berbew | 7762945a5268e34b2ee1c064410da4359b7be563ad45c23ea2defecee2049a9a

Analysis

max time kernel
26s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/10/2024, 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7762945a5268e34b2ee1c064410da4359b7be563ad45c23ea2defecee2049a9aN.exe
Size

80KB
MD5

77fb6399a5ab79be37f9093b6543b7e0
SHA1

3505aeeaca402ded331019553f229e473f7a4084
SHA256

7762945a5268e34b2ee1c064410da4359b7be563ad45c23ea2defecee2049a9a
SHA512

0194d573c5b355ee85dcff3039dc02ea24d5785f51c8dbb8cf4b94d04bc81a7ed709ca107a8f695c91d7a2d86a6f2973e287582b13fbac99f29e9323d056c572
SSDEEP

1536:XBGIiLs13UadwGFkDaIQjO8qqeTDg2LOS5DUHRbPa9b6i+sIk:gIiLs1Ea5kDgdqPDROS5DSCopsIk

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clmbddgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clmbddgp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oappcfmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdanpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oopfakpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Picnndmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbnoliap.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	7762945a5268e34b2ee1c064410da4359b7be563ad45c23ea2defecee2049a9aN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfbelipa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blkioa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijpnfif.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piekcd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agdjkogm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkglameg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohendqhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abeemhkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdaheq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmojocel.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgoapp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Behgcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqhijbog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbnoliap.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdlkiepd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oappcfmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqhijbog.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfpnmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balkchpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkfceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfbelipa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blkioa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdlkiepd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bonoflae.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2596	Ohendqhd.exe
3048	Oopfakpa.exe
2700	Ogkkfmml.exe
2664	Oappcfmb.exe
536	Ocalkn32.exe
956	Pkidlk32.exe
2084	Pjldghjm.exe
1228	Pdaheq32.exe
2932	Pfbelipa.exe
468	Pmlmic32.exe
2908	Pqhijbog.exe
2768	Pgbafl32.exe
1064	Picnndmb.exe
2008	Pmojocel.exe
2032	Pomfkndo.exe
1108	Pfgngh32.exe
408	Piekcd32.exe
1284	Poocpnbm.exe
1724	Pbnoliap.exe
1908	Pdlkiepd.exe
1292	Pkfceo32.exe
2800	Qflhbhgg.exe
1964	Qkhpkoen.exe
1640	Qodlkm32.exe
2824	Qiladcdh.exe
2856	Qgoapp32.exe
2616	Abeemhkh.exe
2764	Aecaidjl.exe
1984	Akmjfn32.exe
380	Ajpjakhc.exe
1492	Aajbne32.exe
2088	Agdjkogm.exe
1680	Ackkppma.exe
2968	Agfgqo32.exe
2868	Ajecmj32.exe
2352	Apalea32.exe
1160	Abphal32.exe
1612	Aijpnfif.exe
1980	Amelne32.exe
2648	Apdhjq32.exe
2324	Aeqabgoj.exe
1148	Blkioa32.exe
1944	Bnielm32.exe
1912	Bfpnmj32.exe
2380	Becnhgmg.exe
1124	Blmfea32.exe
2848	Bphbeplm.exe
1428	Bbgnak32.exe
2788	Bajomhbl.exe
2720	Beejng32.exe
2336	Biafnecn.exe
2256	Bhdgjb32.exe
800	Bjbcfn32.exe
2140	Bonoflae.exe
400	Bbikgk32.exe
3044	Balkchpi.exe
2240	Behgcf32.exe
2156	Bhfcpb32.exe
2496	Blaopqpo.exe
2168	Bjdplm32.exe
844	Boplllob.exe
2400	Bejdiffp.exe
1308	Bdmddc32.exe
2164	Bfkpqn32.exe

Loads dropped DLL 64 IoCs

pid	Process
2884	7762945a5268e34b2ee1c064410da4359b7be563ad45c23ea2defecee2049a9aN.exe
2884	7762945a5268e34b2ee1c064410da4359b7be563ad45c23ea2defecee2049a9aN.exe
2596	Ohendqhd.exe
2596	Ohendqhd.exe
3048	Oopfakpa.exe
3048	Oopfakpa.exe
2700	Ogkkfmml.exe
2700	Ogkkfmml.exe
2664	Oappcfmb.exe
2664	Oappcfmb.exe
536	Ocalkn32.exe
536	Ocalkn32.exe
956	Pkidlk32.exe
956	Pkidlk32.exe
2084	Pjldghjm.exe
2084	Pjldghjm.exe
1228	Pdaheq32.exe
1228	Pdaheq32.exe
2932	Pfbelipa.exe
2932	Pfbelipa.exe
468	Pmlmic32.exe
468	Pmlmic32.exe
2908	Pqhijbog.exe
2908	Pqhijbog.exe
2768	Pgbafl32.exe
2768	Pgbafl32.exe
1064	Picnndmb.exe
1064	Picnndmb.exe
2008	Pmojocel.exe
2008	Pmojocel.exe
2032	Pomfkndo.exe
2032	Pomfkndo.exe
1108	Pfgngh32.exe
1108	Pfgngh32.exe
408	Piekcd32.exe
408	Piekcd32.exe
1284	Poocpnbm.exe
1284	Poocpnbm.exe
1724	Pbnoliap.exe
1724	Pbnoliap.exe
1908	Pdlkiepd.exe
1908	Pdlkiepd.exe
1292	Pkfceo32.exe
1292	Pkfceo32.exe
2800	Qflhbhgg.exe
2800	Qflhbhgg.exe
1964	Qkhpkoen.exe
1964	Qkhpkoen.exe
1640	Qodlkm32.exe
1640	Qodlkm32.exe
2824	Qiladcdh.exe
2824	Qiladcdh.exe
2856	Qgoapp32.exe
2856	Qgoapp32.exe
2616	Abeemhkh.exe
2616	Abeemhkh.exe
2764	Aecaidjl.exe
2764	Aecaidjl.exe
1984	Akmjfn32.exe
1984	Akmjfn32.exe
380	Ajpjakhc.exe
380	Ajpjakhc.exe
1492	Aajbne32.exe
1492	Aajbne32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Eelloqic.dll	Cinfhigl.exe
File opened for modification	C:\Windows\SysWOW64\Piekcd32.exe	Pfgngh32.exe
File created	C:\Windows\SysWOW64\Hkhfgj32.dll	Akmjfn32.exe
File opened for modification	C:\Windows\SysWOW64\Ajecmj32.exe	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Mdqfkmom.dll	Bfkpqn32.exe
File opened for modification	C:\Windows\SysWOW64\Cpceidcn.exe	Baadng32.exe
File created	C:\Windows\SysWOW64\Hgpmbc32.dll	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Pkidlk32.exe	Ocalkn32.exe
File opened for modification	C:\Windows\SysWOW64\Pjldghjm.exe	Pkidlk32.exe
File created	C:\Windows\SysWOW64\Ebjnie32.dll	Aijpnfif.exe
File created	C:\Windows\SysWOW64\Poocpnbm.exe	Piekcd32.exe
File opened for modification	C:\Windows\SysWOW64\Qiladcdh.exe	Qodlkm32.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cbgjqo32.exe
File created	C:\Windows\SysWOW64\Aaapnkij.dll	7762945a5268e34b2ee1c064410da4359b7be563ad45c23ea2defecee2049a9aN.exe
File created	C:\Windows\SysWOW64\Ocalkn32.exe	Oappcfmb.exe
File opened for modification	C:\Windows\SysWOW64\Ocalkn32.exe	Oappcfmb.exe
File opened for modification	C:\Windows\SysWOW64\Aajbne32.exe	Ajpjakhc.exe
File opened for modification	C:\Windows\SysWOW64\Bajomhbl.exe	Bbgnak32.exe
File opened for modification	C:\Windows\SysWOW64\Balkchpi.exe	Bbikgk32.exe
File opened for modification	C:\Windows\SysWOW64\Bjdplm32.exe	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Llaemaih.dll	Clmbddgp.exe
File created	C:\Windows\SysWOW64\Pdlkiepd.exe	Pbnoliap.exe
File created	C:\Windows\SysWOW64\Oappcfmb.exe	Ogkkfmml.exe
File created	C:\Windows\SysWOW64\Adagkoae.dll	Picnndmb.exe
File opened for modification	C:\Windows\SysWOW64\Bfpnmj32.exe	Bnielm32.exe
File created	C:\Windows\SysWOW64\Pdiadenf.dll	Bfpnmj32.exe
File opened for modification	C:\Windows\SysWOW64\Blmfea32.exe	Becnhgmg.exe
File created	C:\Windows\SysWOW64\Eoqbnm32.dll	Bajomhbl.exe
File opened for modification	C:\Windows\SysWOW64\Qflhbhgg.exe	Pkfceo32.exe
File created	C:\Windows\SysWOW64\Qgoapp32.exe	Qiladcdh.exe
File created	C:\Windows\SysWOW64\Apalea32.exe	Ajecmj32.exe
File created	C:\Windows\SysWOW64\Jhgkeald.dll	Bnielm32.exe
File created	C:\Windows\SysWOW64\Bkglameg.exe	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Gnnffg32.dll	Cilibi32.exe
File created	C:\Windows\SysWOW64\Abphal32.exe	Apalea32.exe
File created	C:\Windows\SysWOW64\Hocjoqin.dll	Bbikgk32.exe
File opened for modification	C:\Windows\SysWOW64\Blaopqpo.exe	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Kgfkcnlb.dll	Cpceidcn.exe
File opened for modification	C:\Windows\SysWOW64\Pkidlk32.exe	Ocalkn32.exe
File created	C:\Windows\SysWOW64\Blkahecm.dll	Pbnoliap.exe
File created	C:\Windows\SysWOW64\Ajecmj32.exe	Agfgqo32.exe
File opened for modification	C:\Windows\SysWOW64\Becnhgmg.exe	Bfpnmj32.exe
File created	C:\Windows\SysWOW64\Bjbcfn32.exe	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Cjnolikh.dll	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Pgbafl32.exe	Pqhijbog.exe
File created	C:\Windows\SysWOW64\Pfgngh32.exe	Pomfkndo.exe
File created	C:\Windows\SysWOW64\Emfmdo32.dll	Abeemhkh.exe
File created	C:\Windows\SysWOW64\Bjpdmqog.dll	Chkmkacq.exe
File created	C:\Windows\SysWOW64\Oopfakpa.exe	Ohendqhd.exe
File created	C:\Windows\SysWOW64\Lnhbfpnj.dll	Pkidlk32.exe
File opened for modification	C:\Windows\SysWOW64\Pgbafl32.exe	Pqhijbog.exe
File created	C:\Windows\SysWOW64\Jjmoilnn.dll	Pgbafl32.exe
File created	C:\Windows\SysWOW64\Icmqhn32.dll	Qgoapp32.exe
File created	C:\Windows\SysWOW64\Pqfjpj32.dll	Apdhjq32.exe
File created	C:\Windows\SysWOW64\Bphbeplm.exe	Blmfea32.exe
File created	C:\Windows\SysWOW64\Bbikgk32.exe	Bonoflae.exe
File created	C:\Windows\SysWOW64\Cpceidcn.exe	Baadng32.exe
File opened for modification	C:\Windows\SysWOW64\Oappcfmb.exe	Ogkkfmml.exe
File created	C:\Windows\SysWOW64\Hnablp32.dll	Pomfkndo.exe
File created	C:\Windows\SysWOW64\Fpbche32.dll	Qodlkm32.exe
File opened for modification	C:\Windows\SysWOW64\Ackkppma.exe	Agdjkogm.exe
File created	C:\Windows\SysWOW64\Bhfcpb32.exe	Behgcf32.exe
File created	C:\Windows\SysWOW64\Imogmg32.dll	Piekcd32.exe
File created	C:\Windows\SysWOW64\Ackkppma.exe	Agdjkogm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2052	552	WerFault.exe	105

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkmkacq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pomfkndo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdlkiepd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ackkppma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphbeplm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdgjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poocpnbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodlkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaopqpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiladcdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aecaidjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhfcpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oopfakpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjldghjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abphal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijpnfif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blmfea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdaheq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amelne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgechbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinfhigl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qflhbhgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajecmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkpqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clmbddgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkidlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piekcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkhpkoen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abeemhkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgbafl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Becnhgmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbgnak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beejng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkkfmml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmojocel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfgngh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbnoliap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajbne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdanpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkfceo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apdhjq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfpnmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bonoflae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpceidcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akmjfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeqabgoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7762945a5268e34b2ee1c064410da4359b7be563ad45c23ea2defecee2049a9aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohendqhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oappcfmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocalkn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqhijbog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgoapp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajomhbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oopfakpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjldghjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plnfdigq.dll"	Pkfceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbappj32.dll"	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faflglmh.dll"	Ocalkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajpjakhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biafnecn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bonoflae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfbelipa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfobiqka.dll"	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adagkoae.dll"	Picnndmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhiphb32.dll"	Qflhbhgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clmbddgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oappcfmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfpnmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdiadenf.dll"	Bfpnmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignpade.dll"	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boplllob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	7762945a5268e34b2ee1c064410da4359b7be563ad45c23ea2defecee2049a9aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mblnbcjf.dll"	Cdanpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfbelipa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aincgi32.dll"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgfkcnlb.dll"	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbodgd32.dll"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdaheq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emfmdo32.dll"	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmlmic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blkioa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Napoohch.dll"	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcpdacl.dll"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	7762945a5268e34b2ee1c064410da4359b7be563ad45c23ea2defecee2049a9aN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogkkfmml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocalkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oappcfmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Poocpnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icmqhn32.dll"	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogkkfmml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbnoliap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amelne32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2596	2884	7762945a5268e34b2ee1c064410da4359b7be563ad45c23ea2defecee2049a9aN.exe	30
PID 2884 wrote to memory of 2596	2884	7762945a5268e34b2ee1c064410da4359b7be563ad45c23ea2defecee2049a9aN.exe	30
PID 2884 wrote to memory of 2596	2884	7762945a5268e34b2ee1c064410da4359b7be563ad45c23ea2defecee2049a9aN.exe	30
PID 2884 wrote to memory of 2596	2884	7762945a5268e34b2ee1c064410da4359b7be563ad45c23ea2defecee2049a9aN.exe	30
PID 2596 wrote to memory of 3048	2596	Ohendqhd.exe	31
PID 2596 wrote to memory of 3048	2596	Ohendqhd.exe	31
PID 2596 wrote to memory of 3048	2596	Ohendqhd.exe	31
PID 2596 wrote to memory of 3048	2596	Ohendqhd.exe	31
PID 3048 wrote to memory of 2700	3048	Oopfakpa.exe	32
PID 3048 wrote to memory of 2700	3048	Oopfakpa.exe	32
PID 3048 wrote to memory of 2700	3048	Oopfakpa.exe	32
PID 3048 wrote to memory of 2700	3048	Oopfakpa.exe	32
PID 2700 wrote to memory of 2664	2700	Ogkkfmml.exe	33
PID 2700 wrote to memory of 2664	2700	Ogkkfmml.exe	33
PID 2700 wrote to memory of 2664	2700	Ogkkfmml.exe	33
PID 2700 wrote to memory of 2664	2700	Ogkkfmml.exe	33
PID 2664 wrote to memory of 536	2664	Oappcfmb.exe	34
PID 2664 wrote to memory of 536	2664	Oappcfmb.exe	34
PID 2664 wrote to memory of 536	2664	Oappcfmb.exe	34
PID 2664 wrote to memory of 536	2664	Oappcfmb.exe	34
PID 536 wrote to memory of 956	536	Ocalkn32.exe	35
PID 536 wrote to memory of 956	536	Ocalkn32.exe	35
PID 536 wrote to memory of 956	536	Ocalkn32.exe	35
PID 536 wrote to memory of 956	536	Ocalkn32.exe	35
PID 956 wrote to memory of 2084	956	Pkidlk32.exe	36
PID 956 wrote to memory of 2084	956	Pkidlk32.exe	36
PID 956 wrote to memory of 2084	956	Pkidlk32.exe	36
PID 956 wrote to memory of 2084	956	Pkidlk32.exe	36
PID 2084 wrote to memory of 1228	2084	Pjldghjm.exe	37
PID 2084 wrote to memory of 1228	2084	Pjldghjm.exe	37
PID 2084 wrote to memory of 1228	2084	Pjldghjm.exe	37
PID 2084 wrote to memory of 1228	2084	Pjldghjm.exe	37
PID 1228 wrote to memory of 2932	1228	Pdaheq32.exe	38
PID 1228 wrote to memory of 2932	1228	Pdaheq32.exe	38
PID 1228 wrote to memory of 2932	1228	Pdaheq32.exe	38
PID 1228 wrote to memory of 2932	1228	Pdaheq32.exe	38
PID 2932 wrote to memory of 468	2932	Pfbelipa.exe	39
PID 2932 wrote to memory of 468	2932	Pfbelipa.exe	39
PID 2932 wrote to memory of 468	2932	Pfbelipa.exe	39
PID 2932 wrote to memory of 468	2932	Pfbelipa.exe	39
PID 468 wrote to memory of 2908	468	Pmlmic32.exe	40
PID 468 wrote to memory of 2908	468	Pmlmic32.exe	40
PID 468 wrote to memory of 2908	468	Pmlmic32.exe	40
PID 468 wrote to memory of 2908	468	Pmlmic32.exe	40
PID 2908 wrote to memory of 2768	2908	Pqhijbog.exe	41
PID 2908 wrote to memory of 2768	2908	Pqhijbog.exe	41
PID 2908 wrote to memory of 2768	2908	Pqhijbog.exe	41
PID 2908 wrote to memory of 2768	2908	Pqhijbog.exe	41
PID 2768 wrote to memory of 1064	2768	Pgbafl32.exe	42
PID 2768 wrote to memory of 1064	2768	Pgbafl32.exe	42
PID 2768 wrote to memory of 1064	2768	Pgbafl32.exe	42
PID 2768 wrote to memory of 1064	2768	Pgbafl32.exe	42
PID 1064 wrote to memory of 2008	1064	Picnndmb.exe	43
PID 1064 wrote to memory of 2008	1064	Picnndmb.exe	43
PID 1064 wrote to memory of 2008	1064	Picnndmb.exe	43
PID 1064 wrote to memory of 2008	1064	Picnndmb.exe	43
PID 2008 wrote to memory of 2032	2008	Pmojocel.exe	44
PID 2008 wrote to memory of 2032	2008	Pmojocel.exe	44
PID 2008 wrote to memory of 2032	2008	Pmojocel.exe	44
PID 2008 wrote to memory of 2032	2008	Pmojocel.exe	44
PID 2032 wrote to memory of 1108	2032	Pomfkndo.exe	45
PID 2032 wrote to memory of 1108	2032	Pomfkndo.exe	45
PID 2032 wrote to memory of 1108	2032	Pomfkndo.exe	45
PID 2032 wrote to memory of 1108	2032	Pomfkndo.exe	45

C:\Users\Admin\AppData\Local\Temp\7762945a5268e34b2ee1c064410da4359b7be563ad45c23ea2defecee2049a9aN.exe
"C:\Users\Admin\AppData\Local\Temp\7762945a5268e34b2ee1c064410da4359b7be563ad45c23ea2defecee2049a9aN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\Ohendqhd.exe
  C:\Windows\system32\Ohendqhd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\SysWOW64\Oopfakpa.exe
    C:\Windows\system32\Oopfakpa.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\SysWOW64\Ogkkfmml.exe
      C:\Windows\system32\Ogkkfmml.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\SysWOW64\Oappcfmb.exe
        
        C:\Windows\system32\Oappcfmb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Windows\SysWOW64\Ocalkn32.exe
        
        C:\Windows\system32\Ocalkn32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Pkidlk32.exe
        
        C:\Windows\system32\Pkidlk32.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SysWOW64\Pjldghjm.exe
        
        C:\Windows\system32\Pjldghjm.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Pdaheq32.exe
        
        C:\Windows\system32\Pdaheq32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\Pfbelipa.exe
        
        C:\Windows\system32\Pfbelipa.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Pmlmic32.exe
        
        C:\Windows\system32\Pmlmic32.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Pqhijbog.exe
        
        C:\Windows\system32\Pqhijbog.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Pgbafl32.exe
        
        C:\Windows\system32\Pgbafl32.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Picnndmb.exe
        
        C:\Windows\system32\Picnndmb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Pmojocel.exe
        
        C:\Windows\system32\Pmojocel.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Pomfkndo.exe
        
        C:\Windows\system32\Pomfkndo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Pfgngh32.exe
        
        C:\Windows\system32\Pfgngh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Windows\SysWOW64\Piekcd32.exe
        
        C:\Windows\system32\Piekcd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Poocpnbm.exe
        
        C:\Windows\system32\Poocpnbm.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Pbnoliap.exe
        
        C:\Windows\system32\Pbnoliap.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Pdlkiepd.exe
        
        C:\Windows\system32\Pdlkiepd.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\Pkfceo32.exe
        
        C:\Windows\system32\Pkfceo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Qflhbhgg.exe
        
        C:\Windows\system32\Qflhbhgg.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Qkhpkoen.exe
        
        C:\Windows\system32\Qkhpkoen.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\Qodlkm32.exe
        
        C:\Windows\system32\Qodlkm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\Qiladcdh.exe
        
        C:\Windows\system32\Qiladcdh.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\Qgoapp32.exe
        
        C:\Windows\system32\Qgoapp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Abeemhkh.exe
        
        C:\Windows\system32\Abeemhkh.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Aecaidjl.exe
        
        C:\Windows\system32\Aecaidjl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Akmjfn32.exe
        
        C:\Windows\system32\Akmjfn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\Ajpjakhc.exe
        
        C:\Windows\system32\Ajpjakhc.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Aajbne32.exe
        
        C:\Windows\system32\Aajbne32.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Agdjkogm.exe
        
        C:\Windows\system32\Agdjkogm.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2088
        
        C:\Windows\SysWOW64\Ackkppma.exe
        
        C:\Windows\system32\Ackkppma.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Agfgqo32.exe
        
        C:\Windows\system32\Agfgqo32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2968
        
        C:\Windows\SysWOW64\Ajecmj32.exe
        
        C:\Windows\system32\Ajecmj32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Apalea32.exe
        
        C:\Windows\system32\Apalea32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Abphal32.exe
        
        C:\Windows\system32\Abphal32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Windows\SysWOW64\Aijpnfif.exe
        
        C:\Windows\system32\Aijpnfif.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\SysWOW64\Amelne32.exe
        
        C:\Windows\system32\Amelne32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Apdhjq32.exe
        
        C:\Windows\system32\Apdhjq32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\Aeqabgoj.exe
        
        C:\Windows\system32\Aeqabgoj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Blkioa32.exe
        
        C:\Windows\system32\Blkioa32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Bnielm32.exe
        
        C:\Windows\system32\Bnielm32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\Bfpnmj32.exe
        
        C:\Windows\system32\Bfpnmj32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Becnhgmg.exe
        
        C:\Windows\system32\Becnhgmg.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\SysWOW64\Blmfea32.exe
        
        C:\Windows\system32\Blmfea32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1124
        
        C:\Windows\SysWOW64\Bphbeplm.exe
        
        C:\Windows\system32\Bphbeplm.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\Bbgnak32.exe
        
        C:\Windows\system32\Bbgnak32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\Bajomhbl.exe
        
        C:\Windows\system32\Bajomhbl.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Beejng32.exe
        
        C:\Windows\system32\Beejng32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Bhdgjb32.exe
        
        C:\Windows\system32\Bhdgjb32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\Bjbcfn32.exe
        
        C:\Windows\system32\Bjbcfn32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:800
        
        C:\Windows\SysWOW64\Bonoflae.exe
        
        C:\Windows\system32\Bonoflae.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Windows\SysWOW64\Balkchpi.exe
        
        C:\Windows\system32\Balkchpi.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Blaopqpo.exe
        
        C:\Windows\system32\Blaopqpo.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Chkmkacq.exe
        
        C:\Windows\system32\Chkmkacq.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:476
        
        C:\Windows\SysWOW64\Cdanpb32.exe
        
        C:\Windows\system32\Cdanpb32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Cinfhigl.exe
        
        C:\Windows\system32\Cinfhigl.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\Clmbddgp.exe
        
        C:\Windows\system32\Clmbddgp.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Cbgjqo32.exe
        
        C:\Windows\system32\Cbgjqo32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 140
        78⤵
        Program crash
        
        PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aajbne32.exe

Filesize
80KB

MD5
76198ae7860d798b4a8c2aa53fa4eda2

SHA1
384e6f5eda0e9a198def57168339d7310330cbb9

SHA256
7da95be996b4a6daca49bcaafe6a72c3a2b998857784f09773e7af7a2a99d255

SHA512
394443293916f10475608e7515f147a8968737d95e7233c30818e8dd75b6bfc2ff3e3d54b72b0b47666bc578c108eb9901079084471143336706d1ba570f5e1b

Download Submit
C:\Windows\SysWOW64\Abeemhkh.exe

Filesize
80KB

MD5
e55835312a08a6a1ee09c51a0d425907

SHA1
217132c8e076e242d4dc2c159d8929355c0ccc60

SHA256
3c2ec4de748f4c41a37f6862edd0806b8678ba3169fe9ac3a2d07d81272280fb

SHA512
22339b0ae11d2f278dfd3f55cf3e82b8971978227387964c4bdb0fea81ffacf8815560e2caac343a1114d37fd60a7bca7deebc28cf494ce963dcf7894f58aa1b

Download Submit
C:\Windows\SysWOW64\Abphal32.exe

Filesize
80KB

MD5
0356bc43f25b60487ab3250f701d27bd

SHA1
399b841e50a08047f66be3428f230a60e787b984

SHA256
9b892d649254889fe3a8c6a679c4519c9540a36e64123cc31265a730775a281a

SHA512
e16ea8e6319010755a45b59bd6d6affd9b92169253fc9ed3126f9dddcadb64d0332e25d155b87e5ae441b87d979d71da746b0941c1fc042bf0a8d73666125c77

Download Submit
C:\Windows\SysWOW64\Ackkppma.exe

Filesize
80KB

MD5
2ae4dc958d4f69d5466f716a04882585

SHA1
7b5c15eed05a85fd244d79fd8fa9b011c2751f38

SHA256
92cfc266f7aa008220d23801b6778bb5aecdaaf20fe3db2e15609d1c323d209b

SHA512
969ed4b9f10b4708dff3b8655c334edbdb58b8062dc3ba1bdcad5ae2db6220b434ea8046372787c3fa3cd8875f8708154973cbc7ee03661b4e65a4dfc9b65c9d

Download Submit
C:\Windows\SysWOW64\Aecaidjl.exe

Filesize
80KB

MD5
f48f58bbc06bfc1caec82a5cb7e380c9

SHA1
74aa9f62063ec907b758b6b5439a36c5d4bdbbcd

SHA256
37fcecfc863cdcb091c50ba255ad34e6445322f3ada7346bbaadeaeebc9fb9dd

SHA512
8c5b1c83887ee69327853edb765289eb21482a1b765e37b4640bdf1a317a53a606e34d156f822dad4f3482cc21650b4ec397f8a96102fde7498a5f0a311ea811

Download Submit
C:\Windows\SysWOW64\Aeqabgoj.exe

Filesize
80KB

MD5
39e1e569ded6fbec30cd25d44000c5d1

SHA1
a8c5e3bbd6cba2ca6eb084d32807692b5da14cfc

SHA256
603b8e7fe203995dc2f2e1a6a5fb8685d4e62b2c229260b860177c2d50660286

SHA512
37061a3a5902e5c49e80e36b2a6da66fae9c998875da5e475a102258726a36a2fe778a5d7fc071d3783862fb4080213e6711c8650a82da488404c79c4cda5c78

Download Submit
C:\Windows\SysWOW64\Agdjkogm.exe

Filesize
80KB

MD5
0abbdbf6eaa135956932227f35816ef8

SHA1
fc680853badd9d1fa06762878e1f22c1456c7c2d

SHA256
261792ef90162c72edf6848a92059a5cc421d14ae745150e31ff3c853b38701f

SHA512
f594043283a04e4f7b413b6018871387ef02e54803e52cd2c170283bdde387f64248a349fb89d9ab10dc773370d017679627100c0efd81f76cfd1f7ac5b6ffa4

Download Submit
C:\Windows\SysWOW64\Agfgqo32.exe

Filesize
80KB

MD5
b741afbd67dc64b898725c97df0c3e9b

SHA1
0b55be48b1ef6f6bdac50dc5ddec6daf03d3d71a

SHA256
0b089ac602f5e0bcb951d934051d639107e14980c4a61eaadef048422b8229f4

SHA512
4a3fd401ff2c305fb919b7ef85a3f1d3ddd50528825d288025ed0f6eb04a4d9ebfc7d2506fe0e8a6edb8774a7beb191b99863653f5dfb215632141ad0cf9e13b

Download Submit
C:\Windows\SysWOW64\Aijpnfif.exe

Filesize
80KB

MD5
7b0a94040e10a903413500ea0ea3ae09

SHA1
e2564d350e9986ad084569fbd2507662c7f0da1a

SHA256
4e1f91210a456701b180441e992cf6807f08403a114479ec687f69c524b94695

SHA512
a259a88c43a152b212662fff9e6ca337f29058bbf273e31fcf2011ee95872867f112e32d7ff8ca1d202a486da001286211d527933a4a6763b017b9c4695182a1

Download Submit
C:\Windows\SysWOW64\Ajecmj32.exe

Filesize
80KB

MD5
b19dd408865e9d23bedccbf4e33de16a

SHA1
f46a7291b385bed0a11e73641fe5d27a51a31150

SHA256
a6fb1980a11708981ba7a41e91a979b774018941f9c235deba41a4e7945ec92b

SHA512
e25f29aba223c06657989db991189e3e545f8dc22d343b6e000cc8bacc9b8274b505075b891a548815cf4906d46ce07ca32aa33aef104b87ddde1c4e990f6f1e

Download Submit
C:\Windows\SysWOW64\Ajpjakhc.exe

Filesize
80KB

MD5
84b32cb7d5ef0463de4bb5270e3da7a1

SHA1
dfa77dfe6e7adedb5ca420e0b1d1d4b77cb2a867

SHA256
1ce5ab447d1b778bf5b54cf102faa3561123b70089a4dc9c852d02a121070c38

SHA512
26e77f9bfa86f3e436b24344827b0d26ded476659fb55caddf05b417017db672dfa7e8bb1cc5579495b27e9252d92a1c15829ff26d9858846199a71de4a3d64e

Download Submit
C:\Windows\SysWOW64\Akmjfn32.exe

Filesize
80KB

MD5
192fe1b51f0fb5bc6b775196796ff4a0

SHA1
47f2d19620e2c941021de8455efc932aef09d3c3

SHA256
3e18f670d2d9ec793587f503d8e6f22dcc51399b7257a0b66056feef32609e03

SHA512
ce5ff040e171f6a24f7390be6c1ac8214d363349d0c4c68735c58e79068486df49e3ffa0d66376909cd48052d0381d263d16639f50679ffba95e4132241ebde4

Download Submit
C:\Windows\SysWOW64\Amelne32.exe

Filesize
80KB

MD5
0f1df5608adcc6b37255a7dd8c551126

SHA1
8bd604e158cf2fc05324052c1818c70f871666bd

SHA256
571ced4712c64c4ec93a5e18d4dfb1983ed90f0370e17159dc0accb329f6f471

SHA512
f54752ea6a4e334c99f7f71ddd140636699ef986a3bb30962d7eac0270f06c9d1087434b4bfbe58b16705ffb9247ae319a9c40b5f2a6c7c8fd4b0d6ae21de8f0

Download Submit
C:\Windows\SysWOW64\Apalea32.exe

Filesize
80KB

MD5
1b3b10347c573456d4f4ef43f1cc0442

SHA1
e7c3f403d6dd609be57d280683fdbebce9acc14d

SHA256
0f0e9de21fbede87e7409129a558fef48f32a3fdd52d65de0e835e7a13ebc982

SHA512
e67ddcc2a8cd5f662fb611a9990150aada5e2bddcf353493bf4b37f193a30f40c5a16537cfbb5a1c4f0b30e43d5c07f16d9e80db5c2e9b3a8844fc4621c04193

Download Submit
C:\Windows\SysWOW64\Apdhjq32.exe

Filesize
80KB

MD5
682afc9b0ad5b12457fe5c41c37e817b

SHA1
1a227d49cc6d0187c7d7d4db7eb4aaafa43da9f9

SHA256
afea0ced89ed41e9bf0362a6ad089fa0104a86856b51d6750c7f05a087802d90

SHA512
2704eb970ced7e8f2621fa5dc8d00916d24e7df570a4f09b2a9b93f2be31038257057c889349b2ade8bdd921a322c664b0a68221ba14bd3e3f5d2118a28ede53

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
80KB

MD5
778b1a12c69e0c6a4d254c7c1fac45e8

SHA1
d5cecc3c94c3a1d3e93affe580deaaa264eaee9d

SHA256
a0cdb366f7f0a18e5279ac10c978d7da25f463843dc4287f86e58ce620858fe6

SHA512
1886f8cb4497fd34c5fd700758878cc8c0bf8023cb9d413d918242b8b9a1c3199e170fe01a5376dbf3004367915ef90ecf2d4004cb95d2204d8471c6b221fd82

Download Submit
C:\Windows\SysWOW64\Bajomhbl.exe

Filesize
80KB

MD5
bdcba8e14218dd50bdf4779af509537a

SHA1
bf0fe3a4cbc1bfeb08ba8a2b0f5c3a2f4ddffc96

SHA256
996811be0dd0e0a0b649cdef6724049ea4cecb21ec4e2290d58a31a05c4ee303

SHA512
1c74f22692f143da862fae0ae5a9815b836d759e83082f65be84ae9195ac3e9c4841da83fdf10277e1940a940e8017e6ff10cc4678fa1ae62d9d90119984e4c9

Download Submit
C:\Windows\SysWOW64\Balkchpi.exe

Filesize
80KB

MD5
6ddc585ec46350da30472f017dc46456

SHA1
dedbe9bbbca162195713d93e27f7c62a0ab89490

SHA256
03ba8af417ffdf95f08eb477fd5d892e27670d94c8e7d87454ac1ef66cc6b352

SHA512
ebdbfdd46f59ad7b4a5befa06ff1d8a6749fb7c823e4d805e32e23a55cf7f94c9351aefb01976ecd1e115ae68f23796abb85d96b1746660eae684a00d11ade70

Download Submit
C:\Windows\SysWOW64\Bbgnak32.exe

Filesize
80KB

MD5
a6f93e6264b8c9da79d619cd3e792255

SHA1
ea70ce6e098b34dc7de79c38870c744f136aec15

SHA256
9a1a175440ff838d78dcf0a707853ca1ba4a90deb232c919969d52b6e90ff693

SHA512
3b433c74ed82781ee8106579ea250b2c2bcec52b70e160fcc8abe51a4e845863312723730f9fe7215864e2dc47ac7b83449e3f33ad68784093ec0a9761a8553f

Download Submit
C:\Windows\SysWOW64\Bbikgk32.exe

Filesize
80KB

MD5
43ea0fe44797bc8faadfb704af6fd4c3

SHA1
d49980c950ac46674df925fe013e7e20a9285427

SHA256
0dace89606c02d1cf49c9be735214818a656beea9b4a5ac695d58e2d15265366

SHA512
cd28b8dce4bc9a4cf8bd71fde846c13ab98330a1789cb77520733abdfbef01bbe0a26bd2e73712440d8988ac4d80b46e7f3153fdadf8b3d7c1658df271623d4d

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
80KB

MD5
dfed8b891a8969d762baec75542272af

SHA1
fa5ef1e618a74084f022a2762a0f0ded9ffb9cf0

SHA256
d7958f693afb8a4902ad9730e21b6e18f1eba819733cab3229b0f13f07ea3105

SHA512
908241eadd3a99f1ab1f81b8b8f1334eedf5767caf1df4e76738ac2cb86bc48771b11609c2413be639c4f3cffbf6053c6c7ad8a68202755be563cfa49ffd5c95

Download Submit
C:\Windows\SysWOW64\Becnhgmg.exe

Filesize
80KB

MD5
42d9f85ec02ad1e6f9428cc8c3be618a

SHA1
3aa32bcbc62a9366fc222bea0df9ee6fc5dbb668

SHA256
cc8646a19b594640d8659d3df74ccd6e8227a8afe4e28791eee65467588ba9e2

SHA512
ed743ba180676bcc6ef6ac8b2dc87e5e73aedd4f21438f449ad077d17d3a2d21f3ae059e7d3306bbed6f3b4bf955eafb92d70136709fe8db2b0f62b9ef3a945d

Download Submit
C:\Windows\SysWOW64\Beejng32.exe

Filesize
80KB

MD5
677fb16ffff16dff9706134f23a065a4

SHA1
97c0557e9586de9bb9c7b49da7cd570a141fe8a9

SHA256
21b8fec526a9081fb77f6dfea73fed90c65060de6989ffa4f6d4cd2a3c362929

SHA512
eddce53374523dd045917e0c3fe75e1ec71ed7d336efbe97294da484036c5b116b10bd55777e532afbfb40816a22b0d96effb4c184674fb8001d09b6ef6edf7f

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
80KB

MD5
20082189c8f2379f900c3dc5600e1302

SHA1
5a97ccfdea16feb82b51320a464ccc957aaaeb29

SHA256
4304dc52580fbb4c83bad701562e691d5a2706b852665637a7304b476f472fe5

SHA512
42e95f5906e77ed940bb8b1a3e0d2173300b30670cb27d2b6d2fb119fe50f406de8bbe9cc7177e4b55231ad236461939401d9b855b0671b622eaa79b16ceb092

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
80KB

MD5
cccde4a7c55af908f9159d41759fade1

SHA1
27a0995fab74933f7e11d6a11080a0c812fdf460

SHA256
576902efee98b0ffff98ca6ae85a6f27f060f6f3312f794ad318f17f455476ff

SHA512
2a8aa52571c2a81829a88c7c295c3a550e7b71751900d7c8dfb15c35a5836f2ed341a4b67d9022129823cf4fec7512cf343541178be535c2cda05a8db7021249

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
80KB

MD5
92078fd0808fe617b1a8527ea6be21ad

SHA1
28cc1783a9d9688573dfe8eec9942cfa040962fd

SHA256
6d5a1ccb2a057e355e1370a20df4aff8b3c999101035c391390495b1a704586a

SHA512
25bca285aedddb61c1374469cb4c76565d078195669e4aae75455c2f174ace3bcc1220ca6c9ad918b5e7267f1c5a0f935303d4f9d71b016516621472bc27e673

Download Submit
C:\Windows\SysWOW64\Bfpnmj32.exe

Filesize
80KB

MD5
b3cf490394c95210ec611a0ad99b57b4

SHA1
b479ea6a54545011f0e50f8fde430315ea79a707

SHA256
1d2e1c0ae2f6a8eab16f4b5c5694a45cc755ed12f81eff6ae3802c00fd45f4db

SHA512
918bec0958e789a61d0d8365ad9f0781c3ef309de5d54e1e863fdf9d448212cfebf2dc25a5677aa71051eecab14654384cb1f1f99025d0a88bbc539584771e36

Download Submit
C:\Windows\SysWOW64\Bhdgjb32.exe

Filesize
80KB

MD5
3683340128f9b5493155b0f2974e408b

SHA1
9097c47071dce8ed8dd2dee19018428c1193c7f8

SHA256
f0139b7e76355e0cdec9a17b30f372c704361af084402941ea2c0b7ca2f1ccd0

SHA512
6b0c27d5418ea569f6127ad11e240f5cfe58b73831238ada54bf0b1bec0d215521ad0bbf504e9d5fcc5645852407def406c6bdc62755c677171562850708b053

Download Submit
C:\Windows\SysWOW64\Bhfcpb32.exe

Filesize
80KB

MD5
a14a5a024ce213f18b975cb674aef6fc

SHA1
905f71c4366e559fb0507e452d26f9528c119886

SHA256
8028552efd5a5206991d309988d66ba1c8a2c177bb42d3fed2a4e138e957b152

SHA512
ce70d1f95b83a19d2b89862f8207ef9eeb7d94dbefcc489e2303d56f9ed341dabf628e4a3e1fad123477124ba2c73ae2e3ab75f3cce77fd231723611782d2067

Download Submit
C:\Windows\SysWOW64\Biafnecn.exe

Filesize
80KB

MD5
4d8f57edf5b9c29a7180a3e61528d0c4

SHA1
6d484098a12cfa79f3c1831f78865c5e8fd196b3

SHA256
785edd714123abce82dcd7639d81d460b215e5f7fc18f8f10ba6f90c4eca1100

SHA512
5cdd064dc726c85ed308c1de5bcb615f97fd0bcd6d014b5c8997d6858cb4762eef5e00e69309417092fc93665fc4c59fbcb576f5b1d5656735a2f46426fb32d1

Download Submit
C:\Windows\SysWOW64\Bjbcfn32.exe

Filesize
80KB

MD5
98e4b9482abb39865b3c39f8da9e60bb

SHA1
1a57ad1bfb8b7bba838cec05b88550c86b8de120

SHA256
d26b5231da0e6efaf986018b4fe566076ae0784f3073f78cad9338ef77c779e2

SHA512
bff5781c25738db33bd9448d52877664c5396d9001daedd5ad9db884498794ef7a0192ebe6d89bba52d0824b8558c98b0a7478d21b4a8eecfbd781283b7bd21e

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
80KB

MD5
373aa5598a1e929da55a3cbb45644f1e

SHA1
a6809f455cc7c99a284778fc112b5b259c1576a0

SHA256
cdec1ce506a772d3305312b52796c16d5de328c86a1b7a756203a4bd0dc74bf3

SHA512
603942b2573fba5085631b237d76180ebe985030def513e852668e30853e3b1f8b30863e95e49bd08a5dff29ce7da4ba6a9e41996b280e32f326dbf5a41187f4

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
80KB

MD5
cf02581ac3a8b5836b55a417416904c2

SHA1
abffed5df50915e59ce1a8a24bd30be43acc11a7

SHA256
ad71c6b9eec2ba49672bffc5b87fe9048a30a095cc6ff4d39c7a86363b017f96

SHA512
acc407325bb0e9bfcf5d0ade20d95c3372d49076360d9bc622f1d45e7c272c05d35d41f93d3dd0f2366c2c1b642364b5d71f74328fa31c2a2a2ca03ed391cbe6

Download Submit
C:\Windows\SysWOW64\Blaopqpo.exe

Filesize
80KB

MD5
1dcd7aee26ef1cdd778856b09be24c74

SHA1
927d04d99d22991ef4d8f7c6c417f4db1a4af959

SHA256
c5ef049abfcbf3a7f59e5c5ee0caf8bcaf589348e9c1a010fd76fdcf403e5a11

SHA512
9e7b9e8a0c80f7315cdf36fcd57888ec75bc9b57f814222a09a70572b117dd6154da75d3360462c492219bd7eeffd04366cb5fe0c1dded3276a87c6c82c3a3ff

Download Submit
C:\Windows\SysWOW64\Blkioa32.exe

Filesize
80KB

MD5
ea6043286cf1283496cc7269f5790b52

SHA1
0d1a1446f90f3a93a4856aec13f76cbc1e5a40ce

SHA256
e18f7460f2a1ac42e6874b7b3500c8e9deffa57f1c91b73d39f394963d981cc5

SHA512
97cd1748d1021f765a4fbc9efa300b22129b3d9f8acf92ab7a1688d2520565693f6f6b48efb9990919a8968aedb889113c8fb357f705921476dd912debbde9d9

Download Submit
C:\Windows\SysWOW64\Blmfea32.exe

Filesize
80KB

MD5
037e2cc77643935ea4d7bd2016ebee03

SHA1
348d5bf2735702453541cdcfa8032f1b17b5ac9d

SHA256
e3a431d20c1a76325837340ef185a23aa355728c39f386f86f8a5656f9353aaf

SHA512
c69c05e85fb3168bd0fa77b7fb87644a8f4ee919625efe146ad13435a7c0881e8ba869ad879e51e1e03f0fdda4879c37dd1a59e432e7ff28d1dd01811566885a

Download Submit
C:\Windows\SysWOW64\Bnielm32.exe

Filesize
80KB

MD5
48829f2b711e01aef056d66324a97a06

SHA1
542cf2984c471444ff0db1a308742f7bd88da516

SHA256
462bd4f55505f01adb81f88cf325bf76e58caff028d51eae89d1cd1341d50018

SHA512
d4fd22ef7e3a4dcf1b1797b58a635f3eed3f82adb581756010987cc81b798334461b89d52757d8562dbf1760e618b27040712a2c8fd5c9596a32ed8c35f80392

Download Submit
C:\Windows\SysWOW64\Bonoflae.exe

Filesize
80KB

MD5
f547c5c414d6efaa92e47e96a710f32b

SHA1
7fd008c6d1f97ded3d1685e9ca3ff981fcebc2b7

SHA256
6dca41ec66daf62bbae7f624e002b3917f1012ecaec180b734774b36f29b753d

SHA512
35f83573e45e8fc91a46012d939e757c5fdedbec8dcde22c12abe8700d9ac356265f89c95a166b5f3f14a2d19ffdb7be54a6a5e5162d88a015a0f3f14c4a9d3e

Download Submit
C:\Windows\SysWOW64\Boplllob.exe

Filesize
80KB

MD5
a092b35b1a8eebd3ffc507f47a3ce59d

SHA1
1269bcfac5aec2b2e76cab8b5ddfe3c7d47ee6f4

SHA256
2db3ec7a450f489015ecccdd1d817f64e0254893a6e5e9deee59e566f9798ca5

SHA512
f3963eaa11fcb147945472733f3dc37b3cdfc38443fc2a8eff0349266177f1688c35181a0668d0035aeac6a5248904cc8b6d1e254fbb71849bf37c962fcb1c05

Download Submit
C:\Windows\SysWOW64\Bphbeplm.exe

Filesize
80KB

MD5
7a5e6273c65557ab87cc7b486715df30

SHA1
6b01ab1c038404ec4520452939b5b4bc74f7c73d

SHA256
24b91d529cd0d4fd7b2099df795a27372f866df8df8cf6e80fec61e775141e98

SHA512
8957568f463bb480d722a59fef142e08886ec330d4cacf8a54b8b2aa29f818dfa3b86e0332a43827ec37bb170dcba33ecfe2deffa8f91171e037a5dff9703092

Download Submit
C:\Windows\SysWOW64\Cbgjqo32.exe

Filesize
80KB

MD5
622a06f60608966a5170c68404ec7439

SHA1
949be9de55b61b4ea6c5d23429068683f9906421

SHA256
c9d32f58122063b3ad529b106c4a8415938e108fb7705fa5b5834d7dabbe6d34

SHA512
e58dc6583919164a4dfea261d7f467cf41118b3fca32142077f5bed92d61113a54bf3897aa78bd552dd927db6af431df78d9476f433135b8745a9f63e986aebb

Download Submit
C:\Windows\SysWOW64\Cdanpb32.exe

Filesize
80KB

MD5
123c3aa6bc8b4648dec994b998c7854b

SHA1
ab3064496ae2414cf0331a75e167885a54fdd964

SHA256
a1246b25da413f2d862a5909652f02352d3fd0f3efee48171d8a883b686f7c70

SHA512
0c05835d7440ddae8794efa07710224f1cadc5802c9071a9f3abef998f8ca8bf3cb8f97bb15fd82c508e29ade05f87d398ca5ddb096c1cdf8faeb5ed040cf2f6

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
80KB

MD5
1a3462f6f22241cd9df08030943237b7

SHA1
1fd67f53dc22a2e9de0894562c1c92ffbe252e7d

SHA256
c18d59bd78e95ab29600d349dfb7aeeff229c0534b6d61ee13e0a969f0e62ea3

SHA512
99aed1c903fa4425fa820145a9fac9c679c4716bca054b8c17c490fd9969f7302ffef849c073da1481cb4f2b150fe6a1f04febc749340f3c1a9ddc8f58237afc

Download Submit
C:\Windows\SysWOW64\Chkmkacq.exe

Filesize
80KB

MD5
eaf2437b1ee459c77f1ed8983f8dc0d8

SHA1
04ba03e2f13a806e3fad115e14b8d89a0d8d8e7b

SHA256
f18ec0734b3765e3fa0d91d0a6591366bd15724ff77fe643a635e4a246782ffc

SHA512
efbcf4c22df13051541b1468f27fa74f5183208e3cc18baf4f7e326359c7872b2502fe89df45d00dcec1ae22f18f2a112412f0101eb0890e21b3715dc8501be8

Download Submit
C:\Windows\SysWOW64\Cilibi32.exe

Filesize
80KB

MD5
766ae8731c4b570f8e996a0c1d4b35a0

SHA1
9086bd30d951e56116954f9b4dba431629561dcd

SHA256
206081fdd4b2ee9ebf161040bdcd8469e637c665eb5021a75f98156363f8f29f

SHA512
14fc9ba8e036ecfdd8ddf044bc3f7c91fd319a8a8b250470ec238a1364fb93206e62a4b8eaf1b0042dde79d3ac65985a80c39bf545cae11f0c04d13813dc98fd

Download Submit
C:\Windows\SysWOW64\Cinfhigl.exe

Filesize
80KB

MD5
fb7ed2ed6641a2dc376e23e7a1644e94

SHA1
8906a9733f013c0bff4187f687db7be4604d2f16

SHA256
5a720a7166e08f7ec48635f980f6f401d06ad1cbdc90440d770b7e3fcd3248d0

SHA512
3b07edae8177cf040fa39fe7a6c549093db332aeca78e89c506aa1c86ef106912e28489b1f21e5f5eae27fcf409088777c872ebabbed6a44d6f6a12ada5840cc

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
80KB

MD5
d0caa8de2adbd2668da3868fc25e2791

SHA1
985dfe258a568b69c0f0d7da79bdd12a019c6fc2

SHA256
fe6ccad963a2393b1658fd282f79c2ecd1153697319dbb67fc735d6ea9ed0243

SHA512
91144cf466aa55f053009409061167a6a350e454fc2538b58ab25f3ac77192dffb8647a18a6371379f742107afd14382c324ed84cba69595025d5be5443ad015

Download Submit
C:\Windows\SysWOW64\Clmbddgp.exe

Filesize
80KB

MD5
49df6314c8406085b6b20bb24a791d1c

SHA1
ee453c46d27a0b71b2b05fc1dbfe2fbdb083122c

SHA256
d63dc6b44a186b93676c9e28e7edf6151af77cc8bee5bd97fac3f17d23f7109a

SHA512
0da50f7c2765d6976a3356d83db8e105a7aee2813dc1467eb1b7c5fef80507060988571531d422756927c5c656e036c9294216bcb1138b3d353003726a2c781b

Download Submit
C:\Windows\SysWOW64\Cmgechbh.exe

Filesize
80KB

MD5
834c2960945cbeb00a2ba6d76991862d

SHA1
78ef0d502b1dff5d44fc48acdf87ed01500ab42b

SHA256
941c58fd57650fa5e2f4f6c88bd99499cafbd1956a40b8a170681d46ed430649

SHA512
1fa2ac5cbd5d9855f79b4c12d212bb913402a70d038d063f4b666e221db67fe07bb7ce67bbfdf9b34b2980097fc0e0df13de1b1fb659090b3fc7d331dc7dadfe

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
80KB

MD5
b3c4ef3abec7c7a65927db9b7348aa8c

SHA1
702ce6b769e9fbe9095ca5a944ddd741cf29578f

SHA256
7e8ce86136ab3332de401eec60820eef236d073a6ade6f14f0ebf6d1ab108168

SHA512
6675a20c288ea61ff7f6ab2b9e26a65ba96b94f2851f00f8c8c3e09f8338523c317178b4e519058671292a94112e846a4f7ad4c6c2cd1b6b42509b8af40c26d5

Download Submit
C:\Windows\SysWOW64\Ohendqhd.exe

Filesize
80KB

MD5
945007f148debf1bef2de8c3b940c98d

SHA1
b3c9881157bb9ff1ec659e0b76288b94c1e538a9

SHA256
a070328a4568388be9ecdced476e19d76b82d8fbf4e2e0331a2618ca464a989c

SHA512
acaf58ec2ea6f30992af0210c423c94d2468135d8e1ed5230fd4d5eb590d173e47a895597bf4be1baefa4ab0f43343552806808910833d52311ddd5beb67a18a

Download Submit
C:\Windows\SysWOW64\Pbnoliap.exe

Filesize
80KB

MD5
eee53b610c8e8c936f222655ecc71921

SHA1
0b4e21ce22a143d01187c96c5a0318f73d2cf49b

SHA256
40bde9a722e21777678bd827a1653aa2c94eb0b7991054ae0e716182e6f91ed5

SHA512
c8af1e72148f18e4ae8032748ee614ce0875a42229b1bd3f6a1aa4f4d315e9db3166d3501860ea71faaaa7616629cb2dec45702994ac4ab6df462134b035a257

Download Submit
C:\Windows\SysWOW64\Pdaheq32.exe

Filesize
80KB

MD5
19e8fef3f0a88c5109c078507fda0554

SHA1
3a3c01a3fdacd684bee10f9f2cba30c66d625ccf

SHA256
22f0da01facac290aeaef9132e11e1beee0555126e4653f1b3c98976bb89d6f1

SHA512
d59f211768292a0926cf743de186a9a375134a70a5c9755a63d34310aa27c7d245ca5bd53d0a730ca05c3caf2d9587e98f797c0c4c5e0bcbd12aacbaf7c5107a

Download Submit
C:\Windows\SysWOW64\Pdlkiepd.exe

Filesize
80KB

MD5
0dc37a7b0fb33e5cde06e9085f916c6c

SHA1
c977c6ac94113a4d5eadf194fe0d213f7024c2b2

SHA256
d33afd6c225cb999e8f2cc1b1c147b299f62561fc4cd701a9cd563775e464ed4

SHA512
9301e1d1f6961f6550228dbf9f123f9d18292823545ed212bbb79125631f1337f6f34371786e27a508c823f4257a4b92bde3d2735d0e06a29d957a80319c5101

Download Submit
C:\Windows\SysWOW64\Piekcd32.exe

Filesize
80KB

MD5
4f6a175044eb1bbfbaa71b94555bd2e8

SHA1
2e7ebe03dc9723d72281db443f59188434ca2c5f

SHA256
4623943512c1e83aea37d85e038c085a5ba7cb07953b1b53e9b31f18d8cfb784

SHA512
77555402b80f990cd67781e98b813d0035f04e9635ae9d9ce1c3fd5ff593de84d9acec516b7ff392a41638381d121fe8c6e1e2364358cf8a9b0fe0c8b7103d8a

Download Submit
C:\Windows\SysWOW64\Pkfceo32.exe

Filesize
80KB

MD5
3601b9bb477989f2cfbc2d939ae0733d

SHA1
33ce21b22b9d983cfed5df9d5996474bea280877

SHA256
4f11183ab8efb040f7a092217a4a1a545eec6876f0be54e90cdf41c472a66e21

SHA512
d4816804523e07a553b330cdf64899282f4f5199500d49a3c59e4d5130f01b531962c0644a613d5b56a078e42c4d7723608ddc5f5f95b9e67145f5e90093aec0

Download Submit
C:\Windows\SysWOW64\Poocpnbm.exe

Filesize
80KB

MD5
7ad6c7a4c90fae3e51a7dd637e9dc9af

SHA1
ce7c5d437b4c795dd9c6c0d2bec0cbd32b5975e7

SHA256
cd1a274016a4b4a6cd90c9c7d2a20267557c5c59f2f0273d83900373a1d96a61

SHA512
5115269b7a0fa8dc18fd154aacace46b2fba2dd41fcbf6c78103d597bfbac543229438a584f48b88eb4d3b1450ecb92f035355735c2c48c88528cf57de48d905

Download Submit
C:\Windows\SysWOW64\Qflhbhgg.exe

Filesize
80KB

MD5
4990137a5c5e7e27073ac11899879e6c

SHA1
e4e5ff2da731d191fc854c9aa14849e4d215f239

SHA256
3899677980d1ce43a3461d33d7fd8089b2b26b16df36a82dbd1f7e5965c9eed2

SHA512
9863bc10486e3aa6457d1e6b833461ad81da8ba5d51787ec1a08d1b7d21eedb1d55d2267b10b046df360ca5b20ad0147224fe83f57d3e6fc0179daa9031b102c

Download Submit
C:\Windows\SysWOW64\Qgoapp32.exe

Filesize
80KB

MD5
27540acf2975455e6413d4e0903d8964

SHA1
87b2012322c791f4c283d0298359b8b80730bab2

SHA256
7725b5344f46d782865e210ec4f80f3aa9a63f8b018505f7d47ecadcaafe19e0

SHA512
bfea8a9dedcfac7033d896d4b8accc0b5225e8fc797ec101999c551ff029c045760cd518354d63bc6618c11b5430ffd0efda333022eb9df0d7bbfd084d7b6a15

Download Submit
C:\Windows\SysWOW64\Qiladcdh.exe

Filesize
80KB

MD5
4ac48352c75e8cded7ccaa922474563f

SHA1
1c743c50df8428bda1756e6876e5f4d988be5377

SHA256
1516597f3527843e776e77aa81b5671f4d2e0e326231e426eeb71be373384d31

SHA512
a069f503a8ccbcb67dfd8bc7f57df5c1f65eea9f16169aafca2a12d7364c2847c134c89f70915c1f8bbd6a402f68a8786373bcec98496a388af511e396f773b0

Download Submit
C:\Windows\SysWOW64\Qkhpkoen.exe

Filesize
80KB

MD5
b83d36b07ebaa1e467cf6cbc3e31218d

SHA1
9088ff6e6be16b2e3d4b0b12e608afb3f35a593f

SHA256
a54e96451beb44eb6d1ec7bda6d5c5771b0344ca596f5dd5e5bbc2497f57682a

SHA512
61d927f73ffb95d25cb1386559f57f707be4f4151f97972ec61b6672efc6702083717acd696885e927a104817e41018addd0f7b8008c0b8734beb8f3fa0a9715

Download Submit
C:\Windows\SysWOW64\Qodlkm32.exe

Filesize
80KB

MD5
53d24dc10230bf91c0292f2f31951f09

SHA1
10f41e23e130bef8bb199a1e9d46e0d6002b836b

SHA256
cc74f6147c627acdcbd0974d58b4305b0d54998113f1648fe1ad4a243c91bc62

SHA512
17a7f4c15a05eac2318e2d2e79773d91c16b757aece7d773c95916d61990d3d0dfa9c6e60899b742886ef866b70d9e79ab273eefbcf788866856c0b634616063

Download Submit
\Windows\SysWOW64\Oappcfmb.exe

Filesize
80KB

MD5
dec137d6484067e2a271704f65050e9a

SHA1
45945366e4c418f9763b9dd541cb30e31016da31

SHA256
c62f4f11785665c63ab6d65620896d5d9b909287ce7dc3abc1aa2725d0b50a53

SHA512
7d02a46dbfb2d0208c1d72f2c3bbf7f290e3f614757f494690787eb4ef274be13de39a3eea8b10b6d4b526be6271fccc2572ff7d1fb54655c5aa873de963b888

Download Submit
\Windows\SysWOW64\Ocalkn32.exe

Filesize
80KB

MD5
00f8357fb967e3d480eb6b8eeb650ecc

SHA1
68a89bc436469e4efe7a185da7b3010c8c5378cb

SHA256
7810e302240f3ce111da003a386475d69bc84abd110bcaaf60fad8a06586134b

SHA512
7be466829a1dfbdcd8a8a38c169190895185b1ed0835591a5c1a792b7ccdb9ef51c14c256675d0811fa2155f07c211e9e2d81d9319f0500ad32590daa7292499

Download Submit
\Windows\SysWOW64\Ogkkfmml.exe

Filesize
80KB

MD5
9a449675db3596d71454f28b307adb91

SHA1
d03c5572d1a1376f88d91d41b0d4559ec40ffbf8

SHA256
1a5eb886bbd55384d5cf6ee69184cde8dd80e10d51c197f1f2a0a20ad99e091f

SHA512
b9d03c9805b864e23e5b6c66c2fb05edfdb2582ac9cd8f69a47de324fec0b733041b8e0e793af6036da50555eceb37f013b62cf0128fa65c67e3bc0580b92cbd

Download Submit
\Windows\SysWOW64\Oopfakpa.exe

Filesize
80KB

MD5
70958d2158779b708038641288e3a3c2

SHA1
517427b9378aba481dc72fa5a4fa42c09fe14b51

SHA256
be9e009f60cb296a23094f671818048bbbe5c90663af48fed5a3aca080348883

SHA512
778bccf5d78f0d252a5931b0e40ba0296b43974fed3980e8cb4475c200d0a15b571799219fc7a2d7e0a8fa78c92839877810ac172552cd4fc089cecad9542afb

Download Submit
\Windows\SysWOW64\Pfbelipa.exe

Filesize
80KB

MD5
4b7ef1455be2106c445b1f3705abebee

SHA1
446052e27f395a28e9f06e0594f3415eb26aadbf

SHA256
fbe3e4f720ae9891cacb22388f476c992ea2b52288a34c569a09a10053ab707f

SHA512
debbb07dba6831e19c383c9fb83f48a46d40beb9a6ab4863cb2e98c34472fb936ed02c106599e785536eb7dfc42e02910e69652d1972abfb8405f03e6f5787ae

Download Submit
\Windows\SysWOW64\Pfgngh32.exe

Filesize
80KB

MD5
23f0fb18ed62e8f18459af6d39fd4c4e

SHA1
0d06820145ede824488be024045e666ba91eb6e0

SHA256
45ae4bfaede92d7404a454199ad446383ff9f2f959129d7c7f0c764974cb4beb

SHA512
3e1d09a0ee11393a7b0f34eb33008f53435233b88c19ffe67d090337922d906467cdd051f76485810b4b18a61ab62189ab651d31a0afb3daf68e09fec8312adb

Download Submit
\Windows\SysWOW64\Pgbafl32.exe

Filesize
80KB

MD5
34b809baa115bd58afa5c5a3d8e8c21e

SHA1
c8d20c74674870d20d5b98480e8ac77602c87c0f

SHA256
245ed2ae45fb01a47cbaafa95c1c0d70f8b863fb42ca7ed4918c5132458380dd

SHA512
b46042efe30b70a9b0d83679db15a9019d3c3575b15e0bf9b1622be16003d700bafd189a60e50cc3097395b65cb54ff4b18186416f9e7cf6fe1000910c737ef0

Download Submit
\Windows\SysWOW64\Picnndmb.exe

Filesize
80KB

MD5
a9a96b480b43c4592cd5534224a74ba8

SHA1
955d95f43c6b47531e49635eb98bfdb49e7583d9

SHA256
4a9b46dfd075cd45605fb45f4eec682b43ffc7a201561947750d199abdec551d

SHA512
5e2722f698478a3e47bd89801592c66a6d233ec8cb697e2c72bdff6298df0e96321f46d0b566c0bfaa6e7840767a5e2da6768115c716e942ad989bd1b25cb3cf

Download Submit
\Windows\SysWOW64\Pjldghjm.exe

Filesize
80KB

MD5
5b46f327c48d8121fdb18ba68a9fa6d0

SHA1
4cd95b03cb26f2efcfcbdef7605afefe7379f5db

SHA256
25bb7e8877d7765a7485928c4462ff4f631526f828b22780bfa75fd5d546efb3

SHA512
5099595e8b8a7631aece94bad84200b9d95c55df623dc5b40df0886f0d0d28dcb275ab365b548360f78ec742502d4208bad02b90ed060ffd16e9a9d939e8d914

Download Submit
\Windows\SysWOW64\Pkidlk32.exe

Filesize
80KB

MD5
92c476d032f30efb94bc28b8fe577f35

SHA1
d05a2b85b9b2a936ca9c7d501c1c6b955519563f

SHA256
3bc929422fe803e19f0fdcf760cef251dcab81f96e9afd5007d2f60023fcac15

SHA512
8d5e253dbc5051c40e7e6f6031145cdf4efe28310d54b362332ba3a60d16afdafb441919684b19a1091e34515c23ad35d301b28b8982a621a174b56703755058

Download Submit
\Windows\SysWOW64\Pmlmic32.exe

Filesize
80KB

MD5
bb9b695e9f8e0df9472cb957589a5d2d

SHA1
1c2a8a87d672ed57c78ba0754961b46aba3c5ed8

SHA256
a873fd01d29b27fc607cecf672751c9759f6c6759b163a266c8a221ff5df5352

SHA512
873a89e8979ebef94d059aa8ffb78f5c94200d5cafa79cfc82ed6330deb5c30d8fc13c48dd2bae85d15bc8c9dacbc406c814babcf9143663ca37d41c558bf12b

Download Submit
\Windows\SysWOW64\Pmojocel.exe

Filesize
80KB

MD5
971383a92cd8777e3ea5f31ca1b915ae

SHA1
e1891fba08215db560397154feb6f5cdd962d90e

SHA256
660b1e9bceb8499eded799260ecbc2813bb03b99b12f0bc62bcef4c80b60c1f3

SHA512
9ef909126d1a763eed10f7bb7c402247e1a8646cf51316143afb81aa5bb674bc0d0231b58aba285d0c94b791c52d5380d11988b49d181ce8a99249e95f111133

Download Submit
\Windows\SysWOW64\Pomfkndo.exe

Filesize
80KB

MD5
53e02eab246f893e1347736373060f12

SHA1
3e0da42bdf8a14052af31d48423f17e87918273c

SHA256
010b958c6d8277dbbd1c2936ef0fd1e7742f0506d3b0607860970e8b122163bd

SHA512
9fece97a65038341439fe332b8a558167f40d44743240389c5bba4e8bdb55b6e7fa5e3761eae1db8254765ee6b5b5271fb637109fbcc326f7639bded66be4353

Download Submit
\Windows\SysWOW64\Pqhijbog.exe

Filesize
80KB

MD5
99e39239c4092a57c5afc267c7924285

SHA1
2d816ab27a6bc1db123d9a017e93b3f8ca6c508a

SHA256
9ea05d675a01271ef6588e91e6786fce1d31e26f8a5e5610d0143311e77ef2e1

SHA512
eafefaf634d875d577810d4be23878e20aed44e4a04e0d029e44f83ad08e0607c6ae10068440a42b5c97b7d9ead8f7a8582868732e1d0a00600d6260f239f0f2

Download Submit
memory/380-370-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/380-360-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/408-223-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/468-142-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/468-134-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/468-455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/536-408-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/536-80-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/956-427-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download
memory/956-89-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download
memory/956-417-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/956-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1064-494-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1064-173-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1108-222-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/1108-213-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1160-448-0x00000000002F0000-0x000000000032E000-memory.dmp

Filesize
248KB

Download
memory/1160-443-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1228-108-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1228-116-0x00000000002F0000-0x000000000032E000-memory.dmp

Filesize
248KB

Download
memory/1228-438-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1284-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1284-241-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1292-274-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/1292-264-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1292-273-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/1492-382-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1492-376-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1492-381-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1612-457-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/1612-461-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/1612-450-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1640-305-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/1640-304-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/1680-406-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/1680-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1724-250-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1724-251-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/1724-252-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/1908-263-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/1908-258-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/1908-253-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1964-285-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1964-291-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/1964-295-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/1980-473-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1980-462-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1980-468-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1984-348-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2008-186-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2008-194-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2084-428-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2084-100-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2088-385-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2088-395-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2324-499-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/2324-488-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2352-429-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2596-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2596-14-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2596-366-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/2616-332-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2616-334-0x0000000000320000-0x000000000035E000-memory.dmp

Filesize
248KB

Download
memory/2616-338-0x0000000000320000-0x000000000035E000-memory.dmp

Filesize
248KB

Download
memory/2648-474-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2664-402-0x0000000001F30000-0x0000000001F6E000-memory.dmp

Filesize
248KB

Download
memory/2664-394-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2664-54-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2664-61-0x0000000001F30000-0x0000000001F6E000-memory.dmp

Filesize
248KB

Download
memory/2700-384-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2700-53-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2764-347-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2764-349-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2768-160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2768-483-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2768-484-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2800-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2800-284-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/2824-310-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2824-315-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/2824-316-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/2856-323-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/2856-327-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/2856-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2868-418-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2884-358-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2884-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2884-12-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2884-13-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2908-472-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2932-449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2968-407-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3048-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3048-35-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/3048-27-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3048-383-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads