113b2039d07740fa40d7749e5f9da29c5d5895e3daa14fdbefa7c14055801

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
92KB

MD5
7b53f52c17c28bf756ec5b91b1fd5d66

SHA1
dbb68e833e5054984d98fad7b8e399d4ff0f2096

SHA256
a61f65f55603e708e2cbdcba7318b0c23acbbfaeb325959aa078fbf63a9bc83b

SHA512
83fb710d074f7b4947d332d9f6fafc94148515c14db1a591af8163a126cb0cbca3483e26a4881140650eea036c464edd95c50ada787c809fe2a32521b6ab8e9a

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
92KB

MD5
d13c705b980dd1db92a8ed2bc717b8d7

SHA1
43e76f431efdef5721bd84f49282b5260754b53b

SHA256
dea99d86b43b8026d66c44b6034b587bdbfa18aab5435c0978614319faf96efe

SHA512
8ba344eabf9835703d70d6a9ead995e043694f0e2158d174f0c6ca260be2ba7f519d1463bdc3847e96251adfbf45f4e196d6fd34be2a7d9147864e42c20a12d4

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
92KB

MD5
1d293995cd4ea67301430d766cb5bf91

SHA1
dd8fcb14d9533117f6b5f74e90a993a0799b61b1

SHA256
1ce4443347545623946307c8965f295a49b8d3e23d17e7465ccdfae50acf297f

SHA512
aba4e72f799dedef6b5a4e6027167bb9c1ca9954ae3282252663caaab51172477193bc5294398a8e68a475804ba4dd7b95810147ced8fd55f9cfc809ab842f25

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
92KB

MD5
1efd9666867b77816827e65d2bdd6df7

SHA1
52401c0eeca9d54e8f1f3b9f82ef0baa0d08398a

SHA256
820b0d3e4f80851ed147ad8369bce7026434b7d4e803961908f14237e8358e01

SHA512
b2d8cbef5f5eeb9ae280eaf49ee59687d608e1bd927a2bd501b1e67690558674c34a00ddc2352aea30967ca1c941fc99bac5049b055632da2f60afcbc611fbf3

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
92KB

MD5
d5daf97d764913c0a1aaccce0dbb9b84

SHA1
02eb2918a8556138fd97b583a2a7d85e67285ce6

SHA256
cc2c9d3f8fcb56dc3587267e13bc63be24f69feffcdca68575d2420f7777bf3d

SHA512
44e63c5e7c930e74555358f34543e45b80b2c1a21cc3779e3ec4ed9ed247c832edded6325e09834175d923673fd131ba0a3ea1c85423812257111074d81136c5

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
92KB

MD5
9b06eb22eb9884c41627624ef34c595c

SHA1
98721385be73bcac5fae417c129e5428318647dc

SHA256
d0318984c5a974ef7aecc9c1438d392a1564ab3abf16603f0adbd8969a3e6d5d

SHA512
8e018c335d19125dfd7201b7c91dc72eb2f6a5024eca52c9cb8ef4fc6e0480e14d5125940fce1701e104087439ab6fb6aa207e40093df85a45c10aa392fe88aa

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
92KB

MD5
2d39f91fe513c6f03467cad65cd844dc

SHA1
03d5e12ecd08b8866ef5b8fc3cadfb1d420a1e8b

SHA256
ec143a80eded28e706fa0b8d54baf459e690593854e57bf6d526eefd7afa280e

SHA512
1e2b42bd17747403345c97ed55f29596053a0cd2c35c6cbaa710a32e147bf0afa31b670c2c01dfbd867e2d5fbdba276d237f0350712223f75cb999e4db5dede5

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
92KB

MD5
9d100e688946cfd431d60e83147d9bd2

SHA1
e8fe0f72fbb52f778536ce562499319cfb0801a0

SHA256
df1a4ef1255a02827d2f0456a22857e38fa0d8e7b566b5655b455b5ee2601c8d

SHA512
3c85453afe492ec200c9b19a4379e5a64cab000c1866b5720760e7bf25d161c41a8579e0b40a57433e3bd3ba49ea0618253250b4a68e4ee2e7f5c663af93fed9

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
92KB

MD5
af0578c98c106184ecad37d34138b2eb

SHA1
45568403c404fc4e6bc312f5238fbc2589545c46

SHA256
48944404952171f58b506c1ae0f8e52f057f4dc8bb05291d246d726bc747974d

SHA512
bd48edf898f904731b70562168a85c8244c45575c36416505dfee0430effe1a3162864278c67deea0da2cabe34a46433fa438fc1249e9335f1541c716e217f90

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
92KB

MD5
44098b69186062bccb835b78ffcd1564

SHA1
494d18dded30c4a32b742c0c9e42a7f445cd6f05

SHA256
4c9afa9f243e60a70a1c2ca052737b453d27beba32774b01cf26947dc00dd3b5

SHA512
8feeaf276826aeae4b24edd4966f1399aee46bdb78e20954f6e9657457c403a87653e7d4f62ec6c7eddc34e9180f53201760ec2d7d3486790df90ecce2e9bc2e

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
92KB

MD5
9d32dbdc82f854c7402093b17219ed46

SHA1
7d5307e4ceaf93ef523a8da7c1fc77836ec50c52

SHA256
812d1d4545dfc4a8d56f2d4a0e15ff509d3deaa32fcc6f280ce73e020b7313c0

SHA512
979244039098ade2eb8057ec988a8a851cde57064e42d8141ed32d69eb5f0889d53034a06b0388f5f04332fdc33df2846ff0e7517df7e40bb1adccc727533f40

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
92KB

MD5
ee89756b2dc6da5d82e5298f70a72a8a

SHA1
b4aaf9af591faba21d8317d1cc2cc71f495369d8

SHA256
f39cdc4474871254c5376ec6a6d4d22d4685007fb80fbc454b22ff26e873c27e

SHA512
0bd3fee6c8239f117f95e431a7fd7fcf4ebf58df5107da45f71d8ce8235b46e74392fa4c04a05b9c213f79076ba92cef7c0d57d102951c43b026ebfa603cf4ae

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
92KB

MD5
9e7fef23ef93b4aeed05eda22d4632d5

SHA1
e322a47c9439b652dac7649927b690e2a53f5250

SHA256
a4a3522e0a4bd638317fea0ddb1c4649600450e41c93bf9dfffc7ef3f0598a40

SHA512
4a3b190c68399567480b0c7dab79c2e2d879121d8428507df51fdf2e27923a7571bedc14aa5fb33e4c90093512a1ff538dd62c5e261e69bd3eae4f267c055440

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
92KB

MD5
d8b133d5e9bf1e36ed983a4f11623b04

SHA1
79695826f55840a85c1c49354f684ef55e0a9876

SHA256
160c52e0d9275e7362203bd7e40c03f8d6bb20c216436ead1f224a0d095c1506

SHA512
b6c2dd77a46dda6d68c46c978dcf291782dae1bca6cad0ccfb700d3638b63c1e77add05d2d5fe2074edf2a73d3e6eabf639d010c8c79215b229572bdb0d7296c

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
92KB

MD5
c094fd93ce230e75004a1aae3a1f814e

SHA1
445820acf77f3b2ebfad0ef7fc87558bb453f3d6

SHA256
e7c33b525f78f913fa300f22691ae11c907f0d3badabf0bd42f53188f87afbaf

SHA512
b1c61d63d1b9e1364925d61e1776f2034771f644bb34983aae3012514e02205a9cd97e7a73f07a32c9af05ab4a503cb15ff40f4671b199ab8355f52f7da5300f

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
92KB

MD5
5f732fca4a8213193be7d158915b76ff

SHA1
68d09844a4eb6d2f209faa682d957d799477423e

SHA256
97a2965b6f5a251667dd8bfc16ef34dc3170f2de3debaba66a4d4b5d1e5f3c9b

SHA512
de25ad008b58b9e5d204afc62c26db18807ba6eea7773077172813aacf99f4bdf0a6ba8e879b7247e1a414de4e7f0765cfbd5999ac0f86f1f9b70dda70c7d891

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
92KB

MD5
2f5e5c1458dfc9a0c2a9b60783444f08

SHA1
2639653c34efc0a7e6682d22ce1f41c85bd63bc3

SHA256
9f6530ac084d2d06a45c44ce870dbc0829fd7cf0705cd7788b04f73022e666b2

SHA512
d60846e1b662d4d6a3aeaf2c0ac4884ea1288f34637a19bd6f8002a040b38bdf40643fdf17a3d619fee81a5cea1258961b89ce77749db2069a6498179d244516

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
92KB

MD5
cfc108a4e3f1c641a2b0d924241cb6d3

SHA1
69b950e4618419f93f236fcc794ee63e31c93eed

SHA256
29054c9e27041e10095018aacabea794a1ec2f7ea64406a2939dcb9e61a123ab

SHA512
4d683409ea73fb0f40ced6daba17b7af3e0efdd80ffe5740e029de827916b26fed91cafd4ae5c34ac313627e31211558041d4233a2464d37a2a975562c07e321

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
92KB

MD5
4abd022d0c383694668d3c4349e91be7

SHA1
9befc23b9dae187e8af80d9366abef3096524704

SHA256
6efadbaf15ff57a3ca117dbc29311dd8821b5e6bf33f5d6d6b0c14399719cabc

SHA512
d1575a4f280d15d61ba25eb87e2a89a87ed3a9cbf036514f464967e02098e5900733e0b14d345d053940c8fe89efdb6fe95c6962c2654892e478ad455c26b103

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
92KB

MD5
aa8934dd56b422b014b28e5bce78af71

SHA1
12858b6838afd4b3b6238dc676642ecec6c394fa

SHA256
2685229eebfe991e1900716184a1f1d5301988a5a4169642a7e65e21992c03fe

SHA512
9d9ac494762fe88021c5de911d2da0c5ebb3412abf1a3ef25bc1118f27e24b6de5e7899f9404f1e2ef30a2e0849d45eb409092e319bd55991401d922f68ba29a

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
92KB

MD5
dec9ef69e7a775f077f9a13d4137407e

SHA1
26465eb00e11a2e2c50b4b609cbd320eec28db51

SHA256
b464fd205d41692a5eb2539d9b22658b912fb324b9c652344b931dc13927ce7d

SHA512
bbdf56d55f3787bc342dcf28d5ff60ff9949ec2e7c39e7d84210534153544264ea9d74b6592edf74957c2aea3a75b147f33e00e1d76bc663585dc6e4e00f7773

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
92KB

MD5
f6c92a1f385a8948fc80b969ad8bbf4a

SHA1
df2f47df119bf6b2e8601fa34baec59a4bbb709a

SHA256
bb2092c54b5d57bd2c49730d41c1938a82a69a4724a2400262114d631b5bfce1

SHA512
edf4b7eb0f3f6c4824e6471193c69b91585988c0c18605fab8ad5874827bd65d2b22ff04cf341872b405bbbe989ababeeed20e69dbf416efcf29e91278db12ad

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
92KB

MD5
266b26b756ef538321149c98cf787865

SHA1
6ea76da661b53e2805ce3f33e145f3c1e6d39a03

SHA256
42d0ed547c464756a71ce2b36c1d37815312807fadd2bdf9f79347df50835b39

SHA512
693c5c606d17dc0afa6b7c2c7599d4963fe81da5502704cb74ad6a358b7d28eaef7cf96a844d0334ef5a0e72f4cfd25bd3524ddd1ddc6309f956ca55b37a3a08

Download Submit
memory/60-508-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/64-406-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/396-559-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/436-304-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/440-436-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/512-175-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/532-159-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/540-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/540-558-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/640-460-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/748-400-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/852-514-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1048-274-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1052-566-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1176-580-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1272-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1272-572-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1300-191-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1356-183-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1384-103-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1392-418-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1496-88-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1568-364-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1600-328-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1744-24-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1744-565-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1916-382-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1968-215-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1976-346-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2112-64-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2136-594-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2144-268-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2148-111-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2176-587-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2232-95-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2244-454-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2284-496-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2332-262-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2368-526-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2444-292-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2604-208-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2620-388-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2624-376-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2772-322-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2796-551-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2796-7-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2888-484-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2956-430-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2964-424-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3008-442-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3012-199-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3020-490-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3036-316-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3084-231-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3132-260-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3140-135-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3176-358-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3188-47-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3188-586-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3252-448-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3260-55-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3260-593-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3264-394-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3404-412-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3448-223-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3484-127-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3496-352-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3688-334-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3784-71-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3852-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3852-544-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3896-552-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3968-532-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4072-579-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4072-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4124-538-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4232-370-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4236-247-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4288-573-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4296-143-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4360-151-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4392-286-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4416-466-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4436-280-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4528-520-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4608-167-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4628-478-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4756-80-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4776-340-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4784-502-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4832-472-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4976-298-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5040-545-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5084-244-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5088-119-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5108-310-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads