berbew | 1cb1877605fc7202cdeb7018403dd53d5a50cda34049fcc52d9ee03946ff1d97

Analysis

max time kernel
33s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cb1877605fc7202cdeb7018403dd53d5a50cda34049fcc52d9ee03946ff1d97N.exe
Size

67KB
MD5

ae34176e4c0d75ab72e115a4e857e610
SHA1

9dbd9d9791edace9129fdaf3d9accb34e7550903
SHA256

1cb1877605fc7202cdeb7018403dd53d5a50cda34049fcc52d9ee03946ff1d97
SHA512

78d98b779ae1fb66a990ebbfb51e8def8d7587cc579864c326d6c42cc9cebb328bb6be79d2098b99f6db63f36c2841832a4e2b2ce6856a2558b3bb57e0086ea6
SSDEEP

1536:WNBdwmKCAt8xJG7/r6QydRwVk7NWDNX9sJifTduD4oTxwf:WymKxtbzr6f8wNAd9sJibdMTxwf

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apalea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqcpob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkdgpo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqacic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfbelipa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ackkppma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohendqhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcdipnqn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqacic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abphal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oegbheiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blkioa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfpnmj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biafnecn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afiglkle.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1cb1877605fc7202cdeb7018403dd53d5a50cda34049fcc52d9ee03946ff1d97N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onpjghhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aniimjbo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apoooa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afnagk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjbjhgde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmccjbaf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfpnmj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcdipnqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdlkiepd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeaedd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beejng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2596	Onpjghhn.exe
2236	Oegbheiq.exe
2700	Ohendqhd.exe
2708	Onbgmg32.exe
592	Oqacic32.exe
2916	Ogkkfmml.exe
2108	Oqcpob32.exe
2572	Ogmhkmki.exe
3028	Pdaheq32.exe
3016	Pcdipnqn.exe
2940	Pfbelipa.exe
2264	Pgbafl32.exe
2556	Pjpnbg32.exe
2124	Pcibkm32.exe
612	Pjbjhgde.exe
2392	Pkdgpo32.exe
2364	Pdlkiepd.exe
2900	Pmccjbaf.exe
2332	Qeohnd32.exe
1200	Qgmdjp32.exe
2112	Qngmgjeb.exe
1584	Qeaedd32.exe
2804	Qkkmqnck.exe
2764	Aniimjbo.exe
1244	Acfaeq32.exe
2328	Ajpjakhc.exe
1480	Aajbne32.exe
2980	Achojp32.exe
2360	Ajbggjfq.exe
1228	Amqccfed.exe
2976	Apoooa32.exe
2860	Ackkppma.exe
2876	Afiglkle.exe
2776	Ajecmj32.exe
1444	Amcpie32.exe
1820	Apalea32.exe
2004	Abphal32.exe
1988	Afkdakjb.exe
2204	Aijpnfif.exe
1376	Amelne32.exe
1328	Alhmjbhj.exe
1804	Acpdko32.exe
2672	Afnagk32.exe
2524	Aeqabgoj.exe
1796	Bilmcf32.exe
2740	Blkioa32.exe
2808	Bpfeppop.exe
2616	Bbdallnd.exe
2592	Bfpnmj32.exe
2368	Becnhgmg.exe
956	Bhajdblk.exe
1888	Blmfea32.exe
2996	Bnkbam32.exe
1680	Bbgnak32.exe
2316	Bajomhbl.exe
2284	Beejng32.exe
2156	Biafnecn.exe
1064	Blobjaba.exe
1580	Bonoflae.exe
2168	Bbikgk32.exe
864	Balkchpi.exe
2372	Behgcf32.exe
1724	Bdkgocpm.exe
1732	Blaopqpo.exe

Loads dropped DLL 64 IoCs

pid	Process
2840	1cb1877605fc7202cdeb7018403dd53d5a50cda34049fcc52d9ee03946ff1d97N.exe
2840	1cb1877605fc7202cdeb7018403dd53d5a50cda34049fcc52d9ee03946ff1d97N.exe
2596	Onpjghhn.exe
2596	Onpjghhn.exe
2236	Oegbheiq.exe
2236	Oegbheiq.exe
2700	Ohendqhd.exe
2700	Ohendqhd.exe
2708	Onbgmg32.exe
2708	Onbgmg32.exe
592	Oqacic32.exe
592	Oqacic32.exe
2916	Ogkkfmml.exe
2916	Ogkkfmml.exe
2108	Oqcpob32.exe
2108	Oqcpob32.exe
2572	Ogmhkmki.exe
2572	Ogmhkmki.exe
3028	Pdaheq32.exe
3028	Pdaheq32.exe
3016	Pcdipnqn.exe
3016	Pcdipnqn.exe
2940	Pfbelipa.exe
2940	Pfbelipa.exe
2264	Pgbafl32.exe
2264	Pgbafl32.exe
2556	Pjpnbg32.exe
2556	Pjpnbg32.exe
2124	Pcibkm32.exe
2124	Pcibkm32.exe
612	Pjbjhgde.exe
612	Pjbjhgde.exe
2392	Pkdgpo32.exe
2392	Pkdgpo32.exe
2364	Pdlkiepd.exe
2364	Pdlkiepd.exe
2900	Pmccjbaf.exe
2900	Pmccjbaf.exe
2332	Qeohnd32.exe
2332	Qeohnd32.exe
1200	Qgmdjp32.exe
1200	Qgmdjp32.exe
2112	Qngmgjeb.exe
2112	Qngmgjeb.exe
1584	Qeaedd32.exe
1584	Qeaedd32.exe
2804	Qkkmqnck.exe
2804	Qkkmqnck.exe
2764	Aniimjbo.exe
2764	Aniimjbo.exe
1244	Acfaeq32.exe
1244	Acfaeq32.exe
2328	Ajpjakhc.exe
2328	Ajpjakhc.exe
1480	Aajbne32.exe
1480	Aajbne32.exe
2980	Achojp32.exe
2980	Achojp32.exe
2360	Ajbggjfq.exe
2360	Ajbggjfq.exe
1228	Amqccfed.exe
1228	Amqccfed.exe
2976	Apoooa32.exe
2976	Apoooa32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cfgheegc.dll	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Ejaekc32.dll	Qeaedd32.exe
File created	C:\Windows\SysWOW64\Balkchpi.exe	Bbikgk32.exe
File opened for modification	C:\Windows\SysWOW64\Afnagk32.exe	Acpdko32.exe
File opened for modification	C:\Windows\SysWOW64\Bbikgk32.exe	Bonoflae.exe
File created	C:\Windows\SysWOW64\Blaopqpo.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Gnnffg32.dll	Cilibi32.exe
File opened for modification	C:\Windows\SysWOW64\Aniimjbo.exe	Qkkmqnck.exe
File opened for modification	C:\Windows\SysWOW64\Acpdko32.exe	Alhmjbhj.exe
File opened for modification	C:\Windows\SysWOW64\Ogmhkmki.exe	Oqcpob32.exe
File created	C:\Windows\SysWOW64\Bfkpqn32.exe	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Apoooa32.exe	Amqccfed.exe
File opened for modification	C:\Windows\SysWOW64\Onbgmg32.exe	Ohendqhd.exe
File opened for modification	C:\Windows\SysWOW64\Aajbne32.exe	Ajpjakhc.exe
File created	C:\Windows\SysWOW64\Hgpmbc32.dll	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Onpjghhn.exe	1cb1877605fc7202cdeb7018403dd53d5a50cda34049fcc52d9ee03946ff1d97N.exe
File created	C:\Windows\SysWOW64\Amelne32.exe	Aijpnfif.exe
File created	C:\Windows\SysWOW64\Kjcceqko.dll	Pcdipnqn.exe
File created	C:\Windows\SysWOW64\Ihmnkh32.dll	Biafnecn.exe
File created	C:\Windows\SysWOW64\Bmeimhdj.exe	Bobhal32.exe
File opened for modification	C:\Windows\SysWOW64\Oegbheiq.exe	Onpjghhn.exe
File opened for modification	C:\Windows\SysWOW64\Ohendqhd.exe	Oegbheiq.exe
File opened for modification	C:\Windows\SysWOW64\Afkdakjb.exe	Abphal32.exe
File created	C:\Windows\SysWOW64\Pqfjpj32.dll	Afnagk32.exe
File opened for modification	C:\Windows\SysWOW64\Bbdallnd.exe	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Bdkgocpm.exe	Behgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Pfbelipa.exe	Pcdipnqn.exe
File created	C:\Windows\SysWOW64\Qkkmqnck.exe	Qeaedd32.exe
File created	C:\Windows\SysWOW64\Bkglameg.exe	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Blmfea32.exe	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Fcohbnpe.dll	Behgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Abphal32.exe	Apalea32.exe
File created	C:\Windows\SysWOW64\Lmmlmd32.dll	Abphal32.exe
File created	C:\Windows\SysWOW64\Ekdnehnn.dll	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Aaapnkij.dll	Oegbheiq.exe
File created	C:\Windows\SysWOW64\Oilpcd32.dll	Ajecmj32.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Beejng32.exe	Bajomhbl.exe
File opened for modification	C:\Windows\SysWOW64\Blaopqpo.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Jbbpnl32.dll	Ogkkfmml.exe
File created	C:\Windows\SysWOW64\Cpceidcn.exe	Bmeimhdj.exe
File opened for modification	C:\Windows\SysWOW64\Bdmddc32.exe	Bejdiffp.exe
File opened for modification	C:\Windows\SysWOW64\Chkmkacq.exe	Cdoajb32.exe
File opened for modification	C:\Windows\SysWOW64\Oqacic32.exe	Onbgmg32.exe
File created	C:\Windows\SysWOW64\Nmmfff32.dll	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Bbikgk32.exe	Bonoflae.exe
File created	C:\Windows\SysWOW64\Imklkg32.dll	Bkglameg.exe
File created	C:\Windows\SysWOW64\Bilmcf32.exe	Aeqabgoj.exe
File created	C:\Windows\SysWOW64\Bpfeppop.exe	Blkioa32.exe
File opened for modification	C:\Windows\SysWOW64\Bdkgocpm.exe	Behgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Bejdiffp.exe	Bmclhi32.exe
File opened for modification	C:\Windows\SysWOW64\Cpceidcn.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Eioojl32.dll	Pmccjbaf.exe
File opened for modification	C:\Windows\SysWOW64\Bpfeppop.exe	Blkioa32.exe
File created	C:\Windows\SysWOW64\Lmcmdd32.dll	Onpjghhn.exe
File opened for modification	C:\Windows\SysWOW64\Bbgnak32.exe	Bnkbam32.exe
File opened for modification	C:\Windows\SysWOW64\Biafnecn.exe	Beejng32.exe
File created	C:\Windows\SysWOW64\Cjnolikh.dll	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Paenhpdh.dll	Pjpnbg32.exe
File created	C:\Windows\SysWOW64\Qngmgjeb.exe	Qgmdjp32.exe
File opened for modification	C:\Windows\SysWOW64\Amqccfed.exe	Ajbggjfq.exe
File created	C:\Windows\SysWOW64\Afnagk32.exe	Acpdko32.exe
File opened for modification	C:\Windows\SysWOW64\Bmclhi32.exe	Boplllob.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2056	1508	WerFault.exe	108

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afkdakjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijpnfif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkbam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onbgmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeqabgoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blmfea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaopqpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobhal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqcpob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilmcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbgnak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmclhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjpnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdlkiepd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeaedd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ackkppma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgechbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfbelipa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qngmgjeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alhmjbhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkmkacq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajomhbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkdgpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkkmqnck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aniimjbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfaeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afiglkle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acpdko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfeppop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1cb1877605fc7202cdeb7018403dd53d5a50cda34049fcc52d9ee03946ff1d97N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjbjhgde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmccjbaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achojp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apalea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhajdblk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkpqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqacic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogmhkmki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdallnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkkfmml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdipnqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgbafl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeohnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amelne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blkioa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beejng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgmdjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpjakhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apoooa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfpnmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohendqhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdaheq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajbggjfq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqccfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcibkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajecmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abphal32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlfga32.dll"	Oqcpob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbappj32.dll"	Amcpie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	1cb1877605fc7202cdeb7018403dd53d5a50cda34049fcc52d9ee03946ff1d97N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogmhkmki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhbhji32.dll"	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll"	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdlkiepd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koldhi32.dll"	Amelne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balkchpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qngmgjeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qofpoogh.dll"	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmfff32.dll"	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oegbheiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfobiqka.dll"	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqncgcah.dll"	Blkioa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onpjghhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amelne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjpnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balkchpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdaheq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apoooa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmnkh32.dll"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgenio32.dll"	1cb1877605fc7202cdeb7018403dd53d5a50cda34049fcc52d9ee03946ff1d97N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodajl32.dll"	Pdlkiepd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doojhgfa.dll"	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgmdjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqcpob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkdgpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekdnehnn.dll"	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	1cb1877605fc7202cdeb7018403dd53d5a50cda34049fcc52d9ee03946ff1d97N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahjhop.dll"	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkglameg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogkkfmml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfbdiclb.dll"	Pdaheq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmani32.dll"	Apoooa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifmcd32.dll"	Becnhgmg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2596	2840	1cb1877605fc7202cdeb7018403dd53d5a50cda34049fcc52d9ee03946ff1d97N.exe	30
PID 2840 wrote to memory of 2596	2840	1cb1877605fc7202cdeb7018403dd53d5a50cda34049fcc52d9ee03946ff1d97N.exe	30
PID 2840 wrote to memory of 2596	2840	1cb1877605fc7202cdeb7018403dd53d5a50cda34049fcc52d9ee03946ff1d97N.exe	30
PID 2840 wrote to memory of 2596	2840	1cb1877605fc7202cdeb7018403dd53d5a50cda34049fcc52d9ee03946ff1d97N.exe	30
PID 2596 wrote to memory of 2236	2596	Onpjghhn.exe	31
PID 2596 wrote to memory of 2236	2596	Onpjghhn.exe	31
PID 2596 wrote to memory of 2236	2596	Onpjghhn.exe	31
PID 2596 wrote to memory of 2236	2596	Onpjghhn.exe	31
PID 2236 wrote to memory of 2700	2236	Oegbheiq.exe	32
PID 2236 wrote to memory of 2700	2236	Oegbheiq.exe	32
PID 2236 wrote to memory of 2700	2236	Oegbheiq.exe	32
PID 2236 wrote to memory of 2700	2236	Oegbheiq.exe	32
PID 2700 wrote to memory of 2708	2700	Ohendqhd.exe	33
PID 2700 wrote to memory of 2708	2700	Ohendqhd.exe	33
PID 2700 wrote to memory of 2708	2700	Ohendqhd.exe	33
PID 2700 wrote to memory of 2708	2700	Ohendqhd.exe	33
PID 2708 wrote to memory of 592	2708	Onbgmg32.exe	34
PID 2708 wrote to memory of 592	2708	Onbgmg32.exe	34
PID 2708 wrote to memory of 592	2708	Onbgmg32.exe	34
PID 2708 wrote to memory of 592	2708	Onbgmg32.exe	34
PID 592 wrote to memory of 2916	592	Oqacic32.exe	35
PID 592 wrote to memory of 2916	592	Oqacic32.exe	35
PID 592 wrote to memory of 2916	592	Oqacic32.exe	35
PID 592 wrote to memory of 2916	592	Oqacic32.exe	35
PID 2916 wrote to memory of 2108	2916	Ogkkfmml.exe	36
PID 2916 wrote to memory of 2108	2916	Ogkkfmml.exe	36
PID 2916 wrote to memory of 2108	2916	Ogkkfmml.exe	36
PID 2916 wrote to memory of 2108	2916	Ogkkfmml.exe	36
PID 2108 wrote to memory of 2572	2108	Oqcpob32.exe	37
PID 2108 wrote to memory of 2572	2108	Oqcpob32.exe	37
PID 2108 wrote to memory of 2572	2108	Oqcpob32.exe	37
PID 2108 wrote to memory of 2572	2108	Oqcpob32.exe	37
PID 2572 wrote to memory of 3028	2572	Ogmhkmki.exe	38
PID 2572 wrote to memory of 3028	2572	Ogmhkmki.exe	38
PID 2572 wrote to memory of 3028	2572	Ogmhkmki.exe	38
PID 2572 wrote to memory of 3028	2572	Ogmhkmki.exe	38
PID 3028 wrote to memory of 3016	3028	Pdaheq32.exe	39
PID 3028 wrote to memory of 3016	3028	Pdaheq32.exe	39
PID 3028 wrote to memory of 3016	3028	Pdaheq32.exe	39
PID 3028 wrote to memory of 3016	3028	Pdaheq32.exe	39
PID 3016 wrote to memory of 2940	3016	Pcdipnqn.exe	40
PID 3016 wrote to memory of 2940	3016	Pcdipnqn.exe	40
PID 3016 wrote to memory of 2940	3016	Pcdipnqn.exe	40
PID 3016 wrote to memory of 2940	3016	Pcdipnqn.exe	40
PID 2940 wrote to memory of 2264	2940	Pfbelipa.exe	41
PID 2940 wrote to memory of 2264	2940	Pfbelipa.exe	41
PID 2940 wrote to memory of 2264	2940	Pfbelipa.exe	41
PID 2940 wrote to memory of 2264	2940	Pfbelipa.exe	41
PID 2264 wrote to memory of 2556	2264	Pgbafl32.exe	42
PID 2264 wrote to memory of 2556	2264	Pgbafl32.exe	42
PID 2264 wrote to memory of 2556	2264	Pgbafl32.exe	42
PID 2264 wrote to memory of 2556	2264	Pgbafl32.exe	42
PID 2556 wrote to memory of 2124	2556	Pjpnbg32.exe	43
PID 2556 wrote to memory of 2124	2556	Pjpnbg32.exe	43
PID 2556 wrote to memory of 2124	2556	Pjpnbg32.exe	43
PID 2556 wrote to memory of 2124	2556	Pjpnbg32.exe	43
PID 2124 wrote to memory of 612	2124	Pcibkm32.exe	44
PID 2124 wrote to memory of 612	2124	Pcibkm32.exe	44
PID 2124 wrote to memory of 612	2124	Pcibkm32.exe	44
PID 2124 wrote to memory of 612	2124	Pcibkm32.exe	44
PID 612 wrote to memory of 2392	612	Pjbjhgde.exe	45
PID 612 wrote to memory of 2392	612	Pjbjhgde.exe	45
PID 612 wrote to memory of 2392	612	Pjbjhgde.exe	45
PID 612 wrote to memory of 2392	612	Pjbjhgde.exe	45

C:\Users\Admin\AppData\Local\Temp\1cb1877605fc7202cdeb7018403dd53d5a50cda34049fcc52d9ee03946ff1d97N.exe
"C:\Users\Admin\AppData\Local\Temp\1cb1877605fc7202cdeb7018403dd53d5a50cda34049fcc52d9ee03946ff1d97N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\SysWOW64\Onpjghhn.exe
  C:\Windows\system32\Onpjghhn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\SysWOW64\Oegbheiq.exe
    C:\Windows\system32\Oegbheiq.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Windows\SysWOW64\Ohendqhd.exe
      C:\Windows\system32\Ohendqhd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\SysWOW64\Onbgmg32.exe
        
        C:\Windows\system32\Onbgmg32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\SysWOW64\Oqacic32.exe
        
        C:\Windows\system32\Oqacic32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\Ogkkfmml.exe
        
        C:\Windows\system32\Ogkkfmml.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Oqcpob32.exe
        
        C:\Windows\system32\Oqcpob32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Ogmhkmki.exe
        
        C:\Windows\system32\Ogmhkmki.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Pdaheq32.exe
        
        C:\Windows\system32\Pdaheq32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Pcdipnqn.exe
        
        C:\Windows\system32\Pcdipnqn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Pfbelipa.exe
        
        C:\Windows\system32\Pfbelipa.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Pgbafl32.exe
        
        C:\Windows\system32\Pgbafl32.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Pjpnbg32.exe
        
        C:\Windows\system32\Pjpnbg32.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Pcibkm32.exe
        
        C:\Windows\system32\Pcibkm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Pjbjhgde.exe
        
        C:\Windows\system32\Pjbjhgde.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:612
        
        C:\Windows\SysWOW64\Pkdgpo32.exe
        
        C:\Windows\system32\Pkdgpo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Pdlkiepd.exe
        
        C:\Windows\system32\Pdlkiepd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Pmccjbaf.exe
        
        C:\Windows\system32\Pmccjbaf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\Qeohnd32.exe
        
        C:\Windows\system32\Qeohnd32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Qgmdjp32.exe
        
        C:\Windows\system32\Qgmdjp32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Qngmgjeb.exe
        
        C:\Windows\system32\Qngmgjeb.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Qeaedd32.exe
        
        C:\Windows\system32\Qeaedd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\Qkkmqnck.exe
        
        C:\Windows\system32\Qkkmqnck.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\SysWOW64\Aniimjbo.exe
        
        C:\Windows\system32\Aniimjbo.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\Acfaeq32.exe
        
        C:\Windows\system32\Acfaeq32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\Ajpjakhc.exe
        
        C:\Windows\system32\Ajpjakhc.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\Aajbne32.exe
        
        C:\Windows\system32\Aajbne32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Achojp32.exe
        
        C:\Windows\system32\Achojp32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Ajbggjfq.exe
        
        C:\Windows\system32\Ajbggjfq.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Amqccfed.exe
        
        C:\Windows\system32\Amqccfed.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\Apoooa32.exe
        
        C:\Windows\system32\Apoooa32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Ackkppma.exe
        
        C:\Windows\system32\Ackkppma.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\Afiglkle.exe
        
        C:\Windows\system32\Afiglkle.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\Ajecmj32.exe
        
        C:\Windows\system32\Ajecmj32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Amcpie32.exe
        
        C:\Windows\system32\Amcpie32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Apalea32.exe
        
        C:\Windows\system32\Apalea32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Abphal32.exe
        
        C:\Windows\system32\Abphal32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\Afkdakjb.exe
        
        C:\Windows\system32\Afkdakjb.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\Aijpnfif.exe
        
        C:\Windows\system32\Aijpnfif.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Amelne32.exe
        
        C:\Windows\system32\Amelne32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Alhmjbhj.exe
        
        C:\Windows\system32\Alhmjbhj.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Windows\SysWOW64\Acpdko32.exe
        
        C:\Windows\system32\Acpdko32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Afnagk32.exe
        
        C:\Windows\system32\Afnagk32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\Aeqabgoj.exe
        
        C:\Windows\system32\Aeqabgoj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\Blkioa32.exe
        
        C:\Windows\system32\Blkioa32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\Bbdallnd.exe
        
        C:\Windows\system32\Bbdallnd.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\Bfpnmj32.exe
        
        C:\Windows\system32\Bfpnmj32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\Becnhgmg.exe
        
        C:\Windows\system32\Becnhgmg.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Bhajdblk.exe
        
        C:\Windows\system32\Bhajdblk.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Blmfea32.exe
        
        C:\Windows\system32\Blmfea32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Windows\SysWOW64\Bnkbam32.exe
        
        C:\Windows\system32\Bnkbam32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Bbgnak32.exe
        
        C:\Windows\system32\Bbgnak32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Bajomhbl.exe
        
        C:\Windows\system32\Bajomhbl.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\Beejng32.exe
        
        C:\Windows\system32\Beejng32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Blobjaba.exe
        
        C:\Windows\system32\Blobjaba.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\Bonoflae.exe
        
        C:\Windows\system32\Bonoflae.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1580
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\Balkchpi.exe
        
        C:\Windows\system32\Balkchpi.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Blaopqpo.exe
        
        C:\Windows\system32\Blaopqpo.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        66⤵
        Drops file in System32 directory
        
        PID:1616
        
        C:\Windows\SysWOW64\Bmclhi32.exe
        
        C:\Windows\system32\Bmclhi32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        68⤵
        Drops file in System32 directory
        
        PID:1640
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        73⤵
        Drops file in System32 directory
        
        PID:556
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:816
        
        C:\Windows\SysWOW64\Chkmkacq.exe
        
        C:\Windows\system32\Chkmkacq.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 140
        81⤵
        Program crash
        
        PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aajbne32.exe

Filesize
67KB

MD5
8add0061b26ac223e27549a6656b4159

SHA1
05e076470160bf8818343dab3f1246796931af5c

SHA256
1a0cdce4120451cb1c05743feba37c527cf2af5e99477d12f72d7c205bb840bd

SHA512
1475db717c162651b90c28b1b28ba872a31496a506fac20f1b18a94ff711d151583a94c831aefc19654b406bd6615c4cc7e90dc5fa8623a6c818903a26fdaed5

Download Submit
C:\Windows\SysWOW64\Abphal32.exe

Filesize
67KB

MD5
dca0c461ca37f6863a6ea466f5415f87

SHA1
7957d3cc8219aee6112199fede7ff689f13d1207

SHA256
57aa70bb3ddb3f93cde03c3e5a2c5d22206942ebf12e709ccda31977f0350ffc

SHA512
869150623f03dbfbfd35e41e25c3c15449f83e4b21796d4b332f945cdf09a340300b2475b25d7bb30080985c233a9186615b303868cb653ba5c9139daa873893

Download Submit
C:\Windows\SysWOW64\Acfaeq32.exe

Filesize
67KB

MD5
f0d425d461fbf6120865e6ee58517390

SHA1
68fe87064139af620096ae9188c16f1ce2c3160f

SHA256
558a3a510d8ffd68edfb901126438817c7e0e7497d7953dc77186f02c8f88c92

SHA512
cad7ab977dd31543f3b73a9fc541c18e030e62758a596a9ace004756f318ab0d163f234763b5e562be47c454e1ee1e85529d3e8fb3d8747f5787df5807a7705b

Download Submit
C:\Windows\SysWOW64\Achojp32.exe

Filesize
67KB

MD5
57d8f09e330216ea7190029b1880940d

SHA1
bb57fbd002d960b92f7ffb612ebca274530ec30c

SHA256
78374690b2d65366cda53c44f7a16b738fa335b3d123fa8de3d961bffb6d2caa

SHA512
d8f915814eacbfb7848786a7d9100efe25c1ec4de635f16466e030403bbf7fe78020261baf7e2b993dd4b242d0b8ada3a86e692adb33876e1ee6ccbfee756e44

Download Submit
C:\Windows\SysWOW64\Ackkppma.exe

Filesize
67KB

MD5
e01d025f26ba0b18fc3d01a4cd25a2a8

SHA1
e31e03d1d8d2541f5e962af2b6b4606c929204b4

SHA256
ca56680c575ff513292d1183a6bb6d44bdf5c3974e61578d846f4536cbdd05b6

SHA512
b09055804e962cc5396b7bb34a21ce337c0af5a4b9dc86d0f0a6bab2bd1d66183b6cf5ca696275099654e00cbd1549d1a442ce6c41346fde49c86c8105981272

Download Submit
C:\Windows\SysWOW64\Acpdko32.exe

Filesize
67KB

MD5
9dd11118bfdb9fda1916b5b4ccb23a7f

SHA1
ca5206c78e601f4ca2e2501b9415bf39a310bd83

SHA256
5684d162ba235805e3939fb36787f8f35de9b8db7dd943fbb8ef4b6ae27a2538

SHA512
8d00fe3f344394229f45779482d654aae894157a52f005e44d38b8eb0d81a533d2e7399527fb7c96adc0f0c93278e2a2e552a8bd811670f4427cf6cf0ae350c0

Download Submit
C:\Windows\SysWOW64\Aeqabgoj.exe

Filesize
67KB

MD5
11cfa15f4a18e3fd992aa5df05e7849d

SHA1
68e68d87e57107f05b3a874c322fab18c2bd4979

SHA256
cbce92ca07d1124eefbfbbdfe8404b8c9317ad0b264990903fd687d036c81735

SHA512
4b9940621341d9bc1d59b4bf5df535d07e2cba684a3c8a8762cd753e0694643cfba7e8b48fa52db5d36acfe47ce8e07c99f8b4fd9db5d9c345ea31140ce47d58

Download Submit
C:\Windows\SysWOW64\Afiglkle.exe

Filesize
67KB

MD5
371c7fa7b0f4dde4a5a9192b84ce3f53

SHA1
0a3def301dc56e3f0ba9c93c10bed0a2a843de0b

SHA256
5d7398d26924d2a6dea0cd50f0ae1723278f207bc76ea9fd8efa9bdb8a864f51

SHA512
f9e06505af04e652ead934ea1184b27f84db2efb20bb8cc8993e4e228d3463ec7b63da58ea143fb6535f3f0d4aad379f2f19eefe78c4607495939812a86e48fd

Download Submit
C:\Windows\SysWOW64\Afkdakjb.exe

Filesize
67KB

MD5
9c2e623dba0a80617f9d0ce670524657

SHA1
532c303bf129f2f9d548df3446977d2a9f4443c2

SHA256
1614880f76a3fb0dfe541f3305ef8f4fcb3590bba5bca509754194a4a3d8ae27

SHA512
e0ff439d5d538ff1e96df69b1106ed61bc193fed9902cc69421aa10597fa5d2348e04d520005596e020b3d099d2e17d928e48a7afdb032c54e6216c7dedbaeed

Download Submit
C:\Windows\SysWOW64\Afnagk32.exe

Filesize
67KB

MD5
19a02239233172f5a1682e94d0b17aa8

SHA1
5614e7db4b125f528f5504ac0f33a66569662702

SHA256
3a96b98bc90c2432720458cdd843542b192701406e7fb9e373edd3398150b8af

SHA512
45182b00efd926b091f496866789e40e3fefc249120294eb1a81f34a05648d6711e4601791b26df56dc9906624f53a87a96ca0d1ad0a0d39c1b18a8c3bc2b661

Download Submit
C:\Windows\SysWOW64\Aijpnfif.exe

Filesize
67KB

MD5
bd6fc3325c009d092c84af8756167b34

SHA1
d5a5154688fe4c3a2a312e8e9907adf2d817cb3f

SHA256
d9d79caa09de32989dbdd0d8aa1c2e0462a229ccfb6adc4db51cbed4ec223db2

SHA512
7b8d18bfb70bffc28fe1c312e605c9c2c4f163b5ae73750a23e565613c8cc25083b2f6f48b32090a94140d2cbf8cf6957cad8ffd7441d8a70642f194fcc514e9

Download Submit
C:\Windows\SysWOW64\Ajbggjfq.exe

Filesize
67KB

MD5
9f75666a36c75333813028870bc44f25

SHA1
443bbdf26d4fbd1b49a634818d8c89504f1e67cd

SHA256
d7c2eb06f7267c9276c85b348a7c97b357b9c4532b18b27ffc023c732e9887ab

SHA512
fba8d560aba461d6c1c02600998baadb9b6394a721dfc098552e5eeeac2cbab7195d155c224d849e3e03fed0343c94166ad82014b81d0b6cb06739e29672ca58

Download Submit
C:\Windows\SysWOW64\Ajecmj32.exe

Filesize
67KB

MD5
fc95fc51e5027b781bd7c3a8a2b23b0d

SHA1
5174e558923a9f63dffb45f438c603ba7d0c6bd2

SHA256
c03aee1f9b49f9ee8ec07d5ac6be5c96e887a572236523d987cb168a9e2c5b5e

SHA512
86b14dc2582f9682f28e6c6f6cbb508939a44ab151cbca67aa7a7c65c48a5eaa2fe975d10c033740179bd421041230b7074beb774f190a84a16421b828aa8a36

Download Submit
C:\Windows\SysWOW64\Ajpjakhc.exe

Filesize
67KB

MD5
e1f8b0bbe3b82cadb27214353cf10fd5

SHA1
007a4ffe59caec966ee2661f4f4d23b857491d93

SHA256
27ea90ea914822897dbae35f37d4eff96cca8cadbc1f83945e4abf4d76e4ab20

SHA512
aac95277fe765ebd5f9e91de8d4ec822dd9765ffd4eee4a667b62d239d23988b2ebfa14f627686624a5fb6d6da8b11bc37c0b51ffda378ff1064472bb8bbaf46

Download Submit
C:\Windows\SysWOW64\Alhmjbhj.exe

Filesize
67KB

MD5
4dbd4505406e1567bb1dc7a169c03c4d

SHA1
5583ed0837786b60d6f8a1a4f67c431e4927ff23

SHA256
deb8cc83622ca42f0d9054a8e89a46eaa00b53e436c388352cf043f95d9014d5

SHA512
db1b1df1bac61863a31f4a89c8900c2b6e19c2bd4c0bfc7da295e9e7f3c43eeb60562c5b08bf007260aa37961ecba7e2f3d88305e6d730462ab67b2bfa781793

Download Submit
C:\Windows\SysWOW64\Amcpie32.exe

Filesize
67KB

MD5
f1013c90a5bba720fdaddf0ead91bb54

SHA1
960853b64e4a47f5d02f311bd6f5186c91699019

SHA256
fc56301124aaf8a44606948f4011c7638630b4426775cd9ce5ba51b04ea62c95

SHA512
f4d868f1a317720a29277ad4b7fab9daa5d1dd1f6ef0721e4420237566350b4086bd3f97f100ff4095abfa20f58b6f832d6b7d75d8517c4937703e5f8bf356fb

Download Submit
C:\Windows\SysWOW64\Amelne32.exe

Filesize
67KB

MD5
8795160189741dd9e82b9770f8374572

SHA1
5e08002a50121950b06115447da594c0a106b4ad

SHA256
a9071b50e74f07fe06e560b7af26ff91fcef01c0425892df9060e70253e880c2

SHA512
19f82fcdab3a7466871fdf5b330c940e41a48caeb3f4d18cd437e4135197f7d486bd5fdd6096833420367f2f823ed814c42343a3cdf2d95ab888de481ba63f46

Download Submit
C:\Windows\SysWOW64\Amqccfed.exe

Filesize
67KB

MD5
f91234e092d1b55fbb2c76214d65404f

SHA1
9d4a14042c0d31db995e64ec5ad17613f9f39e70

SHA256
8af0131d88535011e6eaf78a30653d5809a9c9070c59a5edd1e1a1793526f624

SHA512
5c0b41136f442591ddfdad56bd25c8501e69e6442d553be1032704acc7b52721784f939c5144e8ed195860e592d5298f37b9dd13d6f0db531c1b4b6f10398cb1

Download Submit
C:\Windows\SysWOW64\Aniimjbo.exe

Filesize
67KB

MD5
e103f3d44413b5163ffc024649fd17a6

SHA1
f936404e36d6e3c8b9d71adf1066d08ea24b554e

SHA256
fa6a868703153880151e8af121eb89bb80e1c3eba223e996a8b84fa69abd4427

SHA512
63841fece58febe13c0fda7fc58e70ea0c4240ee324698dea1256c80e3828e2b7582d720e500b91c77be6544976438446543329fe7fc18c8f39bc224a9d29bbe

Download Submit
C:\Windows\SysWOW64\Apalea32.exe

Filesize
67KB

MD5
43ee4cfd5b9f69d984198bf37e12a22d

SHA1
cf49dd4780e58b18a85b6f628572b005e39247a1

SHA256
d0a30b45d56424a6dd9980e6937839ceb5a1dc8b496cf6ab94b6fb3ef1ee172d

SHA512
5ef9043152367530cf2565c7b2577605319d4422666ad60abd1db7cb025f606364f796121f6acd039bb3105e09de873e2481313b426ac3556944a1d16306596e

Download Submit
C:\Windows\SysWOW64\Apoooa32.exe

Filesize
67KB

MD5
cd7b8df4b9a4727c1baca41356265c24

SHA1
e42f6117fd9c0f845fd61a5535ba5036b9c4bcc5

SHA256
7a0f817d0d36adb36c8caee6e9df1edbf3a9793135fa711ac409fb7d11d53364

SHA512
7b24c6f6a88c4328556987ea0a39384c7767a0cf56b4e3ad2352cea655e20947aeddb48607580208c311ee0ad328444cbbb1eb660e99c01739fc86c54f8e5a0e

Download Submit
C:\Windows\SysWOW64\Bajomhbl.exe

Filesize
67KB

MD5
ac496cf04adadcdb9d3d03424513d51c

SHA1
fe448171bfcbaa91cc6ec808967995a76b5b7688

SHA256
e83acbd916dfa865612ade1ddb931c83c7ace4d69a4d88276786090cf6678bc3

SHA512
76ba7156a342c2fc3cb8b05c934c7cc8b75e8e657bce145aff11c91417336ee2bebe08682e31a3c9d81b1bd682f00102f70f76240caa2a0724bdb48804eda8cd

Download Submit
C:\Windows\SysWOW64\Balkchpi.exe

Filesize
67KB

MD5
e975d01a7ebd22d89426c4ccc2a37a70

SHA1
3d4562f05a37815e87d4a2785f87674f0f7dc071

SHA256
2037fa3e540430d7f1ef15d50231a55766d13c0c37d4c3a9a1c7a40e95c8cd96

SHA512
b79cbe584e36de0d6fe04600cf66c5781ade306a6a0d7e56a6fb564d5fa9afc80d1afd7e50185b0803ef1f06363bd5598c96b1406dc39e520f1d6409638437cf

Download Submit
C:\Windows\SysWOW64\Bbdallnd.exe

Filesize
67KB

MD5
e7dd909ca413d69a02313aeee19c19aa

SHA1
8bb670eade1597d1f1a6254b86d2d5d972748c38

SHA256
1e93b8c5c9e14ad28a72eba21d864e527e0fd1e0ee242056fa5dbb32d05b5f33

SHA512
c1fc365563cdaa61da944f869126c8cddf8d3580ed7ab0035a8e2bd2cc4dc50c5a15c9cff2c0aab2131b0890bb61a866f80d916b9f09e3d5f5cce718fe883762

Download Submit
C:\Windows\SysWOW64\Bbgnak32.exe

Filesize
67KB

MD5
ea3b806805b6ba05477dd0c7850ffb7c

SHA1
606fa6b658565b355fd7dc3adda9b05ba3e43324

SHA256
f60666a722cd6e413386c064cd0be2a21628a9410ec503e1eec9e61429c7b284

SHA512
1394c2088278b08c5ade731f7288ed052d5bb78cb0f58755c00f3d9f68e85288d08f77ea532e6e724dac75049f75adde60ed24ca4b2a9f07ef62e0b2a3b16434

Download Submit
C:\Windows\SysWOW64\Bbikgk32.exe

Filesize
67KB

MD5
73128858d49d5f807a7e13f81b34fb7a

SHA1
186486ea99434991b500983e260c81ab17299e31

SHA256
2bd755562b0ccdefbeab01b7c19ae3159fdd71339ffb8273cef9ba2d373c71f4

SHA512
65c15794cdb546b4fa45ef422d1f3206fa2dcee20b0b260e624e354b2e627965250c8169fd447a85a6de6b2a789865cdc295ec0ebfaf7bc19231966fb42c8cf5

Download Submit
C:\Windows\SysWOW64\Bdkgocpm.exe

Filesize
67KB

MD5
e1ef482bda079e7c0415b0ba1230c6c8

SHA1
2646e61e002462499c1b89772027df589ec9d658

SHA256
6d6ff02fd735fc2ed1a8cc1c5ce63b3b8e779a05a919a6cf513dc527418858bb

SHA512
9a039d4a7f56cc2ec221fee46d090903bdf89f5b7b8dd998b7220a248ed2c16ac01baa02311c3248b53ce485cf5e7dee092b14c7efbc77af3112704d8c4eba23

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
67KB

MD5
4681b997c9a1c95a022a474ce43696df

SHA1
dbe5f1c9f8cdb50a9f36f74a3a85bebf97d7994a

SHA256
5f224bca813668c8ca14e253de9e9718b09869fb9da685a47382665d00151451

SHA512
6b1724bf152fceaddc4d335093cc0dedfcb2f442d7b8ed78a0e8b77459e6a72129b06a8b3fc1090f322334872e973936f6d3c9a70a43c391af7c5eb05f421913

Download Submit
C:\Windows\SysWOW64\Becnhgmg.exe

Filesize
67KB

MD5
7de53de39e51cebfbde05f5f434b37ac

SHA1
50fb78f2abd88ed8958c2e4e9d3d323d43eef6a7

SHA256
cb0b2bd486423ff9ad18b58a5e632d13811af7ccc82517d3324dcb109389a788

SHA512
ff1a4f6b3e669205e5e5e7772532341245ee0ede75a5240d1b9df742807b5e4ba05233fb6b2716a958a4c720f0e8ed7c99bcd2a0776c554f53af36ee335d6d4c

Download Submit
C:\Windows\SysWOW64\Beejng32.exe

Filesize
67KB

MD5
e605766ffe306d9951ca114ee6dae380

SHA1
c41dce56c5880e33b1f02e31715ba05f9af85b39

SHA256
8aabbeab51d3f7546b111d4809421bd4ea0493ed8e6f55bcde395725f8d0fe68

SHA512
62ff9175139eda5450674f11c7d12a01a2d20d008b01513c46b8da68e45383e5211a09f1cdee28b82bb7947f7929085ca0804b0587a0caa6453d1a63e10589ce

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
67KB

MD5
2062eb1cb157946e47cea45fa688a796

SHA1
9af9a6239a5e0a48571390d8742cfa9336819c91

SHA256
d7571ceab5e5f2bad654ae194b14dbcc5e53428914229c36ec919fa54ab4d175

SHA512
a3628a0a29247e208d9cb5285b0e3ce7ddd8e1526f85bdc557b0df8395a619ea81ecdeb27289ed356eed19d821075f0c55f0cdab7ad17fc062d4a49b8f93f1c6

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
67KB

MD5
bed257cab92ffe721207c28eb6223558

SHA1
22e9a43ee41b4670551356112f597c7c30b0c6f2

SHA256
cc65beea9d203c9b973afa108ae3eab6e8eb85382086427529338583f46d8c3c

SHA512
66a2d427b8295c1676198236423d492c7cf88fa0defc2a3f31c8b8c91676f734ff9268ad04578ac2984a6001d4ba9b30cd3b53000222c357479fbc920735e963

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
67KB

MD5
74ec5c062abe634f25cb254c5c147198

SHA1
1817a0eb73bc4b671167aeed21ec8af47c713cef

SHA256
fcb06807861d7564cb5240529a2dc961e8bcb2660045624dd43b87e3176b9999

SHA512
9f8df10b726ac5feb01c2f9fdbf79875ee54660b3ab0dd5102b538dd717cec22d07cfd8a453fff685ed31a10f6aac22b26306fb398c84133483afcae82887ebd

Download Submit
C:\Windows\SysWOW64\Bfpnmj32.exe

Filesize
67KB

MD5
70c71597dc21856ab81cd3d755531bd1

SHA1
7ca96cf8e5832f2075b361d6d7fd4762f70b9c81

SHA256
e771fb7155725f79822fdb7b8d6e63b94c0346ec91b070a8800fface6fdc2181

SHA512
bcae01f9e1a95839d2f3396946c305181bf7cabbee2f16c42605371f54ead18b479257140bba7aa09ba95377f6bbae392e12a8951324717240e7b5a44c524f1f

Download Submit
C:\Windows\SysWOW64\Bhajdblk.exe

Filesize
67KB

MD5
a2da4ed7544b48d5b2999cd5281ef69c

SHA1
23b5f7e5a07646ae019925ec9195a1a9ebcb9d75

SHA256
edc7e3287d149f09073d66f518f29e84dc1373be4ffb252fbb6c96b290c723cd

SHA512
4ab6dee7a803844c4b9d4865254f2ee309f4502fda67cebf53c3212cf0c309fc63351d18e804d0e789c64fedb02f4c48927973e848bfbf32a90882db2621cf49

Download Submit
C:\Windows\SysWOW64\Biafnecn.exe

Filesize
67KB

MD5
4e4aadc688f27b8b5f43b577c80e1246

SHA1
49d199ccf4ad41c089fd5241a2ed298e339b7e72

SHA256
cdeeb9cdee15e9ed067858274f96357213d94e18e417e768bba488adc4f0203b

SHA512
fa236132543721085800bbd2dfac8cb0df6c740cd2e2978eb42533060231d3e32fa11c71261fc80a8b882995244452b5959aadb587ce943f93b00a085553dbd7

Download Submit
C:\Windows\SysWOW64\Bilmcf32.exe

Filesize
67KB

MD5
c918523b74ee96a64242cf24c2de085c

SHA1
1e6cb1c4453cd6d466acee2e1dbc59ab6a60668d

SHA256
06b625e31a201bbf7a0ab5419d515655a5027fcb8176062977646ea2361cb61b

SHA512
393b2b2f253e90a821960272384a48b422a39d78ec1006a7243f7b950208d7e80cad1227daafcb46c27c8fc3e36c7b59aee7a8d486e2654ac73a3a5eb64d9cb2

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
67KB

MD5
5d1e5816807ad4af97190b72f3dccd4b

SHA1
5c7a83eeed0281754d63c9d599932c0e80f606f2

SHA256
9fe4a81ec2443cee7c447bdf6e9f8e6fc624eb022689e14a5dc2a96bbdb0030b

SHA512
ed46c0128b37b77b8f8172eeb9bdcfd06d29f7b70abfa28a788b6351daf7b9c1a96467aa25ac1e71434db0c7f5e5a453831f81700b69a15c58d5383856708a1c

Download Submit
C:\Windows\SysWOW64\Blaopqpo.exe

Filesize
67KB

MD5
b3d1c46fdac4e93c55be223e42eb61b6

SHA1
062bc5bbcfdf75649a2c17748df45f973af1eef5

SHA256
623e40b1fd230aa03d6e924347e2b9ae37061e04643d2b1f99becd4c2e75c2a8

SHA512
ef8014480527b8ccff0511b33302cc1a7c40a6e0660b2b3716a3b030ace5eecd2d9f509797288b6fafde97aef06397aadcc317a3036a8aacf145c06a28b2402d

Download Submit
C:\Windows\SysWOW64\Blkioa32.exe

Filesize
67KB

MD5
8b3ae0653b5d2acf950d78b3689ba5b6

SHA1
a98658dbc6ef901f9b49890738c2861960a3764a

SHA256
66b7b03cc08c0ed381d9b347cb3ccce61e4fc4ecc63cd6b43db2a219cde38d6b

SHA512
fda56f5a64640629985c472a4bff9b618acc82cbc0c9ad68d17c44702e439fd71203d523ebf1d3d3b9c5de5073d35ba8fa6b564ac9c7bf0e6086324363ca84dd

Download Submit
C:\Windows\SysWOW64\Blmfea32.exe

Filesize
67KB

MD5
6f08058473721b8c5bcf145a2b51930b

SHA1
7f4fb007973631ca5310320fb9f3073a9c06585e

SHA256
09419c7a62a2fab416aa8a4884f1ed53a7dd7a9f112b84381d163618453dcaf8

SHA512
96aad098f3aba06e1b1b9c1e25cda94cb330f1aa44b57f99824f7c10c503ee5bad0684d7edc227b906a3e426ddb7a4a976cf1c8f9dff6deb17a8c325149675a0

Download Submit
C:\Windows\SysWOW64\Blobjaba.exe

Filesize
67KB

MD5
d2e97ce4c325fef913db64f498088e12

SHA1
ee1d1e41b640169bc43c66cbdae683107822d14f

SHA256
b333e99349bee8fceca9a756d01bf8893cc447936ac39fe2a098f95bcf4f69d1

SHA512
831265c42bd46e9952b6c57c8a18d5a6550dbca81673fe4dd36d7de2629c233a84c1ad590e86550593938fbc262b7668c0bcba907039abf79a5eea5dc15bc051

Download Submit
C:\Windows\SysWOW64\Bmclhi32.exe

Filesize
67KB

MD5
9a4ad28983792d8b51977597444c951d

SHA1
0044ca2f15ec164ca929b90ff55a6dd190a1ec77

SHA256
8b882c89d026014d938654445f408c0c5d631bc85d001d97334fecf9de06805a

SHA512
3220c33ad1ee63ad5d76b532a2544df1f3515c14d124ba6a4f71c5fe8a74a537d927e3f91ade02422f3eb7dfe9683a4f1cd1b8eb15bfef19285d4583ea7d0d19

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
67KB

MD5
1dd14f23b658de6c421df3716a638e35

SHA1
fb4d41c8cbac238b4a470e25313819564ed96d15

SHA256
cad2090150e711507e6ade8221fb3c847c5cf4d4a948eb62f25ca06cdd35b4cb

SHA512
02b44bbfab9437f0207ddc998adf3426a23e9d80f5e0bcc477ac0890f907a67663a9ae4a0b1a3f68c35ee2cf7e864e4cf5d871270d5b6a26d4b946e7cf5f8f05

Download Submit
C:\Windows\SysWOW64\Bnkbam32.exe

Filesize
67KB

MD5
b97b7c582aa05f8136763596ff7194dd

SHA1
196957393d0cb488865e06e4104fc5ce0e04b091

SHA256
0427110284f5da854013a660b4271e5cf11af5daea4f066f157cd16536269778

SHA512
e69d06e9372d6fec8fbf609dd8bc6e779f8a9d5d532ab1d7908dc0c32e55ce646ce32b6b0b182c3a484e5f85a23b1ea8fb47f40b9aa04fea55585767e51a6880

Download Submit
C:\Windows\SysWOW64\Bobhal32.exe

Filesize
67KB

MD5
82af5f45c7c71cb0c033d7706bc543a4

SHA1
5d73d9ea2a869729eb5b557912df8d44120411d9

SHA256
be3295f0f19ebe8241800196d7a7e2ec701d359e9c0142bdb49e0c3c57a09b63

SHA512
6c841052e5a77aa7632b804c5f17a69c219ee9011e25a95848cabcb8f1f348f481e10eb475798937af0d991f2c84393fcd9cbbc9de64aeb15a5ac4bb994b96a4

Download Submit
C:\Windows\SysWOW64\Bonoflae.exe

Filesize
67KB

MD5
c0f6d7dde39c8be288400d0cbba3c566

SHA1
d6572dd51663ac97576c535505081fda73f34b2a

SHA256
8dad50e77218780c76221c036f051e377b6cfa5329729edd452fe18f0af49cda

SHA512
c6fedde46f9960bd657bc66e8812aa5e9649dd11bba6a29a79ffbb27259e56a405d090c5cf254101af34aa14c51fcb85ee3cb3c65b8dd7acc2b920cae968cf38

Download Submit
C:\Windows\SysWOW64\Boplllob.exe

Filesize
67KB

MD5
40d83752825524722e8b63aa6acea676

SHA1
b22f092c5882dc1c6c35921ebedf5a609e70fd6e

SHA256
c4bdd0ce3f7b95b768657b8ed30e3c14c25c2dc5d8528429dfeef3a8ce20d6bf

SHA512
a8c4cfdbe9c406f495ad5782617801f39969feaa6bf23e747dfbce2d86ec21cdf02a46bcbed064a6a50afc0736369eb1c2399c76b81588f6b742f53cc1dec7e3

Download Submit
C:\Windows\SysWOW64\Bpfeppop.exe

Filesize
67KB

MD5
bf7e9276e21a5d53f382367a02da72f8

SHA1
a15bd28ea0b9a95a4b16d439f11d9d78450689f4

SHA256
0ae682dc1104659efbac84f9c019b1e11ac827dd2f63d8a1529f97e2d0f01cff

SHA512
ad4976233e3356bc204e286e429a62896681f260db9cfd35d2776a73b0a96f6cfeeb063404dcf272d968b0c6c09ad22a30cadc2ca4532e725bdd1689e32f0760

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
67KB

MD5
b72387f3cb3f285278ac880fe5d0c2a5

SHA1
a196ae7894812bb55ab2ff341abbf08f34e34e9b

SHA256
5c1cf8ef7d0b0febef887aafd59febabd30f1d8cfc03be5c77afdd6ab1e96f5a

SHA512
cc261beae04dde4a16783ee35fe8e24710d042533da5de1bc4a7b9fcbd5794cfb1e9f47a939cc1e4a2961e76c0d99e6d7228974573e3c2a2e78b23c740d36a7e

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
67KB

MD5
7cee2b6b155610e1c4333021e6c981d0

SHA1
6d18a0cfb3c10d4c0d002515007558a62440d4e9

SHA256
23ba3badc2adfee05562d244dcdfc5823ef59f71646f8a234fa6061b5f050826

SHA512
6bcbbaffb067b765b35fb04c7e7897e97c587f8f0211afde261199b1bae3ead9244e3786a8098088a573408cd7a526aecb1b2839ccf053a9e88c628eec7c47a7

Download Submit
C:\Windows\SysWOW64\Chkmkacq.exe

Filesize
67KB

MD5
ce737dd73f13462e30aacb3530b13218

SHA1
768102cab5c3950e4bf9ae3b432f9b02e27a83d5

SHA256
44d61af5f5d7cefc4953d2a2dc8d328217914ca217b9f6cedaee791976763b03

SHA512
0304a82d2fb29e4718b47ebc5314a2b24146f74cb05f631fea226397129c37d67d0ca0e4309ae64f6b542e5f68aa88723d05023d40cd1fc2aa7f6cd45a143b52

Download Submit
C:\Windows\SysWOW64\Cilibi32.exe

Filesize
67KB

MD5
3870c234084b0d1836d40ac2b4db21de

SHA1
a36917e9324ec919cfe4512fa8cdb67f30ca15bd

SHA256
0c3adf5596606ac5cfa487dffbbad1cf7a541a31a15fa566fed34c20db088f87

SHA512
2f1d9f206018c011ec2d41e986196a505f2bb93c55462ab990cc24fb5c6256698243f52a561eeb0d669720e25efb37637966e8853fb552404e6ea00b354eacd0

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
67KB

MD5
ec855bad08888a14d95c460ec4ac95f0

SHA1
4213bc19ae5bd712ef1531ee9796dc405ba30d5d

SHA256
df11a1ee566c6a2c8a6314a9aaf1945481d1e0500c93585eb698652b1c09173e

SHA512
1dfff9594c08072315a3e48b4890cb0195c052e5d53a69090e8cf59b94341d9696c39da34ab9365c80a90d01d1058c2195a0aee69fe6211b6eb58f06dcf5d8b4

Download Submit
C:\Windows\SysWOW64\Cmgechbh.exe

Filesize
67KB

MD5
981bcabcc61c35ba7c5a480609a1bced

SHA1
6990eb26c7a90cb5e5c8f403344249fc3a76bb66

SHA256
dc59a9e64ae131a864372082062af00e5b3b7145dd18b675f15878a8fdb9bec6

SHA512
3a9cf3bdcf52d157f8085988d7a7ac6de0565ea1ea2019a50e2dc7e6e8328a5694710cedc9394ae7b0350fb423d576fee8472db41e3b0510d2b5c79fa069e92c

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
67KB

MD5
0448ed2c9c471f1e39f14d7a9e39cfce

SHA1
f98a14194260ac6615762ab4ec2bce2d8331eff1

SHA256
7b57387a4ca286a2c593a5966100ebcb3fabf1640c35c06d92e319bb93e8a062

SHA512
a93744508e4c0fc3ff87612a2ff54a878beb5023fadc976f416da579cd3d31f6b8fba235b43a6a5403ace9f5e51ee434f02494af4f2001d7374abdc509a734c5

Download Submit
C:\Windows\SysWOW64\Oegbheiq.exe

Filesize
67KB

MD5
35ebd6a9df422d0b9bf6b6a6b0117d15

SHA1
5ccc3d38af18f0a2015eb461a13a9bbdc215f72b

SHA256
a6c453474e5f549e7824842cf8f109b4f7ef6128514bf7237ea64156c0e6b8eb

SHA512
e823fff56cd4c7252198a21d08d0cf2c3d03f127c3d7afa063e689359168e66a14695a6a33447dda337bc58e318a4cf10fc508ab27992fef996a0cbb07fa8997

Download Submit
C:\Windows\SysWOW64\Ogkkfmml.exe

Filesize
67KB

MD5
19aa0f7e216a45fc1ef8a8991116fa33

SHA1
dd08fe766a0b178c76f5d1653a4b8d52399ff79e

SHA256
a600bc8e9df4badf15fe38ef5151fccda981695d34436320effec64fbd1af9db

SHA512
2db952d3f69eda579a3017d09a78231e0a42353e7f92a2b5a4ca56cc399491fb5530f4b0fb909c39458563d691196b283052d717f9e8e7eb53f604f8ed268d1d

Download Submit
C:\Windows\SysWOW64\Ogmhkmki.exe

Filesize
67KB

MD5
9ddfcc65437e690cadf4096cdd6b7b60

SHA1
74f8308a6787e4ce7fabc371056cfadacf61d202

SHA256
a1c825cf61c8a43b6378dd259dc5d3a94c97985427b3062d3d28162223245274

SHA512
97d92bd4864f9c4cc3e2714c36085bbb63886e4ae2adafe284e7f6b0aede6f74f03cd1dc620c63120bc7eafa422b4e2a0465ca518c77c094f78a4efc33e56996

Download Submit
C:\Windows\SysWOW64\Onbgmg32.exe

Filesize
67KB

MD5
3e6bcffe34a4156ca401aaf0e348977e

SHA1
a0bc0b176749384e916d6384791a735e454bce08

SHA256
e69e3526b17538bb669626aef33850c703d0e7368dfa23b092c7eabb1562ad65

SHA512
01d928f6039229c2a14804b803478c14c596d558218ecb5b061d8fc495561e8fa1a724139876f1079e8812a103d1b931c0607a17d07f02380d5729dd9a4366c7

Download Submit
C:\Windows\SysWOW64\Onpjghhn.exe

Filesize
67KB

MD5
399cc28afa2ec31e798f8ed8fcbe9ce9

SHA1
494d35027d4f3326f928bfaeda18e131bdbe4475

SHA256
ceeddf93b6d532bce443fd70e5a759bb4f393d9668f4f6e06b235fdee8f2e849

SHA512
624168d03a684efab4e66184ce39927c4f84ec2f1dab7131d1e229c19de8c18cf08efb58cd0b9bae6d22678f28a14d5f70d53e6911aeda7f1f3f0ac9e67bea8c

Download Submit
C:\Windows\SysWOW64\Pcibkm32.exe

Filesize
67KB

MD5
82b845ccffc4d2e9d7fd4018b145b8c7

SHA1
ab315b390013281e982e98c7636dd51701a0ec2d

SHA256
b8ff851493bb8c050cfc432f4e75644dd997465168e291569b6d1d9a667110b3

SHA512
aece65164190c1766c9b045a5e19b1f0c6ae77be544636f18826da23d9788936c3ff6356d1ed07222a5bbc2676bbd5c152a1eae8288e0824e715d96f54074ea6

Download Submit
C:\Windows\SysWOW64\Pdlkiepd.exe

Filesize
67KB

MD5
a7ffb63dcd1312d1374fcc58d05cffb8

SHA1
d0b9f5f36700c03e03b12322f6d08967afb8b1ee

SHA256
7ccaf73c8c44a9f70194779d0cdf9f65c0f32fa2114965c591d9fdf9e8f981a3

SHA512
6a36c6310ea97be04ced13cc3648ccdf985e550e7c2c5ad1c043ed1eee7401903502d52a2ebe67d4eb31b1d3c46a1f93fa71fcf2d6604223803f5aa0d976faeb

Download Submit
C:\Windows\SysWOW64\Pkdgpo32.exe

Filesize
67KB

MD5
a6b18347477afe8ea3991942d4e090fc

SHA1
8a42900ceb268bdd46938d00748c42686ae7028e

SHA256
9b4283d7bb7df0deeb5b1c80a5592a3795cfe88eb9ae9663a28766ea12ac0bb6

SHA512
f4ac34897d28b9aeff6cd5fd832281bb9b480a03c9dfd1d167f96864dc06377853ce3ca76ed05b4f8250f2c1a155cb599f12e418dd2cd15b4c6b5f1df6fb9cf2

Download Submit
C:\Windows\SysWOW64\Pmccjbaf.exe

Filesize
67KB

MD5
c11a601a000885e582b5d132374e9a3c

SHA1
5f92375f545433b3239c36340b73b7f0090df044

SHA256
617661660ab584b71089604ddf303d8c82a7d15756cf6fe157b46eb134b0bbfe

SHA512
41f8a62a0d89298577522a02996144f7442865d5bb81520d849723b44a9161e2e1c56a640bd1482e956ecd085e79d57122bffc0d604a18cb04354ee67eecb1fd

Download Submit
C:\Windows\SysWOW64\Qeaedd32.exe

Filesize
67KB

MD5
24fe765e08aba76cf73c6e9350f8c622

SHA1
66e8efbe0fe7c3d37c2bced761522e9145d25963

SHA256
67a5a4567893feeadd3a5c69738efe9fc78a2e615dee79ac1e9796096997f8ef

SHA512
79bd4f1985e5ad62d3227f1fa93a55bdd7c9709e6488f137ff704ffac9b9f2d11caef0c5e50d0ed83b1187a0045b51f6e831ab895bd79907cfd12ffaba8335bf

Download Submit
C:\Windows\SysWOW64\Qeohnd32.exe

Filesize
67KB

MD5
3c13cb6176ad38647dfbdd1ae4da5c64

SHA1
aeb2a31b313e6e8d7e8a17d74770d2442f1f4a01

SHA256
c480630512b8235a4808709e2913907d0a79e03da31ca149f6bd91b3760e5b07

SHA512
6f13ea5d3d14d681aabb1bae8774c6aa3a3421dcc6a0204d4064c90fb558aadf1998bbf27472fcccd6641787580ffe0484b9d3363c466639dbbd9957de0bcc3a

Download Submit
C:\Windows\SysWOW64\Qgmdjp32.exe

Filesize
67KB

MD5
c76519da1c11a5a3199f9e4b4f7c05f2

SHA1
63752126fdb166de38dd8420adf1c3ebb00971d6

SHA256
56896becd0586a0815f34f8c604406845789693d3a3c4c369cac72020389e218

SHA512
bab8d2db45590df612506971a5963ead74455adae6de642916d72d92712e47ad2e17465f31d9eab0051841a3b805b9282322be3b050e9723b6da5d7697cfbda3

Download Submit
C:\Windows\SysWOW64\Qkkmqnck.exe

Filesize
67KB

MD5
c85662a40bd571494d2d666f788627ff

SHA1
8f7404b1720b841f9ce8b271ee4113c7b8b71366

SHA256
f1e3b8438533ef6d437a0625d34e391216327afeca4425e61f2c6f7047952979

SHA512
a5cb0684769e2634b689eb1d4832a755250468d6b0eac0736421bdbccd07291e70aad3f3ef46b3a4013643bf300a44b25cf6f197f75f4cab2508d620ea9c1bd8

Download Submit
C:\Windows\SysWOW64\Qngmgjeb.exe

Filesize
67KB

MD5
d186dc69602916e3eb5950ca859440b8

SHA1
1ce1aa3731e1fdbeb514d1323109c964b262a4c9

SHA256
3bc984ca3cafd109d6254ee82dc5000ddfd316b15303851a68e1b61563b645da

SHA512
82f10f44666db41abcc6d4a4fe20f614bc51f2a2469b0c8b14d805a7732fcf860c10f03fbe4f0d0a05503ac7afd21d93ca17fda6a021791422e77dd74b60b157

Download Submit
\Windows\SysWOW64\Ohendqhd.exe

Filesize
67KB

MD5
5e7bf00a0d10834f7f1ea23b40704703

SHA1
1fcacdbd48548f08ccfef6750ce92b53d6fc4fdc

SHA256
7489c5936b26aa50511b9b4350be042275605d0c1e8c627002e65c99bf5e3710

SHA512
4823acf4e1db0efa77a7c120be6d2cc6f35ebe3ecd095744571a94b6c5b95fd1cb46afee7e0a00c08f2293d2ca5dada77c19e0d3596e64a3bed8121c309a77b1

Download Submit
\Windows\SysWOW64\Oqacic32.exe

Filesize
67KB

MD5
93bf52ad6b4c8a091db9cfaea4fcb411

SHA1
e303a4d82f9ad4f8d57862a74ea71a8f63a875a7

SHA256
d769c4223f73e863b22b74b4a69cd550138d4be34c4fb024ce0046ed606f1dd2

SHA512
222ef8679be21a4c5c7dfe090a3bf7650593f3a7107d7c8235e775568b2d54beb5b5fbf6b149bf32dacb0f152675e2ce8fac61f54f5d8971121a4c1bdfe176e8

Download Submit
\Windows\SysWOW64\Oqcpob32.exe

Filesize
67KB

MD5
0c032700e1b2578f98aa8ab06cecabc7

SHA1
7d3e02d78264e8ab1f86b42eaa6a543a9f829e03

SHA256
88853216397975798d09c11a7837feeaef2c6c15a3da1da5facb380128974a14

SHA512
70550045f14cd8fbf5fa346975f9a0df32d10b706770c5420bd2b3b85cc990c60daab8a6598c84c222fbcdfa01c0f8e67093f9088a47830ae717b036275fa4ef

Download Submit
\Windows\SysWOW64\Pcdipnqn.exe

Filesize
67KB

MD5
e7aff099095a46c8c290c132e4a53147

SHA1
f12aa0fa2e850c5b162c4489ebc83cde0d3bcfed

SHA256
585b297730129e1cec082a918544683fb97fd11757fdac92d225c0ee3dae452b

SHA512
19cfd6d59667c5e5f025478ab2ea03c914acd5c43ab1de03fd21139ab178c1d51bc1c859d5d955bd4777ce7a69709bb49f41bc324a51bc6c709dd5014d70ceb4

Download Submit
\Windows\SysWOW64\Pdaheq32.exe

Filesize
67KB

MD5
b167e7be762e8afc29d911394417c1a4

SHA1
80c714180099efec151244b50431e8b43b98622d

SHA256
ec09991646e78ec23e8c4f4b1bef7ce4f733a50fed22df45fbf0693cdad69b8d

SHA512
3d56bf481e3458fff20b33aaa1ee03e8743a869aff947d0a8eb2bbea8e644c2d7aeeb50111e08c67f08bd125ffdd188b2af9983216d6156c51472fae1a8d4503

Download Submit
\Windows\SysWOW64\Pfbelipa.exe

Filesize
67KB

MD5
222a2948562ea0459a99420ebca9a3e6

SHA1
051fa5fe9e365720a28bfe8cc6421e00b7cfa160

SHA256
80a81e986528da31cf0ee02df49bd051085c86d2996770a7a0be0724e723a863

SHA512
ff7ff59c5a233bc61bf618d075241a55ec7917317a67b615b739d70b74412a154b3aceb190509ca94190ac7a9ba0547cab2b124dea8cec034756fd81471cc692

Download Submit
\Windows\SysWOW64\Pgbafl32.exe

Filesize
67KB

MD5
621693ef5ba1694900504e1ce9511834

SHA1
d2ab26c8c0a16f621f50525dcae319e332321830

SHA256
f0a0f8c1f02319add6ae1635b0f84acac9a3dff596bc4c969f76148849318336

SHA512
b70e08668ccb04bb42ead231b1ae383cfeab2769674643e02272402f2e607e7f42e88e11a87bfcd421dba8ab6845ded275d3d6daaba9e9e02ca9975b5a944923

Download Submit
\Windows\SysWOW64\Pjbjhgde.exe

Filesize
67KB

MD5
0beb313e3a24796ef4517d1157c21b33

SHA1
80c053b0342ed2ab17be6fc8edb50e2542a468a2

SHA256
28c93fe29db4fd0622c38ca192f682d3b8fbcbf5184cfb9f37c4896a8aac2eaf

SHA512
fd6e8cda8ff7e5d6184983f443bf3a6639781e3f0401a96f62df0625b99adb1d6d97e76c0571ddb5a58b66c7c4b5338757e9622401d0f8f79cf0dd10a00f88c5

Download Submit
\Windows\SysWOW64\Pjpnbg32.exe

Filesize
67KB

MD5
3eb68de7bcd1a32d0b7d9a0403541854

SHA1
8609da7cba6bc4e5e7fb3a09ce77fcb90569a720

SHA256
6ad40e948e2d343896899aaeaa8b959856bfa552b90c8ecca20ba199e3ad0fa8

SHA512
fdfbb73579b759b8fe38f270b542365a74cb6c1942c8653b5a3e39f5a1c3522a5c847fc5576f50fc68d32aad9ffed69b6022d316ac04d0d6cea3b768d4bce09f

Download Submit
memory/592-74-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/592-126-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/592-132-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/592-82-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/612-279-0x0000000000300000-0x000000000033B000-memory.dmp

Filesize
236KB

Download
memory/612-239-0x0000000000300000-0x000000000033B000-memory.dmp

Filesize
236KB

Download
memory/612-278-0x0000000000300000-0x000000000033B000-memory.dmp

Filesize
236KB

Download
memory/612-226-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/612-240-0x0000000000300000-0x000000000033B000-memory.dmp

Filesize
236KB

Download
memory/612-277-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1200-301-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/1200-336-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/1200-335-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1200-291-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1244-386-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1244-349-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1480-380-0x00000000002D0000-0x000000000030B000-memory.dmp

Filesize
236KB

Download
memory/1584-313-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1584-318-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/1584-324-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/1584-358-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2108-165-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2108-116-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2108-162-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2108-102-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2108-166-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2108-115-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2112-302-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2112-348-0x0000000000300000-0x000000000033B000-memory.dmp

Filesize
236KB

Download
memory/2112-347-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2124-212-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2124-219-0x0000000000440000-0x000000000047B000-memory.dmp

Filesize
236KB

Download
memory/2124-266-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2236-31-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2236-81-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2236-92-0x00000000002D0000-0x000000000030B000-memory.dmp

Filesize
236KB

Download
memory/2236-39-0x00000000002D0000-0x000000000030B000-memory.dmp

Filesize
236KB

Download
memory/2236-34-0x00000000002D0000-0x000000000030B000-memory.dmp

Filesize
236KB

Download
memory/2264-195-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2264-189-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2264-242-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2264-180-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2264-227-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2328-366-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2328-359-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2328-396-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2332-288-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2332-312-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2332-323-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2364-261-0x00000000005D0000-0x000000000060B000-memory.dmp

Filesize
236KB

Download
memory/2364-267-0x00000000005D0000-0x000000000060B000-memory.dmp

Filesize
236KB

Download
memory/2364-256-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2364-297-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2392-289-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2392-254-0x00000000002F0000-0x000000000032B000-memory.dmp

Filesize
236KB

Download
memory/2392-290-0x00000000002F0000-0x000000000032B000-memory.dmp

Filesize
236KB

Download
memory/2392-243-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2556-255-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2556-253-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2572-130-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2572-118-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2572-187-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2572-178-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2596-25-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2700-98-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2700-41-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2700-99-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2708-54-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2708-62-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2708-114-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2764-376-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2764-343-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2764-337-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2804-370-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2804-365-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2804-333-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2804-334-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2840-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2840-24-0x0000000000440000-0x000000000047B000-memory.dmp

Filesize
236KB

Download
memory/2840-69-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2900-308-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2900-273-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2916-101-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2916-147-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2916-150-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2916-93-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2916-84-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2940-211-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2980-387-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/3016-148-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3016-210-0x0000000000440000-0x000000000047B000-memory.dmp

Filesize
236KB

Download
memory/3016-208-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3016-161-0x0000000000440000-0x000000000047B000-memory.dmp

Filesize
236KB

Download
memory/3016-163-0x0000000000440000-0x000000000047B000-memory.dmp

Filesize
236KB

Download
memory/3028-194-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3028-138-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads