berbew | aa5d69983366efc1fe8d01ea1172908ee2c046508d67fb4ceadb6f772e1604a5

Analysis

max time kernel
116s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 20:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aa5d69983366efc1fe8d01ea1172908ee2c046508d67fb4ceadb6f772e1604a5N.exe
Size

512KB
MD5

ca4f6b973fbb2dc36d38131c197cd160
SHA1

9c1cd834a13477bea9e0c4d29b10bbf8132423a5
SHA256

aa5d69983366efc1fe8d01ea1172908ee2c046508d67fb4ceadb6f772e1604a5
SHA512

8bc04498ede9c2594e78faa7b9df60dc85adbdecfecc440982816b8795e1fc4ccd8e09a04c76d00d93e1debd8506de0aa06b9d7efea1425ed1eb23fbfcc9caa7
SSDEEP

6144:UnbHJcAIOqe6UK+42GTQMJSZO5f7M0rx7/hP66qve6UK+42GTQMJSZO5f7wj7vKn:Unb1LkY660fIaDZkY660f8jTK/Xhdz

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lonpma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Neknki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agolnbok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqnifg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqpflg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phcilf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgmpibam.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	aa5d69983366efc1fe8d01ea1172908ee2c046508d67fb4ceadb6f772e1604a5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opqoge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kcecbq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oiffkkbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opqoge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phcilf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acfmcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mfokinhf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obmnna32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pepcelel.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplaki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfjann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olpilg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pebpkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahebaiac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adifpk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lonpma32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lldmleam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mqpflg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgmpibam.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lohccp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlefhcnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Accqnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adifpk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcecbq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mqnifg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdjjag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adnpkjde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldpbpgoh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgjccb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Obmnna32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2776	Kcecbq32.exe
288	Kffldlne.exe
2180	Lonpma32.exe
2708	Lldmleam.exe
2848	Ldpbpgoh.exe
1792	Lohccp32.exe
2496	Lhpglecl.exe
2744	Mqnifg32.exe
2272	Mfjann32.exe
2268	Mqpflg32.exe
2244	Mfokinhf.exe
1556	Nlnpgd32.exe
1356	Nefdpjkl.exe
1040	Neknki32.exe
3024	Nlefhcnc.exe
640	Oippjl32.exe
3032	Oibmpl32.exe
924	Olpilg32.exe
1464	Offmipej.exe
300	Obmnna32.exe
2980	Oiffkkbk.exe
2128	Olebgfao.exe
888	Opqoge32.exe
2132	Pbagipfi.exe
2568	Pepcelel.exe
996	Pmkhjncg.exe
540	Pebpkk32.exe
2372	Pplaki32.exe
2712	Phcilf32.exe
2592	Pdjjag32.exe
2508	Pcljmdmj.exe
2536	Qdlggg32.exe
2940	Qgjccb32.exe
2460	Qlgkki32.exe
1400	Qgmpibam.exe
2384	Accqnc32.exe
1716	Agolnbok.exe
1936	Acfmcc32.exe
1588	Afdiondb.exe
2336	Aakjdo32.exe
408	Adifpk32.exe
1640	Ahebaiac.exe
1944	Anbkipok.exe
2196	Agjobffl.exe
708	Akfkbd32.exe
1888	Andgop32.exe
1776	Adnpkjde.exe
1504	Bgllgedi.exe
2976	Bnfddp32.exe
1712	Bdqlajbb.exe
2596	Bgoime32.exe
2768	Bkjdndjo.exe
2828	Bmlael32.exe
2660	Bgaebe32.exe
2932	Bjpaop32.exe
2944	Bmnnkl32.exe
1996	Bchfhfeh.exe
2280	Bieopm32.exe
1496	Bqlfaj32.exe
2296	Bcjcme32.exe
2920	Bjdkjpkb.exe
3056	Bmbgfkje.exe
2728	Coacbfii.exe
632	Cbppnbhm.exe

Loads dropped DLL 64 IoCs

pid	Process
2236	aa5d69983366efc1fe8d01ea1172908ee2c046508d67fb4ceadb6f772e1604a5N.exe
2236	aa5d69983366efc1fe8d01ea1172908ee2c046508d67fb4ceadb6f772e1604a5N.exe
2776	Kcecbq32.exe
2776	Kcecbq32.exe
288	Kffldlne.exe
288	Kffldlne.exe
2180	Lonpma32.exe
2180	Lonpma32.exe
2708	Lldmleam.exe
2708	Lldmleam.exe
2848	Ldpbpgoh.exe
2848	Ldpbpgoh.exe
1792	Lohccp32.exe
1792	Lohccp32.exe
2496	Lhpglecl.exe
2496	Lhpglecl.exe
2744	Mqnifg32.exe
2744	Mqnifg32.exe
2272	Mfjann32.exe
2272	Mfjann32.exe
2268	Mqpflg32.exe
2268	Mqpflg32.exe
2244	Mfokinhf.exe
2244	Mfokinhf.exe
1556	Nlnpgd32.exe
1556	Nlnpgd32.exe
1356	Nefdpjkl.exe
1356	Nefdpjkl.exe
1040	Neknki32.exe
1040	Neknki32.exe
3024	Nlefhcnc.exe
3024	Nlefhcnc.exe
640	Oippjl32.exe
640	Oippjl32.exe
3032	Oibmpl32.exe
3032	Oibmpl32.exe
924	Olpilg32.exe
924	Olpilg32.exe
1464	Offmipej.exe
1464	Offmipej.exe
300	Obmnna32.exe
300	Obmnna32.exe
2980	Oiffkkbk.exe
2980	Oiffkkbk.exe
2128	Olebgfao.exe
2128	Olebgfao.exe
888	Opqoge32.exe
888	Opqoge32.exe
2132	Pbagipfi.exe
2132	Pbagipfi.exe
2568	Pepcelel.exe
2568	Pepcelel.exe
996	Pmkhjncg.exe
996	Pmkhjncg.exe
540	Pebpkk32.exe
540	Pebpkk32.exe
2372	Pplaki32.exe
2372	Pplaki32.exe
2712	Phcilf32.exe
2712	Phcilf32.exe
2592	Pdjjag32.exe
2592	Pdjjag32.exe
2508	Pcljmdmj.exe
2508	Pcljmdmj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lldmleam.exe	Lonpma32.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Nbklpemb.dll	Oiffkkbk.exe
File opened for modification	C:\Windows\SysWOW64\Accqnc32.exe	Qgmpibam.exe
File opened for modification	C:\Windows\SysWOW64\Cocphf32.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Pghaaidm.dll	Oibmpl32.exe
File opened for modification	C:\Windows\SysWOW64\Pdjjag32.exe	Phcilf32.exe
File created	C:\Windows\SysWOW64\Qlgkki32.exe	Qgjccb32.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Jefdckem.dll	Lldmleam.exe
File created	C:\Windows\SysWOW64\Lhpglecl.exe	Lohccp32.exe
File created	C:\Windows\SysWOW64\Nlefhcnc.exe	Neknki32.exe
File opened for modification	C:\Windows\SysWOW64\Nlefhcnc.exe	Neknki32.exe
File created	C:\Windows\SysWOW64\Pcljmdmj.exe	Pdjjag32.exe
File opened for modification	C:\Windows\SysWOW64\Qgjccb32.exe	Qdlggg32.exe
File created	C:\Windows\SysWOW64\Agjobffl.exe	Anbkipok.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Kcecbq32.exe	aa5d69983366efc1fe8d01ea1172908ee2c046508d67fb4ceadb6f772e1604a5N.exe
File created	C:\Windows\SysWOW64\Kjfkcopd.dll	Opqoge32.exe
File created	C:\Windows\SysWOW64\Pplaki32.exe	Pebpkk32.exe
File created	C:\Windows\SysWOW64\Gbnbjo32.dll	Bieopm32.exe
File created	C:\Windows\SysWOW64\Odldga32.dll	Nefdpjkl.exe
File created	C:\Windows\SysWOW64\Olpilg32.exe	Oibmpl32.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Nlnpgd32.exe	Mfokinhf.exe
File created	C:\Windows\SysWOW64\Oiffkkbk.exe	Obmnna32.exe
File created	C:\Windows\SysWOW64\Incleo32.dll	Acfmcc32.exe
File created	C:\Windows\SysWOW64\Aqcifjof.dll	Pplaki32.exe
File opened for modification	C:\Windows\SysWOW64\Akfkbd32.exe	Agjobffl.exe
File created	C:\Windows\SysWOW64\Lmdlck32.dll	Bnfddp32.exe
File opened for modification	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cjonncab.exe
File opened for modification	C:\Windows\SysWOW64\Lldmleam.exe	Lonpma32.exe
File opened for modification	C:\Windows\SysWOW64\Oibmpl32.exe	Oippjl32.exe
File opened for modification	C:\Windows\SysWOW64\Bnfddp32.exe	Bgllgedi.exe
File opened for modification	C:\Windows\SysWOW64\Bgoime32.exe	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Cbppnbhm.exe	Coacbfii.exe
File opened for modification	C:\Windows\SysWOW64\Mqpflg32.exe	Mfjann32.exe
File opened for modification	C:\Windows\SysWOW64\Qdlggg32.exe	Pcljmdmj.exe
File created	C:\Windows\SysWOW64\Aglfmjon.dll	Andgop32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbgfkje.exe	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Cocphf32.exe	Ciihklpj.exe
File opened for modification	C:\Windows\SysWOW64\Bmlael32.exe	Bkjdndjo.exe
File opened for modification	C:\Windows\SysWOW64\Lonpma32.exe	Kffldlne.exe
File created	C:\Windows\SysWOW64\Kmdlca32.dll	Olpilg32.exe
File opened for modification	C:\Windows\SysWOW64\Pepcelel.exe	Pbagipfi.exe
File created	C:\Windows\SysWOW64\Phcilf32.exe	Pplaki32.exe
File created	C:\Windows\SysWOW64\Bdqlajbb.exe	Bnfddp32.exe
File opened for modification	C:\Windows\SysWOW64\Bkjdndjo.exe	Bgoime32.exe
File created	C:\Windows\SysWOW64\Dkodahqi.dll	Olebgfao.exe
File opened for modification	C:\Windows\SysWOW64\Cbppnbhm.exe	Coacbfii.exe
File opened for modification	C:\Windows\SysWOW64\Cchbgi32.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Gbfkdo32.dll	Nlefhcnc.exe
File created	C:\Windows\SysWOW64\Jhbcjo32.dll	Pcljmdmj.exe
File opened for modification	C:\Windows\SysWOW64\Ldpbpgoh.exe	Lldmleam.exe
File created	C:\Windows\SysWOW64\Mqnifg32.exe	Lhpglecl.exe
File created	C:\Windows\SysWOW64\Agolnbok.exe	Accqnc32.exe
File created	C:\Windows\SysWOW64\Jendoajo.dll	Adifpk32.exe
File opened for modification	C:\Windows\SysWOW64\Cnimiblo.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Cchbgi32.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Offmipej.exe	Olpilg32.exe
File created	C:\Windows\SysWOW64\Opqoge32.exe	Olebgfao.exe
File created	C:\Windows\SysWOW64\Kqcjjk32.dll	Phcilf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2224	2548	WerFault.exe	107

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldpbpgoh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aakjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anbkipok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfokinhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obmnna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplaki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdlggg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgmpibam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfmcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjobffl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcljmdmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accqnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akfkbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgllgedi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgoime32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olpilg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcecbq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhpglecl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiffkkbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qlgkki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adifpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnpkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coacbfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Offmipej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phcilf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neknki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pebpkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa5d69983366efc1fe8d01ea1172908ee2c046508d67fb4ceadb6f772e1604a5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmkhjncg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjjag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfjann32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqpflg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olebgfao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agolnbok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kffldlne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nefdpjkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlefhcnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lonpma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lldmleam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqnifg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oibmpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbagipfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afdiondb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mfokinhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jendoajo.dll"	Adifpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agolnbok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngpjpqe.dll"	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldpbpgoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kagflkia.dll"	Nlnpgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgjccb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Coacbfii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mqnifg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmkhjncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekndacia.dll"	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afdiondb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmkhjncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggpgo32.dll"	Agjobffl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	aa5d69983366efc1fe8d01ea1172908ee2c046508d67fb4ceadb6f772e1604a5N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgbioq32.dll"	Mqpflg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlnpgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdjjag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabhggjd.dll"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kffldlne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acfmcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abnhjmjc.dll"	Lohccp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oippjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcljmdmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nefdpjkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbklpemb.dll"	Oiffkkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcopgk32.dll"	Qgmpibam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgoime32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baepmlkg.dll"	Oippjl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcljmdmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ahebaiac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	aa5d69983366efc1fe8d01ea1172908ee2c046508d67fb4ceadb6f772e1604a5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciffggmh.dll"	Mqnifg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Offmipej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpioba32.dll"	Pbagipfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Neknki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olpecfkn.dll"	Qdlggg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anbkipok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnajpcii.dll"	Ldpbpgoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmapmi32.dll"	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adnpkjde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnfddp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2776	2236	aa5d69983366efc1fe8d01ea1172908ee2c046508d67fb4ceadb6f772e1604a5N.exe	31
PID 2236 wrote to memory of 2776	2236	aa5d69983366efc1fe8d01ea1172908ee2c046508d67fb4ceadb6f772e1604a5N.exe	31
PID 2236 wrote to memory of 2776	2236	aa5d69983366efc1fe8d01ea1172908ee2c046508d67fb4ceadb6f772e1604a5N.exe	31
PID 2236 wrote to memory of 2776	2236	aa5d69983366efc1fe8d01ea1172908ee2c046508d67fb4ceadb6f772e1604a5N.exe	31
PID 2776 wrote to memory of 288	2776	Kcecbq32.exe	32
PID 2776 wrote to memory of 288	2776	Kcecbq32.exe	32
PID 2776 wrote to memory of 288	2776	Kcecbq32.exe	32
PID 2776 wrote to memory of 288	2776	Kcecbq32.exe	32
PID 288 wrote to memory of 2180	288	Kffldlne.exe	33
PID 288 wrote to memory of 2180	288	Kffldlne.exe	33
PID 288 wrote to memory of 2180	288	Kffldlne.exe	33
PID 288 wrote to memory of 2180	288	Kffldlne.exe	33
PID 2180 wrote to memory of 2708	2180	Lonpma32.exe	34
PID 2180 wrote to memory of 2708	2180	Lonpma32.exe	34
PID 2180 wrote to memory of 2708	2180	Lonpma32.exe	34
PID 2180 wrote to memory of 2708	2180	Lonpma32.exe	34
PID 2708 wrote to memory of 2848	2708	Lldmleam.exe	35
PID 2708 wrote to memory of 2848	2708	Lldmleam.exe	35
PID 2708 wrote to memory of 2848	2708	Lldmleam.exe	35
PID 2708 wrote to memory of 2848	2708	Lldmleam.exe	35
PID 2848 wrote to memory of 1792	2848	Ldpbpgoh.exe	36
PID 2848 wrote to memory of 1792	2848	Ldpbpgoh.exe	36
PID 2848 wrote to memory of 1792	2848	Ldpbpgoh.exe	36
PID 2848 wrote to memory of 1792	2848	Ldpbpgoh.exe	36
PID 1792 wrote to memory of 2496	1792	Lohccp32.exe	37
PID 1792 wrote to memory of 2496	1792	Lohccp32.exe	37
PID 1792 wrote to memory of 2496	1792	Lohccp32.exe	37
PID 1792 wrote to memory of 2496	1792	Lohccp32.exe	37
PID 2496 wrote to memory of 2744	2496	Lhpglecl.exe	38
PID 2496 wrote to memory of 2744	2496	Lhpglecl.exe	38
PID 2496 wrote to memory of 2744	2496	Lhpglecl.exe	38
PID 2496 wrote to memory of 2744	2496	Lhpglecl.exe	38
PID 2744 wrote to memory of 2272	2744	Mqnifg32.exe	39
PID 2744 wrote to memory of 2272	2744	Mqnifg32.exe	39
PID 2744 wrote to memory of 2272	2744	Mqnifg32.exe	39
PID 2744 wrote to memory of 2272	2744	Mqnifg32.exe	39
PID 2272 wrote to memory of 2268	2272	Mfjann32.exe	40
PID 2272 wrote to memory of 2268	2272	Mfjann32.exe	40
PID 2272 wrote to memory of 2268	2272	Mfjann32.exe	40
PID 2272 wrote to memory of 2268	2272	Mfjann32.exe	40
PID 2268 wrote to memory of 2244	2268	Mqpflg32.exe	41
PID 2268 wrote to memory of 2244	2268	Mqpflg32.exe	41
PID 2268 wrote to memory of 2244	2268	Mqpflg32.exe	41
PID 2268 wrote to memory of 2244	2268	Mqpflg32.exe	41
PID 2244 wrote to memory of 1556	2244	Mfokinhf.exe	42
PID 2244 wrote to memory of 1556	2244	Mfokinhf.exe	42
PID 2244 wrote to memory of 1556	2244	Mfokinhf.exe	42
PID 2244 wrote to memory of 1556	2244	Mfokinhf.exe	42
PID 1556 wrote to memory of 1356	1556	Nlnpgd32.exe	43
PID 1556 wrote to memory of 1356	1556	Nlnpgd32.exe	43
PID 1556 wrote to memory of 1356	1556	Nlnpgd32.exe	43
PID 1556 wrote to memory of 1356	1556	Nlnpgd32.exe	43
PID 1356 wrote to memory of 1040	1356	Nefdpjkl.exe	44
PID 1356 wrote to memory of 1040	1356	Nefdpjkl.exe	44
PID 1356 wrote to memory of 1040	1356	Nefdpjkl.exe	44
PID 1356 wrote to memory of 1040	1356	Nefdpjkl.exe	44
PID 1040 wrote to memory of 3024	1040	Neknki32.exe	45
PID 1040 wrote to memory of 3024	1040	Neknki32.exe	45
PID 1040 wrote to memory of 3024	1040	Neknki32.exe	45
PID 1040 wrote to memory of 3024	1040	Neknki32.exe	45
PID 3024 wrote to memory of 640	3024	Nlefhcnc.exe	46
PID 3024 wrote to memory of 640	3024	Nlefhcnc.exe	46
PID 3024 wrote to memory of 640	3024	Nlefhcnc.exe	46
PID 3024 wrote to memory of 640	3024	Nlefhcnc.exe	46

C:\Users\Admin\AppData\Local\Temp\aa5d69983366efc1fe8d01ea1172908ee2c046508d67fb4ceadb6f772e1604a5N.exe
"C:\Users\Admin\AppData\Local\Temp\aa5d69983366efc1fe8d01ea1172908ee2c046508d67fb4ceadb6f772e1604a5N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\Kcecbq32.exe
  C:\Windows\system32\Kcecbq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\Kffldlne.exe
    C:\Windows\system32\Kffldlne.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:288
  - - C:\Windows\SysWOW64\Lonpma32.exe
      C:\Windows\system32\Lonpma32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2180
    - - C:\Windows\SysWOW64\Lldmleam.exe
        
        C:\Windows\system32\Lldmleam.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\SysWOW64\Ldpbpgoh.exe
        
        C:\Windows\system32\Ldpbpgoh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Lohccp32.exe
        
        C:\Windows\system32\Lohccp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Lhpglecl.exe
        
        C:\Windows\system32\Lhpglecl.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Mqnifg32.exe
        
        C:\Windows\system32\Mqnifg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Mfjann32.exe
        
        C:\Windows\system32\Mfjann32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Mqpflg32.exe
        
        C:\Windows\system32\Mqpflg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Mfokinhf.exe
        
        C:\Windows\system32\Mfokinhf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Nlnpgd32.exe
        
        C:\Windows\system32\Nlnpgd32.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\Nefdpjkl.exe
        
        C:\Windows\system32\Nefdpjkl.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Neknki32.exe
        
        C:\Windows\system32\Neknki32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Nlefhcnc.exe
        
        C:\Windows\system32\Nlefhcnc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Oippjl32.exe
        
        C:\Windows\system32\Oippjl32.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Oibmpl32.exe
        
        C:\Windows\system32\Oibmpl32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\Olpilg32.exe
        
        C:\Windows\system32\Olpilg32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Windows\SysWOW64\Offmipej.exe
        
        C:\Windows\system32\Offmipej.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Obmnna32.exe
        
        C:\Windows\system32\Obmnna32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:300
        
        C:\Windows\SysWOW64\Oiffkkbk.exe
        
        C:\Windows\system32\Oiffkkbk.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Olebgfao.exe
        
        C:\Windows\system32\Olebgfao.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\Opqoge32.exe
        
        C:\Windows\system32\Opqoge32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:888
        
        C:\Windows\SysWOW64\Pbagipfi.exe
        
        C:\Windows\system32\Pbagipfi.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Pepcelel.exe
        
        C:\Windows\system32\Pepcelel.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2568
        
        C:\Windows\SysWOW64\Pmkhjncg.exe
        
        C:\Windows\system32\Pmkhjncg.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Pebpkk32.exe
        
        C:\Windows\system32\Pebpkk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\Pplaki32.exe
        
        C:\Windows\system32\Pplaki32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\Phcilf32.exe
        
        C:\Windows\system32\Phcilf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Windows\SysWOW64\Pdjjag32.exe
        
        C:\Windows\system32\Pdjjag32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Pcljmdmj.exe
        
        C:\Windows\system32\Pcljmdmj.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Qdlggg32.exe
        
        C:\Windows\system32\Qdlggg32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Qgjccb32.exe
        
        C:\Windows\system32\Qgjccb32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Qlgkki32.exe
        
        C:\Windows\system32\Qlgkki32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\Qgmpibam.exe
        
        C:\Windows\system32\Qgmpibam.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Accqnc32.exe
        
        C:\Windows\system32\Accqnc32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Agolnbok.exe
        
        C:\Windows\system32\Agolnbok.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Acfmcc32.exe
        
        C:\Windows\system32\Acfmcc32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Afdiondb.exe
        
        C:\Windows\system32\Afdiondb.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Aakjdo32.exe
        
        C:\Windows\system32\Aakjdo32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\Adifpk32.exe
        
        C:\Windows\system32\Adifpk32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Ahebaiac.exe
        
        C:\Windows\system32\Ahebaiac.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Anbkipok.exe
        
        C:\Windows\system32\Anbkipok.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Agjobffl.exe
        
        C:\Windows\system32\Agjobffl.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Akfkbd32.exe
        
        C:\Windows\system32\Akfkbd32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:708
        
        C:\Windows\SysWOW64\Andgop32.exe
        
        C:\Windows\system32\Andgop32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1888
        
        C:\Windows\SysWOW64\Adnpkjde.exe
        
        C:\Windows\system32\Adnpkjde.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Bgllgedi.exe
        
        C:\Windows\system32\Bgllgedi.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Bnfddp32.exe
        
        C:\Windows\system32\Bnfddp32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\Bgoime32.exe
        
        C:\Windows\system32\Bgoime32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Bmlael32.exe
        
        C:\Windows\system32\Bmlael32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Bmnnkl32.exe
        
        C:\Windows\system32\Bmnnkl32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2920
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Coacbfii.exe
        
        C:\Windows\system32\Coacbfii.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 144
        79⤵
        Program crash
        
        PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aakjdo32.exe

Filesize
512KB

MD5
debb77576ea6bb2e24e8f23ba2b2225c

SHA1
3a1741701ad851911797ae74aeec9bbdd4942f02

SHA256
2c12d8c1aea8e2320600eb6701ee2dcad8e322833405b66adbdb7d07a04a7fc5

SHA512
66319d26b512530256013f204e4077b15938914c4593a91528d6705ed1b33a2fb4ea97387d0ba4c1325a99e1d740bbb86ec16a19c115c440aed8be70970725f7

Download Submit
C:\Windows\SysWOW64\Accqnc32.exe

Filesize
512KB

MD5
5d21a8015a02b3deaa8657aba0150801

SHA1
0061482569d6e3d6f8b2dae868391a1c1b486260

SHA256
f2e25e1e0da74fe380586a974e8801a1ae07cd99656907f6f2facae5304ff218

SHA512
91ce2868a3cb1642c5bb6534a5a2c2c5630de2108ec2ef8eef322dfaecc6e94b6d4539b260c35a0960602bbedf1cacb95a2d80e99a3f8aac289ca824e1ca9b19

Download Submit
C:\Windows\SysWOW64\Acfmcc32.exe

Filesize
512KB

MD5
3f6e8f2f03c07ac8e737a8d8ad169e45

SHA1
078ebf838edcfaef1b67a4bc0b5f569f6b374c98

SHA256
07d555ca559f63d3e3f4ad88769b1404179bdea24873ab0d3d435fe9271b4490

SHA512
9b245950a395bc6a4faaba7a325389c060eff171b00011f678b539be927f44aaf8aa8e2c6b10983d061e7405a70275a68a8b15c4213b68e327881db5f86751c0

Download Submit
C:\Windows\SysWOW64\Adifpk32.exe

Filesize
512KB

MD5
9337f5b1c480232583acecf368a493c6

SHA1
4dd3ec461490493885b39a4378974a7e9f1b5141

SHA256
61088617cb81807989160504ba68dc6492a0fd09f7b49f416eafa68fdca15b2d

SHA512
9757e3d4f418d92b92cff259575130954942e1bd25e228e08c0009d390719a739b001c9313d380e2022e47744740407841c4d49688062fdde2f1fb9e213de9ae

Download Submit
C:\Windows\SysWOW64\Adnpkjde.exe

Filesize
512KB

MD5
1369149a5124237e196fc7e5a112e677

SHA1
ae745c0e90cbf7ab8484f675f6f8254dc7e302b6

SHA256
500ab04014e52ff0c6f4d53de9c87448d00e8f25ef21a4a2bdfec2e6ecf3562b

SHA512
0e20412a273de4512068ba721e135c5591d609b8273b94331a521b7e7331335910829b42090e8df5120648e8b8e0f3242e403c9534094d52edee635212781dca

Download Submit
C:\Windows\SysWOW64\Afdiondb.exe

Filesize
512KB

MD5
39d61a1ff1fdcde2890ff1c91d0d6142

SHA1
0a6f353e425756d2cee08892bd026c9c601c5ecc

SHA256
0ded24898d79c89f43105e3cf3e86a9e9aecec77eb2d6a39245cf6fc175d9f3b

SHA512
4f193f706ba9e95e12afe72bb3ae14a3a8cd24635ea152efd9d545d2d712487b5a43c0a0829ff5674c1273e2c7fcf8ada9d243cbf58e28e081714baae4d27715

Download Submit
C:\Windows\SysWOW64\Agjobffl.exe

Filesize
512KB

MD5
41b73a9c7b3faecdaf48fc0ba578a5d8

SHA1
3c9e991a6d327b095f672fedfe16653f14845131

SHA256
0f34d679a82b3c4490996e6abbc32b1241ba4a172125ef9f145a1faf0a993bf7

SHA512
37ca26ac0e6a54b1936dc88d04192d3a0af3c761374e2b7f515d11253f9a1e69fdc2f22f671893ad99b5d171ee15e0f0f088ef42f98585139c64da185b13fca2

Download Submit
C:\Windows\SysWOW64\Agolnbok.exe

Filesize
512KB

MD5
e91b57ad68adb08ea7feb0d06e415619

SHA1
1d8a4d764420a81fef89d4d0b69f33e69d7b182b

SHA256
c1f68fa62b15a537dcf5044fa92603ba15157cb9a2a8d2076b70c259f39e52db

SHA512
ee77bd297f92f471505c84600c9fd36ea7b35fa5fa972ac53adedd1d91df1ee2272e45661615fb33b155085d08d15bf341fa1993af7be96bf5d769711bb25cf7

Download Submit
C:\Windows\SysWOW64\Ahebaiac.exe

Filesize
512KB

MD5
d01b0b8f524f14d1c5ab968aa3ecf032

SHA1
37e95f1b286d829b4614e75bf405b8687f7b0dd4

SHA256
a10e866e6f43cd3c4142c9536486aa4ac80b023a45ea6d1a79a2fa0d14582b75

SHA512
2e03b236a46e19d1836e31b9a10460c55d6bd3c0f5d4d118f540eb752c3c90547be43dc98fdb9c6d7cfc02758c99c9564c816582175f4e4dec08314a56ecf488

Download Submit
C:\Windows\SysWOW64\Akfkbd32.exe

Filesize
512KB

MD5
b31a0c6a8f7c9ecb8d55cae589f3296f

SHA1
cc73cff514d4bceb5ce02cf9996779c25ddf59db

SHA256
4e7d465bd021339ec9796d65510800a2550d4ec09a1056d51ea933944b63f9e3

SHA512
dddeb4feed26fa66ccb30876048cee5a85c252e4010f427fbe8a4667fdbc0c2390f6a36e8ecb7c0312a44223cd9993310dee475c3bd418dba66b18279aa9f0c6

Download Submit
C:\Windows\SysWOW64\Anbkipok.exe

Filesize
512KB

MD5
6b79926e63181621df4c90b7ab5591e3

SHA1
e7bd6c93ba2a321ce516df671a31a8e1bcc10e3d

SHA256
9cdcf52b4205114e4500a0aeaad25c357b2f6b89d26bcb5bbfd6eefae48e840d

SHA512
75ff5f5b00761bfcc9b3047fbea1c1d5e8768f78060d7361790e44ae77484da78c7643d47fadb3f978c28d9072b78aa6e1fc07a0437a9bf849d4accfc967a413

Download Submit
C:\Windows\SysWOW64\Andgop32.exe

Filesize
512KB

MD5
e4c0d4bccf4189eb24c2b10c24b5fa62

SHA1
754e028de1bd1a860933159a9197583b8309b87b

SHA256
43eeb10e6d2f881d6679a42b355a2d2b92817f332343d92ac8acc07f1cb907ba

SHA512
ed9f817ff46a9593a06588bf9ab83a50e8c367d6204c8b62b487aa3250ccfc85cb749241ce36171b1d77fe2c0f725ba277c2c8caa919fe81780f68ff69301316

Download Submit
C:\Windows\SysWOW64\Bchfhfeh.exe

Filesize
512KB

MD5
545b2ed53b9cdb0773755dc178b096e9

SHA1
c6a62d85c9e0cac3f435f13848810d84bb891e8b

SHA256
ba2ea73cedbac50935b5b269ec84001483859350c167a513d6af595a67b8c113

SHA512
1f40a55c7cf162cd13090188822d1e6f73e47f093964c6864ec92f2ff5ba94b8f6b2250e20f14755803fab697cafc9f40a2fbf02eece38ed83472cbc99bcf8af

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
512KB

MD5
8a472aa7d621ba2b1fc8e08d758035cc

SHA1
0baf9cf33b43507ed6d957d3c303ae53e7b420a7

SHA256
4b76ce6ff3161988934fc8e29ffbb19223c788525536ec0e2ff8006f18fdf777

SHA512
0ae08dba1b8d307b35d08a4ee162b4f0c5c748791e094c22a3b17c8afc4da5a24a7bb00ddacb56355da61f873672c5575ad93c5fbf60a628c7e6173ec20eaaea

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
512KB

MD5
eaea9a518de2105e69599a9b07b9b250

SHA1
bad7abfd4a8dbc894177705f8816e9825dc16b9a

SHA256
17aa0727b6f4dd60fe44f39c7ca01158aeb514496d7ca5ab2aa95d94381b9e0e

SHA512
f4ed5bf270b2e195bc21bcc633fd39ce4e70b9bb9f05cd70016069a1f6029b80af2b2cc890fcba7e2409fcc8a60a26109a367656d9b9e319dcfde50bf2462137

Download Submit
C:\Windows\SysWOW64\Bgaebe32.exe

Filesize
512KB

MD5
152f3b2f75b22f82928814823cbd02d4

SHA1
0721a11152c2edc704c4fbd9ef5fed84716a5a87

SHA256
ac7307d31ab666a36e93a8b40782779e0d633189531b535194f16fdc371abc0c

SHA512
4b08913004e67d5f1a8dd809b6664c282b4ffcb08c260c863d9d40841e1c38430f525170191b27d5ef862071b0a1dc7984672fee10691e92978426bf55c90874

Download Submit
C:\Windows\SysWOW64\Bgllgedi.exe

Filesize
512KB

MD5
0ab917a6c6d109a8238f65b9dfb5e598

SHA1
ba0cc926cd479ef36aed5357a90c13eeafe32363

SHA256
9d0fe176e6582073d23b05620e2f7b498024feb076a00c49b059af74d8e5a1d7

SHA512
1284ee93f5f68570eb7a508d291503fb47799727f23f9ea3b5ea12618b0d313095f57b704d1c2f0cc7a6a968dc3163e91c1b071a46b0036f94adbb20fc1ed3ff

Download Submit
C:\Windows\SysWOW64\Bgoime32.exe

Filesize
512KB

MD5
ff933f92b141d7579c4da3cd9082f7cb

SHA1
81b32d891901f7ede3e6b99319c3ba3a06481d75

SHA256
48533261c0dd4efd815d3b54855053e01e4626031f62e3962097e567108bc10e

SHA512
77dd2a2b0f8f0b6bc91c59dfbd7727f9c26a2b30788ec93dcf7237cf96de5d263c9bf42db9cbc2e0468e006c7fab97a8c67ba0c81360adb25f989d8eef3df559

Download Submit
C:\Windows\SysWOW64\Bieopm32.exe

Filesize
512KB

MD5
9bbfcb735dbaf92f37bfbc2a81845966

SHA1
94d8bf62918e798719a05ab8d8218619cf8f72f2

SHA256
c5fd6b263dc2ef2af562d933c503b83e5e9d837f55ead161dc1520d5f5a60658

SHA512
6fdd5e4efc1391b3cff59e1c43988ff95a631b8618474273d55e82bd247bf71945d82b20ffe15c3d066d8684a1325132949a953ca363680d62dc88077fb492bc

Download Submit
C:\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
512KB

MD5
da198be2ab07c5266417ef82be72c8ac

SHA1
06be16d2b4765b78b2effac410f005650dca78cc

SHA256
d4598c8a5499d88f8e7cff7b40e7d28a73ddc0db25301b5be6c82d159f5ed49d

SHA512
6158e4900d9ad39813a8fb6c0254355d3c3635a5996ba33e1f59a8db7eab484e284933c11d7a9c6238d5786e37d1c2a596771cb64c2693ef62d536498b6028ee

Download Submit
C:\Windows\SysWOW64\Bjpaop32.exe

Filesize
512KB

MD5
4bdbb07df0faeeef12d1a3c40433b85c

SHA1
92042a69b2e04eb5d448c11291fdf509faf16178

SHA256
db861bc7380d216bb2047eeab8ad479878aba5b1edf046f1721923e045585362

SHA512
f993d87d57c4d5fe632b307b99919a1a8db74341b1eee417a2a8872a0ab877d4f4888a5ffa2dd7d97948c08eeaa7f01f4733ea4e665f9bcb556a8293f0cfe2bd

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
512KB

MD5
3f78b012046a0688c774a1a464131a55

SHA1
fe307a1ae45f3c5aa5794f36a0ad7c5e68e7c57c

SHA256
f61d00d92be7dc43fb650baeb15bea52fe93cae2dccf02a1af466d959b7d7c96

SHA512
93a0f00252b4f52b5e89bd49674a072754630027a1081043eb54a2dffad7c3183d69a48cc1ef01544fe25f248acf9f93b298bbccf6926827c6f957190566708b

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
512KB

MD5
c3ab6de7d3bc52cff88978cf5d3fef3f

SHA1
6f7f5e0446a165e4265436e46c0b5f68776c967f

SHA256
b3073af232860e49d8fb97b343cdef2a521b6c2df13ab0c929ba453d047ef50b

SHA512
e3ebe54b3b55ed98ebe9dcd3928b569278c55c78eb4eb0d63b5e00468284ab26d0ab37178e7f52b6d8cd6a9a1f21e20a9d5409f2a95825caeff07098a5ce43ca

Download Submit
C:\Windows\SysWOW64\Bmlael32.exe

Filesize
512KB

MD5
242ac642c4af6b1d76202637b6578869

SHA1
49d023973a7aaa7e2e2012714221f793966cd4bf

SHA256
ac1ec2246c06082c39797b066127fc06a4a2b3c9c82d546b0eabdda66f78ae5e

SHA512
073addc3390469cc5c57a71317b864148be98fae34034a0d177b4a5374874d3571b5c6d941ede5acfea60f823cc940961ab5477f96a9caf6181dc81993d0e8ea

Download Submit
C:\Windows\SysWOW64\Bmnnkl32.exe

Filesize
512KB

MD5
899beb9b6791859ce55355edb00fd034

SHA1
6e37c713039e8a99a1e487e57738f2fceb5cf7e3

SHA256
bbe0be00f6282399003221085eedf89f944041238e3b12946609e8a7b4d5df8d

SHA512
2caa662c05a3cfe0a2154c4d51884286619f41fd3da224c68c1fee711b04131e150551efe0cb10299cfa3f569b51ff9b059eb31757d6907729989e50657f7047

Download Submit
C:\Windows\SysWOW64\Bnfddp32.exe

Filesize
512KB

MD5
999aeb7bd50eaddf9028af544526b743

SHA1
bb900fe4a0fd9c45f35f391280ff395cdb58a320

SHA256
892fa76dafbcd7f75aeb5720e7a7486ff374f8a68a2f058f3a05672d525cf9e8

SHA512
374fc3b8fc5e068bdf84ff06083e45372c504aa0fded40ee58226aa623737214521f7fc9b8452f7588f2c40470e14274d7a52b52ddcaf59ed4b80712f9df4421

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
512KB

MD5
845925b99b4adc1fa34b90f08f8458af

SHA1
9e9db89e0c0405841cb980d97dee21c17f2178ff

SHA256
e8e1b4973992a03b60f9d12e1a56493f8bc172c2fc20a0ecfc4a15729f8be9da

SHA512
f0a8776cec1e7f77154f25bc436108011c3340ca1f6ecd27999376c6a523b60154cb25c775ac058f72a5a183489bb01619e482dd5d4d49dcabe109442cc31448

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
512KB

MD5
0993370fabf58077d35bbcd40e2eb1fa

SHA1
6a33a1e36d657756caf7dc7cc1c11ca35ed577c6

SHA256
bc9496c6e9690c79cb023a07fa035259c4e53840691937ad228033b61d24be0c

SHA512
9a0c21eebbd4cec987bf4f8ffc7187ba4b52500e74ff1d01155be3a201bb73c8e7b4582802e12ae62b0d0dd36d386cb4a7b3ed4f5757a38a909a9fc14fcd21a4

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
512KB

MD5
634ffbf5284087cae774c966ba7172f2

SHA1
33d1b4cf404e255d1e8ed4cf6f6023da7611b1b0

SHA256
3f971c81860e23faada2d8dccc174e6a99dfacd89917004089a48dc8aaa90405

SHA512
a1fcfe028dabfb9574edb9e0dc43d941284869670fb222929084e53e11c4c1f501a93ab01568adaa5ecc2850bbfb0061f5d8751da64c48736c4511a1fa7e255d

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
512KB

MD5
88587e39ec6dfcbfc296464f81acfcd9

SHA1
952a83d2e74591805b695eae7af72e3594087a6f

SHA256
ad434731ffc310f56a3123abf085e68b7b8f5aafc7d88ed381ddd9a7d0e5ba97

SHA512
bc2ced76f0d8f0918e0c3913d6b16082f824e2a18fb57243211953f733a66309d9dbd066362996a0283e6f43d90b528e92f85c86f2961d148fef85af08995f14

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
512KB

MD5
cf4df35dc1f0c46fc8e5f9ea37b2e4c4

SHA1
7fce942f5040d55fce94d021c951ddc37ec98069

SHA256
2e86ba0b34eb1abdd1653c8e3ca9e45091d964bcd8e3dbc17907ccca191960f7

SHA512
e55977b3a48dd2c62cf083157316e28787eef2dae27cdaa2abca88f9ff00553552cb55f2c40ab9d6ca5c142a13d41d78804d05a0a5464ac949e4e09b0658ab68

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
512KB

MD5
d2ae6517856211dade84636ece19d00e

SHA1
dda93c7e5190eb3307635158e9d0e9d1aeed56fd

SHA256
6a6d940546b6ec785e51c575013899e38dbef6e71f371a715be6b75aa914438f

SHA512
a3ca14f38a525a5542be0943f7401774da22ca7375de2fdce568c5371c01538952b27ec98282d9c2f700b618c7c49b10af973364fa45e4de549b3e149a571ae9

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
512KB

MD5
0586d8ebf6e672e4f6932e2c5d575afc

SHA1
5144bf30910bd3a801226e1afe3d67f5e7873b4d

SHA256
b2bdf6947b7877107ed8368169d26e4684aab486aaf330523223bee8d6e62eb8

SHA512
d8530284c4a35befb750b266933046d948bafcfdbc839d8219311b3d372a54119ac83be325f001d214642017efba5fdd0bae3265c71fca199e0a990d51a7a0ce

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
512KB

MD5
dc953bc8801a6f056015f4d47991ea99

SHA1
351b9362e2126e2fed98031c7d9d96ba7a468847

SHA256
32b57fe2f73f4563ce02e6ce216087b2a76152192ec112ab4d8282e7e29c9c45

SHA512
cf5bcd2594e3d5a7f2cfe9576a56741ea0fd6d1fde5c27c8fa0506c0cacd2544147cc736fb8a9aab28a9db978d93f01f365b699238b5a7fc71eba562733595ab

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
512KB

MD5
c88aaffe81ffe9c8e8ccfa292036465c

SHA1
2f8a81ff453ea387309ee4475dfdc4a2ac6ed6d2

SHA256
1711622325259da3c9c23f4aef3b25f3ae7ec6da1f75dceccc6dfc02a4a30953

SHA512
380d089c5c57fe1270021a52a147f8b5077bad469ee9ec3a3a13c1631742e4fde0dda0e5a7800da7061fa3c6a08b35d4968cbfb82e34d6b3d5ce0bf6b7fc8f26

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
512KB

MD5
c41760146f813521cb50be1a27cba367

SHA1
2ab8e511c0589eba846973550ca59e903334069c

SHA256
eecd3d252ed4f26dcd7aa2d6391845bb93a48a0723130fdae556af2140351637

SHA512
dd548ca2434ec79beef469fa441441592d830fda932d2d88d9b7fd4f322b546e1a28a9426df27fea649e15cc4d48fde99446a74e106b910114c62f1326340d26

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
512KB

MD5
197b0f8d5bf91fb965c261107975da29

SHA1
8e3fb1beb3f7ee13620cd8c54f9ad7c460e206cf

SHA256
a077c6bfdd0d628a1c08f7a762cd5589565b8c46702259f9b171e0a779ea71f3

SHA512
c32ec81cda8db7fdd02af2bc820553a3fc3d72931c4c4111d3e2722c76eaa5e730875682c7836334c414e5d7138ae73615024e51bae00f70049b0d0f4fbb0060

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
512KB

MD5
57910c14723fddfede140c7659d1a7e9

SHA1
df7714689dbccd45154aae349b8d8fd050569b13

SHA256
71e6b03547854995f035b56243f225629df1ebe41dcf520119b82453e5653705

SHA512
ca4a49b71cbf143a1c773be3db117490f4a4313ebe03a173f724891eb33e80d917d5458d6a36c1dde77e63e33dc1c00f3b54eab71dc621d39032badff67eee44

Download Submit
C:\Windows\SysWOW64\Coacbfii.exe

Filesize
512KB

MD5
860a350fbda2fb547e2c20d92bfbed19

SHA1
388e3ed00468ad4727a6c3dede61f1edc9b8ee5f

SHA256
453c54cc0945996265efcd0f7201b429650ff5fb866aaba72fd434657243f2bf

SHA512
21ade2fc366e634a92521bc0e2c212f501d0ff6badfff6a5b052e63d129542671c8a43b319cbf2a4a957bafcbaa4aa6c72c130fad7db932bc8b8b6d3c3e60241

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
512KB

MD5
f5ffa20c67cdcf58b44b2e6f6d0fe630

SHA1
2531125fb049ecbb0c575d3ea5a3f9916ec710eb

SHA256
e1258637025ded52ee040b58fcece49906f489d63f004c0e4c29ab7434af39f4

SHA512
5a76c95dd362fde7bd704dab0eadb98e40f1323404057f1a5752034169f116b50da49d98d74161180adee566ab65ef713d72f7fe2099ea74a6ebf1e69cc8af05

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
512KB

MD5
22a50d82e38f8ca4701bdc3d6b14cc01

SHA1
fdacbda68f5faedf615228b987fb2713f55dc153

SHA256
cddfe7cc9812bad7f2fe0d83e67682c867d295963804f7437b033421d3988871

SHA512
3b95fc0e68449d0d3758fe1caf43de19a86c48b533e75581b9cf8bcf4cecef8464cee1025f32d03d388c039f79add94704c4b60ea6800ab5ba455bab7b8fa303

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
512KB

MD5
437a427455f5a84e776888c7863ee884

SHA1
e56330f58842afe3a37b9b36415b85a8d6ed4afd

SHA256
68b8167853b0003d3bca6fea057361d03128a2c4899583bdb660dad95be4cedc

SHA512
28f3898c3b2ffee02ccb7146980fe43f6ab8813e4acaca4c018b3c96416a14db0a416e98dfb3f8e50a037957e849b79cf32b11a5fcd2b5915af8aceed1089765

Download Submit
C:\Windows\SysWOW64\Jefdckem.dll

Filesize
7KB

MD5
6978980f66ab78beb777f394cdcdeb6c

SHA1
5b443cfa3c6ad24339bfaffbf08be21f737745a2

SHA256
ff4c2e6085597592ddabeabafbf4e4331a5ec1050bf216ae3e62df2f246547b7

SHA512
9d5dff938e3cad99473eec7c315cb6cb23aea32b4bcc22dee4748aeb49a83a9a9dda1b4ecaba6dbdd0fa4020a31b8ef7b63c00d597562a4950a5786d593ae00a

Download Submit
C:\Windows\SysWOW64\Ldpbpgoh.exe

Filesize
512KB

MD5
d7b8ed9129fa854797e0f8c84f0aff29

SHA1
5827838a7d5195e8975dfda1c1d5490e95ac68ed

SHA256
1d467ab07aa113b3ba2eeec2d1c356d62143d6efb28275304d80bc50c99ff242

SHA512
aa48d2d4900e776fd665ebe670d06016e8412ddbc91f33af23120c704b5bb0b527d46afbfca14454e87cdc7198532c0872ad42694d0c10910282039762e9844c

Download Submit
C:\Windows\SysWOW64\Lonpma32.exe

Filesize
512KB

MD5
535f3c7f701328765e4fd37009e6b576

SHA1
3f6ec5a8157f24eadc95b4a2797a19a9f1995d72

SHA256
93d32af7aec30d053aab028ddbbf18d491ca774afc57c7f94c95cdd202b5f891

SHA512
35a1a04452d782e4137e371a22ba2397d009a55c2c260888087cdf866dbdc6f61340b014257ca1f132d482444bb3607a7ad5e561505f0988830ea420f864721a

Download Submit
C:\Windows\SysWOW64\Mfjann32.exe

Filesize
512KB

MD5
e338398a37ebe786b20f5c4ecf9b7dfe

SHA1
6b199becbd939119d0e73eae1cf0387defd16d06

SHA256
e614b373199b08f2fce91a3dcd5e1cd81282f1ddbc9e3f95211771595958ed82

SHA512
09308c3470ff6c71bbef80890eca0285a3ed70798194c982dbb2d6cf716ce9955e0196179b59be093365c49402a17e98ac39373f43d348b914cfcdc9f7fa6bdc

Download Submit
C:\Windows\SysWOW64\Nlefhcnc.exe

Filesize
512KB

MD5
42f635d23f08ff9b506fc978e843f51b

SHA1
3537dbffe4a4f77115b92321bdfb3395ea5de2ce

SHA256
d1aa6a082892da5abdcabf6d0cd004b916f0daab6f39cbdeed9df221502b87cf

SHA512
86903ef68e1e665cbd23987c310ece0978ce1e595be90b84a51c3d70b3027ab0057779bbedb4b149091d3837de940bd6157c13e21b5f4ded77b9d2e0617e307e

Download Submit
C:\Windows\SysWOW64\Obmnna32.exe

Filesize
512KB

MD5
a1f8bff257f663070b684f4f5bf627d4

SHA1
9392d9fa8631dd4b3510fa846477345e3ac79d8a

SHA256
df15e1411ea12e4f30e337bbc4b739215b2be047079614436b7b5dbd919f2256

SHA512
ace44c14dd84886d64402a8d3d51c8124c5c50493c2d8c647e4ff04f6b5f596903d94126a9acff1ee812beba116d922a2f0922eb83689032e809cc0e1f6a29d8

Download Submit
C:\Windows\SysWOW64\Offmipej.exe

Filesize
512KB

MD5
1bb16893317d8af7da921815b7e8464b

SHA1
a463997826a591a45fc178710c3e48c6f93df6e5

SHA256
dcd33c760d8e0e43e3a3ee8116a704f49e8431109f11b0dcdd348a2083ef5795

SHA512
94f38c6bcf5a02e599c8c1c25f4bde813c96d8c14a802bc0ee3be675c6631198de7ff3ad100171f398b0057f32cedbe6c051c2abc35dc282dda88ecab0367b7e

Download Submit
C:\Windows\SysWOW64\Oibmpl32.exe

Filesize
512KB

MD5
9c998e1f7b53825f20769ae80e5ae67f

SHA1
9f2fd70d7c622971420a2aa099f53ab63df241dd

SHA256
a17191989eda8a5e74b016026d5fd36d44024e456cb7eac5500a46cf210efd87

SHA512
6add5de2a42010a8743f1aad409e506c9d291718322c1f0f63a5db1a1da6263e021418e338d9f2343f6cacb33cbe4e9be71ce3e9dd932a817664aa28ed876e9c

Download Submit
C:\Windows\SysWOW64\Oiffkkbk.exe

Filesize
512KB

MD5
f24111663409d0b90ad0a47941be0490

SHA1
d09bc7efe204ff65b640673afef2b5a7a2213508

SHA256
f810d1b08f0496436020508c84b1a9acbbaba923478dde17c52cc3c80f0715f4

SHA512
78b1c5064f342333405192a9a416e7b14d38254ba8a92a842d712bb1bee9455d12c3f2a54d8739f268dbe7ac96527bcb32e2e337bc7174dafb66f58de81db47b

Download Submit
C:\Windows\SysWOW64\Olebgfao.exe

Filesize
512KB

MD5
9325c51eb3c1a7d57604695d2f0ceb4a

SHA1
6978a14a7590b1cd39c77a48be09e1550f725c48

SHA256
d5110fa4b132f90c93a36fa84e4998ff805726a86ace2606874e072631890bdb

SHA512
f863df788bb1f71479d1498c3b8be36e9caa08b93ffa130626a4aac38483a77baafb159e4abfc347600f488adf0199b20ae650254a070863262e0a5e3651d040

Download Submit
C:\Windows\SysWOW64\Olpilg32.exe

Filesize
512KB

MD5
a21f6cfb0eff3cc9f7a3162416049d76

SHA1
c2ef1badf8111a15c70d7e01341017deccdce65d

SHA256
ed7e251a2916f322f4712a543c2e9ea8c13c96ffd9b1e1654312a7bdfb81b071

SHA512
1eab8c86e18749fb96b6138211d4c722182404d9afdd7e0cfa64e0a98d6c4cad0829720c353538077df9bb30bbd38af81ee2f6153c40d17ca0cd2ae831167c10

Download Submit
C:\Windows\SysWOW64\Opqoge32.exe

Filesize
512KB

MD5
5d1258845c8f1b075d3dbdcfb9db97fd

SHA1
4a11706f51303c233408323f7c8f0d7d49ae9528

SHA256
6b6b87d8e291606246323aade58b7d8f7bded2322db5d1823dc6f636f92e152c

SHA512
68daff7b7927d098617fa4b20271986dded2e05ece579911185ff065aa7344d81fc3dd6d00b8a267524fb2289761062c6f3573fc558a5b97e8582a90dd9a26ba

Download Submit
C:\Windows\SysWOW64\Pbagipfi.exe

Filesize
512KB

MD5
77807ce13369416ea50ae47900f9a1b9

SHA1
767d2537c9388b83de342b57d83bd284a6b28bfd

SHA256
61b6fb8f1f6bd6dfdd1eac63c9705cb7a42af26ae4400086cb4a6b2722bf7b70

SHA512
3a698a233d7a7957b6a43452480ba7b3d6de206f561230ab4236a092bff879b684791508d2d60dc37b02763202c762dc52d9c2d51c832b1025a6aebc85fcd327

Download Submit
C:\Windows\SysWOW64\Pcljmdmj.exe

Filesize
512KB

MD5
8995ece7f26b309e8f1709fd7c9281a3

SHA1
7c42159603f56598f528fa3b2896a2c730eaaacb

SHA256
2b8f2829557b6356669f23dd064be8d5fdbcd1807ec45b1facea4fc5e60e3397

SHA512
650903d13464f757b25264d163a15a715014d5325f43d3947f80ef2efe7992cdfc577b6edd1aaefec3208c50d5ab7f097e68ffa24c7895b262b1f1e942783070

Download Submit
C:\Windows\SysWOW64\Pdjjag32.exe

Filesize
512KB

MD5
e481414f7963b67b8be320791644e720

SHA1
6797164d893eab7cd6202561fa9ede7480eee53d

SHA256
14b512b04c7cbb397fe9898b87a193260030433ec3faf5abe2fc49f3f2a28206

SHA512
a4bd3c7c51e9b8e45c647001197ef9595754e685aa771c13a0642a0d0e1efd53027146746f715db07fc4d8d23cfc693bd125ea58203613e6167e6381d80f603e

Download Submit
C:\Windows\SysWOW64\Pebpkk32.exe

Filesize
512KB

MD5
58a133d09589cb284350e8d05b95c2ec

SHA1
1f879503163bf96e7309fce6d8d0162b05cbb572

SHA256
2a54b2ac92f825be8f88f400d1cd6e20181f0b368759ca713aadea5ed9f1e4e3

SHA512
327efba9fbaeedfe047312439b6522efc80b1f9bc729d9aea581ab953d614a7435fa16edcd54626691979930e351b1f921c1bfd362c64d38099b768f9711c873

Download Submit
C:\Windows\SysWOW64\Pepcelel.exe

Filesize
512KB

MD5
6d2493a2418032930ad64b8424726298

SHA1
ee0fdaba7e1fb9b8d21e747cbf5ca33e69dee032

SHA256
eaabb14eb19839b8dd535f0c01358551b641fd1bb19c7748be8fd8e0e952f6e6

SHA512
8107406441dca98e10550d15f7a9d88c69a10aeee4e55fedd75bf2e402d64aa40761257db449670b1b2bb96644488029d0d47d282fd9f9bc4bc3bb2a3ca59365

Download Submit
C:\Windows\SysWOW64\Phcilf32.exe

Filesize
512KB

MD5
040a0498099aa9f5b470d72a00df24e5

SHA1
4263d0a5b93dc254030ce71d5e0c48a7ae6f2bda

SHA256
f1cac97ada879b4964903864f47394ab08d2101f65d941143db6deadf7cb5458

SHA512
6840b17b54027fa02e9a507ff361bb4dcdf230972bc4f55da14aeaedf99ce7fc6be1e0acfb52ad3ee63a2689de505e50123ee29add33222f0661aefcf684f986

Download Submit
C:\Windows\SysWOW64\Pmkhjncg.exe

Filesize
512KB

MD5
6f5d5468c6a457acbae30bc3822f78c5

SHA1
9d711e1f669d1699f8a471a26071850985d7ba6d

SHA256
ee0305e96af8d4a8f954f37e2623ac3d5ad978f4dd84ec578bc85ae4da122353

SHA512
4b19346152efebbdfaa810b71b90c17b68c7d9b33458cdba734d763e6a81a1640ec44ebd239ddb20dc7849a42adc191f216eed1f44e2dd4490c64b37941f7c37

Download Submit
C:\Windows\SysWOW64\Pplaki32.exe

Filesize
512KB

MD5
f993e0f988d38f8fdd087b0153da6033

SHA1
1f9efeb22f26055f912b841f6714fc99d601e36a

SHA256
d71d9f28d7912b473c22808b429c4b45ddf0fed80a3ebb7569abefce308c80f3

SHA512
084272a60efc2b90293b8cd704e746cad1d503356e2e2f611a4ccef70726ae54961c1d9a4d4e34181a2bb90516fdb715b78a7eb5987be2c5d6758759e6375879

Download Submit
C:\Windows\SysWOW64\Qdlggg32.exe

Filesize
512KB

MD5
03c1edfa7885d71e062631aa45e5ff8d

SHA1
7523b6afb6a9445a955cfc25b0460f093214c9fe

SHA256
4a95f9772c5e3c1a63bd14978f38e8525e7d8b315c77e8559c2aef6604c7739d

SHA512
a884511a8a46d231cc65e205330b08b17227cb1f7b6b501fccd64679622ffe6a89da14b70047d9a87a8c0e27a1bd2b123e218ab8211af09da07d52c7a6414ac9

Download Submit
C:\Windows\SysWOW64\Qgjccb32.exe

Filesize
512KB

MD5
f4e3f659c30bc99a7b80029382ee6549

SHA1
9b52634b96341976432efe8ed12ce1d1c19c63b2

SHA256
1903950c784497d09e1457fadfa2e743dc09a4a69e182e7c71bf4dddeceb763f

SHA512
575ac7c34c9586f502d99f78e7c4c51e000ddf36993f392854ce6609830912c95c376c3f77897be18283e0d331135817a2daadec1f6f5503aff09a7e1163ac39

Download Submit
C:\Windows\SysWOW64\Qgmpibam.exe

Filesize
512KB

MD5
f1531f90f6a8da87470d0a8d8c858a9a

SHA1
77db01ccfed5991ae7f274de5585cabe8399fac0

SHA256
a277850d61af9326437b0460ddbce000250e2ce282b3c6c52c13324304fcb4a1

SHA512
8b4be627a96f5f402c7e365e9a12cc9edf57fcbb77d0493168105aa8d35e857eabadc3261fa8a1f884ce755a1cdb86bb03d13ccc696294f35fc73c89f55d2435

Download Submit
C:\Windows\SysWOW64\Qlgkki32.exe

Filesize
512KB

MD5
f6a17d6a6b085ef00582d2061c276706

SHA1
ccad5b6d1ce60c74351fb9dee85575a1fb98b167

SHA256
3d840ac2019700ea7a2691976b0ae051642de048b37331c66436adf7958c1ab7

SHA512
0c626a72411616b40b570c22bd2a98b5153e6c1a77285a8ffee78ebd05056a27e3a8feae8e3fe34aaa3c75cbf65adc89bfd6cb47e465aad1c534c2866e0e73c8

Download Submit
\Windows\SysWOW64\Kcecbq32.exe

Filesize
512KB

MD5
d804d31791f1d2b27485e07d93d996f8

SHA1
3db4b9ac7605533b83fee417758d964784a978a7

SHA256
cc1c0b67cda16aa5dcf61c961cde5a9ae67494398ab786eaf2de3542356d6768

SHA512
16d611a450d140c01352b64deb8b2eba401c5364c7302a94457fe9f2ce44be435cb7b4803caee8ff6bbebd19fec66530843460c1d4b3ac17cb9c1b6cd3632b72

Download Submit
\Windows\SysWOW64\Kffldlne.exe

Filesize
512KB

MD5
2405db6b278544bba9d4b186fe9cda08

SHA1
264204b45d9ac8c6668ce66d726f4be3fbda01b9

SHA256
dcf066f6f3d7aca856b6bbf7cf4cf71ba9681a2a07849032612f5b638a31cccf

SHA512
26e496b582e756070bc5db9e272a22bc30c1537207a855aacf0d0c36d6f0a4b88fb0adfbf16378664388794b206fb053e6025c53169a36714325265743e47e50

Download Submit
\Windows\SysWOW64\Lhpglecl.exe

Filesize
512KB

MD5
71c04f9cb7c1763673a9b6effd58cf62

SHA1
8233e0c43a6684450afcaa8635918d7db07925b2

SHA256
cfec29854c5866be668a9672c0558d40c226cbd0658fdc8cffe68a7fecfa9104

SHA512
e5760a87a4157704cdc9aab05d1327709f3b2b3e62442760a0e3808c99e53ab201c6263518e65d2e057a2543eaa2eccd331c45541a3e276ae00cc01f04a445b4

Download Submit
\Windows\SysWOW64\Lldmleam.exe

Filesize
512KB

MD5
35c5b9f5e0219067d1f159244e89dea4

SHA1
de31d6cc0f7bd27e02ffe342f9699e86e4c4131d

SHA256
fec4a28dd55f6b1df15eac809a810e43acae598406dfa56311e2001072f4069b

SHA512
60c88e6c484359f1abcaae6330db6bd2ba79fab76d58c447feb324099c3206275100cad375297af1a7072ebc1b8f8610277f51c332910b7ac3a4f2525cd9da33

Download Submit
\Windows\SysWOW64\Lohccp32.exe

Filesize
512KB

MD5
0d3e9275239a4f1ac93f25a90d80956f

SHA1
33a90683724e81616806cc3c9fa4cbf0458ceb19

SHA256
76bb4025245f53970eec9a03cdcb6680c7554c1022267e69e569c30e8bb7fc4d

SHA512
4c2665069efb4a8c4feacd7377893b877f5d4121d893cadf5f7ff592519eaa551f55a003005e68aaedc0826fdd45c6ad7f39a46f7316bc8e44499ea5fcc1b654

Download Submit
\Windows\SysWOW64\Mfokinhf.exe

Filesize
512KB

MD5
28a84b6ff8b564cf2dc2fc9f34d67645

SHA1
80aa110653029f16cea434095b43e8a33bece619

SHA256
5f53437823fb3147cce481a1cd5e72d54f86ceeca5c4bf02a6e2bf64368e34ab

SHA512
c13d12828ce424fefaa0c45d7ba04ef355d8e5729ea4a4fd2d8e7cc99b78dca834fd085cb1ae9381dfd4aff2cfd61864e7d24520d50f4191ca838f0e660ae025

Download Submit
\Windows\SysWOW64\Mqnifg32.exe

Filesize
512KB

MD5
2357fcd9d3510e4722430806a4472b87

SHA1
fc79d6883f52031a8a123eb4ea069e3be83185d7

SHA256
46f75f63076bf9922ed8363a0c5ad2754d66d64ef883c98b63ed1050686d6568

SHA512
9a6aea5575fc625b29dd1cadd5b802709d7da39a12753e55567ec342fa47e630c97b271f805149a080d384a8c9368de06dae741f32249f0d789598a5142abf15

Download Submit
\Windows\SysWOW64\Mqpflg32.exe

Filesize
512KB

MD5
5d7a94f16fa6595dc8ddf3b2f33063e6

SHA1
1eb591a55fb81eb8101913de166fe6764b5e2718

SHA256
b20b7abd81a20a9c0d925850366d98dc821a0ee5e4f6c04a37716d02275d2dac

SHA512
e9c551da491d24564eacca64fd4b2b708e9f7d200968604abe40f760de6d22234f61e3db811ea47c0313630cdfef10a7fd041eb6e05a82b93921132dee832d67

Download Submit
\Windows\SysWOW64\Nefdpjkl.exe

Filesize
512KB

MD5
42dbbec012251c4e84d3e25f5a7c3a2d

SHA1
8411d25b938e1ea07a8647aaedff6c5e1a6d4516

SHA256
4b2e88b115cf2d4e187d670873b0fad27a0bc6c5805175ec1e763980bb58bd14

SHA512
baba79d7a68c8445eb8a6e1b8f66c31be88a4ae5649f56aa7b389d1340e164fe3905215af3df8ed46296f7d6988d7beef3a416bb68fb3b7d20f5f5f20599de79

Download Submit
\Windows\SysWOW64\Neknki32.exe

Filesize
512KB

MD5
3bd1f0d44c90e9103ad9d0cf54b122ea

SHA1
299f071cfa303ae81d26809282a157519b198080

SHA256
dcf1ec888f16e2b677269aae0dc42c0a4fd1e3af22eab8c4320a855c6eb63b24

SHA512
aed319886583f37a6b5a4b3126cde2b59daa69a12604ae53d506183cfc2364c29585f4a73dd1b5063b94fa0192afec2eb47c17bba2cb05409f10d236e5ae1197

Download Submit
\Windows\SysWOW64\Nlnpgd32.exe

Filesize
512KB

MD5
abe7f2a8cc35786f44385949c2446ae9

SHA1
dd4eb63d75bd96c8f917c598909bfed930df9083

SHA256
5e7aa1ae0e35c27b44e6b186376e9669044b460af87238bc4e763163d2b50f47

SHA512
31b353fd714839bbbee05aef2b7eb413569b08436d9b0ec5cdd1f7ce2d956b03e5d22c762e851fab2fc99d41fe72754346fadf7b21513c7d2612c886c927fe2b

Download Submit
\Windows\SysWOW64\Oippjl32.exe

Filesize
512KB

MD5
d74bfe72252463f32e8c7e78b5a447f1

SHA1
7844a78a948757fe41a07713463c995c2f8bae2a

SHA256
cbc7ad3661cc8931176337ad106ec5d819e270792a56807d1fe70efb5bd163db

SHA512
bb1ac76b29ff6cbe6654fcf83ef02c2507b3795f53fd2453e3d5f3fd8560377df55ac2673635bc8a29409ded81c814c48589889bcc604d3dc4821c1e18ce014b

Download Submit
memory/288-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/288-41-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/300-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/540-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/540-353-0x00000000004B0000-0x00000000004E4000-memory.dmp

Filesize
208KB

Download
memory/632-941-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/640-236-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/640-226-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/888-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/888-307-0x0000000000360000-0x0000000000394000-memory.dmp

Filesize
208KB

Download
memory/924-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/924-254-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/996-340-0x0000000000480000-0x00000000004B4000-memory.dmp

Filesize
208KB

Download
memory/996-339-0x0000000000480000-0x00000000004B4000-memory.dmp

Filesize
208KB

Download
memory/996-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1040-211-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1040-203-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1356-196-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1356-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1400-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1400-437-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1464-267-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1464-258-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1496-942-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1556-178-0x0000000000480000-0x00000000004B4000-memory.dmp

Filesize
208KB

Download
memory/1556-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-936-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1716-451-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1716-462-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1732-939-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-84-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-92-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1792-467-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1868-951-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1888-956-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2040-948-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2128-296-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2128-297-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2128-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2132-318-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2132-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2132-314-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2180-427-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-49-0x0000000000340000-0x0000000000374000-memory.dmp

Filesize
208KB

Download
memory/2180-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-12-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2236-395-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2236-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-13-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2244-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-168-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2268-155-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2268-154-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-136-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2280-950-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-935-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2372-361-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2372-360-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2372-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2384-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2496-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2496-117-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2496-105-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2508-393-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2508-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2520-937-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2536-407-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2536-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-946-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2568-329-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2568-328-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2568-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-383-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2592-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-379-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2628-938-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-69-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/2708-438-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-446-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/2708-445-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/2708-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2712-371-0x0000000000320000-0x0000000000354000-memory.dmp

Filesize
208KB

Download
memory/2712-373-0x0000000000320000-0x0000000000354000-memory.dmp

Filesize
208KB

Download
memory/2712-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-940-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-118-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-126-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2744-127-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2776-26-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2776-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-413-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2776-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-457-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2848-70-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-77-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2848-447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-934-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-982-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2940-417-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2940-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2968-944-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2980-286-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2980-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-225-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3024-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3032-247-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/3032-243-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/3032-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3056-949-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads