berbew | a1230a5a9a28c902f5693c6a6aef0c648cbd22a91f1e5f42ed6419868ee63597

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1230a5a9a28c902f5693c6a6aef0c648cbd22a91f1e5f42ed6419868ee63597.exe
Size

59KB
MD5

4c8b5cf7aba014abd1e54e6686f9aef6
SHA1

88ae2f8bb5482eb6c87a971fb818c4afe2e2d461
SHA256

a1230a5a9a28c902f5693c6a6aef0c648cbd22a91f1e5f42ed6419868ee63597
SHA512

7d3620ebfe0e94a8eed97724145101585e5a30506418b9028e5cf413c989a095ce1d3400ce5f212d3cb2094586d13edcceb10fce92d13b142df561d86916e132
SSDEEP

768:bgaWF264gfgyxUXSBd8wr2TpJVS9WqiL2JLcMHEpl8lELlb/1H5A9XdnhgPD4N:bgCQxU+d8wlbHEplPPi3h

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apedah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accqnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afffenbp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdncmgbj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aomnhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpbglhjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apgagg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdgmlhha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anbkipok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcljmdmj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdncmgbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnbojmmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeppdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a1230a5a9a28c902f5693c6a6aef0c648cbd22a91f1e5f42ed6419868ee63597.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahbekjcf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkcbnanl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abpcooea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alqnah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aebmjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aohdmdoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qeppdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkcbnanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagienkb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2176	Pdgmlhha.exe
1756	Pgfjhcge.exe
2412	Pkaehb32.exe
2740	Paknelgk.exe
2732	Pdjjag32.exe
2704	Pcljmdmj.exe
2604	Pkcbnanl.exe
2420	Pnbojmmp.exe
2876	Qppkfhlc.exe
2768	Qcogbdkg.exe
1960	Qkfocaki.exe
348	Qndkpmkm.exe
2852	Qpbglhjq.exe
2008	Qdncmgbj.exe
840	Qeppdo32.exe
2908	Qnghel32.exe
832	Apedah32.exe
1832	Aohdmdoh.exe
2424	Accqnc32.exe
2208	Aebmjo32.exe
1276	Ajmijmnn.exe
1696	Ahpifj32.exe
2384	Apgagg32.exe
3024	Aojabdlf.exe
1556	Acfmcc32.exe
2796	Afdiondb.exe
2428	Ahbekjcf.exe
2720	Aomnhd32.exe
3048	Achjibcl.exe
2832	Afffenbp.exe
2804	Ahebaiac.exe
592	Alqnah32.exe
2056	Anbkipok.exe
2536	Adlcfjgh.exe
2508	Agjobffl.exe
2784	Aoagccfn.exe
844	Abpcooea.exe
2896	Bgllgedi.exe
1816	Bbbpenco.exe
1916	Bdqlajbb.exe
2904	Bccmmf32.exe
1892	Bniajoic.exe
1564	Bdcifi32.exe
2860	Bgaebe32.exe
2496	Bjpaop32.exe
2472	Bmnnkl32.exe
2204	Bqijljfd.exe
2572	Bchfhfeh.exe
2244	Bffbdadk.exe
2844	Bjbndpmd.exe
2028	Bmpkqklh.exe
2928	Boogmgkl.exe
2676	Bcjcme32.exe
2716	Bfioia32.exe
1576	Bigkel32.exe
1080	Bmbgfkje.exe
2880	Coacbfii.exe
2788	Cbppnbhm.exe
2996	Cenljmgq.exe
1468	Cmedlk32.exe
776	Cocphf32.exe
2560	Cbblda32.exe
2200	Cepipm32.exe
2548	Cileqlmg.exe

Loads dropped DLL 64 IoCs

pid	Process
2024	a1230a5a9a28c902f5693c6a6aef0c648cbd22a91f1e5f42ed6419868ee63597.exe
2024	a1230a5a9a28c902f5693c6a6aef0c648cbd22a91f1e5f42ed6419868ee63597.exe
2176	Pdgmlhha.exe
2176	Pdgmlhha.exe
1756	Pgfjhcge.exe
1756	Pgfjhcge.exe
2412	Pkaehb32.exe
2412	Pkaehb32.exe
2740	Paknelgk.exe
2740	Paknelgk.exe
2732	Pdjjag32.exe
2732	Pdjjag32.exe
2704	Pcljmdmj.exe
2704	Pcljmdmj.exe
2604	Pkcbnanl.exe
2604	Pkcbnanl.exe
2420	Pnbojmmp.exe
2420	Pnbojmmp.exe
2876	Qppkfhlc.exe
2876	Qppkfhlc.exe
2768	Qcogbdkg.exe
2768	Qcogbdkg.exe
1960	Qkfocaki.exe
1960	Qkfocaki.exe
348	Qndkpmkm.exe
348	Qndkpmkm.exe
2852	Qpbglhjq.exe
2852	Qpbglhjq.exe
2008	Qdncmgbj.exe
2008	Qdncmgbj.exe
840	Qeppdo32.exe
840	Qeppdo32.exe
2908	Qnghel32.exe
2908	Qnghel32.exe
832	Apedah32.exe
832	Apedah32.exe
1832	Aohdmdoh.exe
1832	Aohdmdoh.exe
2424	Accqnc32.exe
2424	Accqnc32.exe
2208	Aebmjo32.exe
2208	Aebmjo32.exe
1276	Ajmijmnn.exe
1276	Ajmijmnn.exe
1696	Ahpifj32.exe
1696	Ahpifj32.exe
2384	Apgagg32.exe
2384	Apgagg32.exe
3024	Aojabdlf.exe
3024	Aojabdlf.exe
1556	Acfmcc32.exe
1556	Acfmcc32.exe
2796	Afdiondb.exe
2796	Afdiondb.exe
2428	Ahbekjcf.exe
2428	Ahbekjcf.exe
2720	Aomnhd32.exe
2720	Aomnhd32.exe
3048	Achjibcl.exe
3048	Achjibcl.exe
2832	Afffenbp.exe
2832	Afffenbp.exe
2804	Ahebaiac.exe
2804	Ahebaiac.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aomnhd32.exe	Ahbekjcf.exe
File created	C:\Windows\SysWOW64\Cbppnbhm.exe	Coacbfii.exe
File opened for modification	C:\Windows\SysWOW64\Cocphf32.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Accqnc32.exe	Aohdmdoh.exe
File created	C:\Windows\SysWOW64\Aojabdlf.exe	Apgagg32.exe
File created	C:\Windows\SysWOW64\Aaddfb32.dll	Cbppnbhm.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Qdncmgbj.exe	Qpbglhjq.exe
File created	C:\Windows\SysWOW64\Maanne32.dll	Afdiondb.exe
File created	C:\Windows\SysWOW64\Pdkiofep.dll	Bccmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Bfioia32.exe	Bcjcme32.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Cenljmgq.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Ckjamgmk.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Mdhpmg32.dll	a1230a5a9a28c902f5693c6a6aef0c648cbd22a91f1e5f42ed6419868ee63597.exe
File created	C:\Windows\SysWOW64\Qpbglhjq.exe	Qndkpmkm.exe
File created	C:\Windows\SysWOW64\Cbdiia32.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Pgfjhcge.exe	Pdgmlhha.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Aqpmpahd.dll	Cmedlk32.exe
File opened for modification	C:\Windows\SysWOW64\Cebeem32.exe	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\Abpcooea.exe	Aoagccfn.exe
File opened for modification	C:\Windows\SysWOW64\Acfmcc32.exe	Aojabdlf.exe
File created	C:\Windows\SysWOW64\Adlcfjgh.exe	Anbkipok.exe
File created	C:\Windows\SysWOW64\Hmdeje32.dll	Coacbfii.exe
File created	C:\Windows\SysWOW64\Cbblda32.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Aebmjo32.exe	Accqnc32.exe
File created	C:\Windows\SysWOW64\Alqnah32.exe	Ahebaiac.exe
File opened for modification	C:\Windows\SysWOW64\Afffenbp.exe	Achjibcl.exe
File opened for modification	C:\Windows\SysWOW64\Alqnah32.exe	Ahebaiac.exe
File opened for modification	C:\Windows\SysWOW64\Bmpkqklh.exe	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Lloeec32.dll	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Incleo32.dll	Acfmcc32.exe
File created	C:\Windows\SysWOW64\Qcogbdkg.exe	Qppkfhlc.exe
File opened for modification	C:\Windows\SysWOW64\Ajmijmnn.exe	Aebmjo32.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Djdgic32.exe
File created	C:\Windows\SysWOW64\Kqcjjk32.dll	Paknelgk.exe
File created	C:\Windows\SysWOW64\Bcjcme32.exe	Boogmgkl.exe
File opened for modification	C:\Windows\SysWOW64\Pkaehb32.exe	Pgfjhcge.exe
File created	C:\Windows\SysWOW64\Gfikmo32.dll	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Fnbkfl32.dll	Cagienkb.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Lmdlck32.dll	Bbbpenco.exe
File created	C:\Windows\SysWOW64\Alecllfh.dll	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Cepipm32.exe	Cbblda32.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Nmlfpfpl.dll	Ajmijmnn.exe
File created	C:\Windows\SysWOW64\Efeckm32.dll	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Anbkipok.exe	Alqnah32.exe
File created	C:\Windows\SysWOW64\Cdpkangm.dll	Bgaebe32.exe
File opened for modification	C:\Windows\SysWOW64\Cbppnbhm.exe	Coacbfii.exe
File opened for modification	C:\Windows\SysWOW64\Cenljmgq.exe	Cbppnbhm.exe
File opened for modification	C:\Windows\SysWOW64\Ahpifj32.exe	Ajmijmnn.exe
File created	C:\Windows\SysWOW64\Abpcooea.exe	Aoagccfn.exe
File created	C:\Windows\SysWOW64\Pfqgfg32.dll	Qkfocaki.exe
File created	C:\Windows\SysWOW64\Cenljmgq.exe	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Fdakoaln.dll	Pgfjhcge.exe
File opened for modification	C:\Windows\SysWOW64\Qcogbdkg.exe	Qppkfhlc.exe

Program crash 1 IoCs

pid	pid_target	Process
780	2836	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paknelgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjjag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnbojmmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apedah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdncmgbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbbpenco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcljmdmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahpifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anbkipok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bniajoic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfmcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qndkpmkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aohdmdoh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajmijmnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahebaiac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qppkfhlc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnghel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoagccfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgllgedi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aojabdlf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afffenbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adlcfjgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accqnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahbekjcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aomnhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkcbnanl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfocaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afdiondb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbglhjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anbkipok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aacinhhc.dll"	Aojabdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maanne32.dll"	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aebmjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdjhp32.dll"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komjgdhc.dll"	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbdjfk32.dll"	Pnbojmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiqhbk32.dll"	Anbkipok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aojabdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifbbocj.dll"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godonkii.dll"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acfmcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkgoklhk.dll"	Pkaehb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qpbglhjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmgmc32.dll"	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdlck32.dll"	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll"	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnbojmmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcogbdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfhmmndi.dll"	Aomnhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olbkdn32.dll"	Qeppdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabhggjd.dll"	Bdcifi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2176	2024	a1230a5a9a28c902f5693c6a6aef0c648cbd22a91f1e5f42ed6419868ee63597.exe	31
PID 2024 wrote to memory of 2176	2024	a1230a5a9a28c902f5693c6a6aef0c648cbd22a91f1e5f42ed6419868ee63597.exe	31
PID 2024 wrote to memory of 2176	2024	a1230a5a9a28c902f5693c6a6aef0c648cbd22a91f1e5f42ed6419868ee63597.exe	31
PID 2024 wrote to memory of 2176	2024	a1230a5a9a28c902f5693c6a6aef0c648cbd22a91f1e5f42ed6419868ee63597.exe	31
PID 2176 wrote to memory of 1756	2176	Pdgmlhha.exe	32
PID 2176 wrote to memory of 1756	2176	Pdgmlhha.exe	32
PID 2176 wrote to memory of 1756	2176	Pdgmlhha.exe	32
PID 2176 wrote to memory of 1756	2176	Pdgmlhha.exe	32
PID 1756 wrote to memory of 2412	1756	Pgfjhcge.exe	33
PID 1756 wrote to memory of 2412	1756	Pgfjhcge.exe	33
PID 1756 wrote to memory of 2412	1756	Pgfjhcge.exe	33
PID 1756 wrote to memory of 2412	1756	Pgfjhcge.exe	33
PID 2412 wrote to memory of 2740	2412	Pkaehb32.exe	34
PID 2412 wrote to memory of 2740	2412	Pkaehb32.exe	34
PID 2412 wrote to memory of 2740	2412	Pkaehb32.exe	34
PID 2412 wrote to memory of 2740	2412	Pkaehb32.exe	34
PID 2740 wrote to memory of 2732	2740	Paknelgk.exe	35
PID 2740 wrote to memory of 2732	2740	Paknelgk.exe	35
PID 2740 wrote to memory of 2732	2740	Paknelgk.exe	35
PID 2740 wrote to memory of 2732	2740	Paknelgk.exe	35
PID 2732 wrote to memory of 2704	2732	Pdjjag32.exe	36
PID 2732 wrote to memory of 2704	2732	Pdjjag32.exe	36
PID 2732 wrote to memory of 2704	2732	Pdjjag32.exe	36
PID 2732 wrote to memory of 2704	2732	Pdjjag32.exe	36
PID 2704 wrote to memory of 2604	2704	Pcljmdmj.exe	37
PID 2704 wrote to memory of 2604	2704	Pcljmdmj.exe	37
PID 2704 wrote to memory of 2604	2704	Pcljmdmj.exe	37
PID 2704 wrote to memory of 2604	2704	Pcljmdmj.exe	37
PID 2604 wrote to memory of 2420	2604	Pkcbnanl.exe	38
PID 2604 wrote to memory of 2420	2604	Pkcbnanl.exe	38
PID 2604 wrote to memory of 2420	2604	Pkcbnanl.exe	38
PID 2604 wrote to memory of 2420	2604	Pkcbnanl.exe	38
PID 2420 wrote to memory of 2876	2420	Pnbojmmp.exe	39
PID 2420 wrote to memory of 2876	2420	Pnbojmmp.exe	39
PID 2420 wrote to memory of 2876	2420	Pnbojmmp.exe	39
PID 2420 wrote to memory of 2876	2420	Pnbojmmp.exe	39
PID 2876 wrote to memory of 2768	2876	Qppkfhlc.exe	40
PID 2876 wrote to memory of 2768	2876	Qppkfhlc.exe	40
PID 2876 wrote to memory of 2768	2876	Qppkfhlc.exe	40
PID 2876 wrote to memory of 2768	2876	Qppkfhlc.exe	40
PID 2768 wrote to memory of 1960	2768	Qcogbdkg.exe	41
PID 2768 wrote to memory of 1960	2768	Qcogbdkg.exe	41
PID 2768 wrote to memory of 1960	2768	Qcogbdkg.exe	41
PID 2768 wrote to memory of 1960	2768	Qcogbdkg.exe	41
PID 1960 wrote to memory of 348	1960	Qkfocaki.exe	42
PID 1960 wrote to memory of 348	1960	Qkfocaki.exe	42
PID 1960 wrote to memory of 348	1960	Qkfocaki.exe	42
PID 1960 wrote to memory of 348	1960	Qkfocaki.exe	42
PID 348 wrote to memory of 2852	348	Qndkpmkm.exe	43
PID 348 wrote to memory of 2852	348	Qndkpmkm.exe	43
PID 348 wrote to memory of 2852	348	Qndkpmkm.exe	43
PID 348 wrote to memory of 2852	348	Qndkpmkm.exe	43
PID 2852 wrote to memory of 2008	2852	Qpbglhjq.exe	44
PID 2852 wrote to memory of 2008	2852	Qpbglhjq.exe	44
PID 2852 wrote to memory of 2008	2852	Qpbglhjq.exe	44
PID 2852 wrote to memory of 2008	2852	Qpbglhjq.exe	44
PID 2008 wrote to memory of 840	2008	Qdncmgbj.exe	45
PID 2008 wrote to memory of 840	2008	Qdncmgbj.exe	45
PID 2008 wrote to memory of 840	2008	Qdncmgbj.exe	45
PID 2008 wrote to memory of 840	2008	Qdncmgbj.exe	45
PID 840 wrote to memory of 2908	840	Qeppdo32.exe	46
PID 840 wrote to memory of 2908	840	Qeppdo32.exe	46
PID 840 wrote to memory of 2908	840	Qeppdo32.exe	46
PID 840 wrote to memory of 2908	840	Qeppdo32.exe	46

C:\Users\Admin\AppData\Local\Temp\a1230a5a9a28c902f5693c6a6aef0c648cbd22a91f1e5f42ed6419868ee63597.exe
"C:\Users\Admin\AppData\Local\Temp\a1230a5a9a28c902f5693c6a6aef0c648cbd22a91f1e5f42ed6419868ee63597.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\Pdgmlhha.exe
  C:\Windows\system32\Pdgmlhha.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\SysWOW64\Pgfjhcge.exe
    C:\Windows\system32\Pgfjhcge.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1756
  - - C:\Windows\SysWOW64\Pkaehb32.exe
      C:\Windows\system32\Pkaehb32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2412
    - - C:\Windows\SysWOW64\Paknelgk.exe
        
        C:\Windows\system32\Paknelgk.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2740
      - C:\Windows\SysWOW64\Pdjjag32.exe
        
        C:\Windows\system32\Pdjjag32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Pcljmdmj.exe
        
        C:\Windows\system32\Pcljmdmj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Pkcbnanl.exe
        
        C:\Windows\system32\Pkcbnanl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Pnbojmmp.exe
        
        C:\Windows\system32\Pnbojmmp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Qppkfhlc.exe
        
        C:\Windows\system32\Qppkfhlc.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Qcogbdkg.exe
        
        C:\Windows\system32\Qcogbdkg.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Qkfocaki.exe
        
        C:\Windows\system32\Qkfocaki.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Qndkpmkm.exe
        
        C:\Windows\system32\Qndkpmkm.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\SysWOW64\Qpbglhjq.exe
        
        C:\Windows\system32\Qpbglhjq.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Qdncmgbj.exe
        
        C:\Windows\system32\Qdncmgbj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Qeppdo32.exe
        
        C:\Windows\system32\Qeppdo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\Qnghel32.exe
        
        C:\Windows\system32\Qnghel32.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\Apedah32.exe
        
        C:\Windows\system32\Apedah32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:832
        
        C:\Windows\SysWOW64\Aohdmdoh.exe
        
        C:\Windows\system32\Aohdmdoh.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Windows\SysWOW64\Accqnc32.exe
        
        C:\Windows\system32\Accqnc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Aebmjo32.exe
        
        C:\Windows\system32\Aebmjo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Ajmijmnn.exe
        
        C:\Windows\system32\Ajmijmnn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Ahpifj32.exe
        
        C:\Windows\system32\Ahpifj32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Windows\SysWOW64\Apgagg32.exe
        
        C:\Windows\system32\Apgagg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Aojabdlf.exe
        
        C:\Windows\system32\Aojabdlf.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Acfmcc32.exe
        
        C:\Windows\system32\Acfmcc32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Afdiondb.exe
        
        C:\Windows\system32\Afdiondb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Ahbekjcf.exe
        
        C:\Windows\system32\Ahbekjcf.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Aomnhd32.exe
        
        C:\Windows\system32\Aomnhd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Achjibcl.exe
        
        C:\Windows\system32\Achjibcl.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Afffenbp.exe
        
        C:\Windows\system32\Afffenbp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\Ahebaiac.exe
        
        C:\Windows\system32\Ahebaiac.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Alqnah32.exe
        
        C:\Windows\system32\Alqnah32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:592
        
        C:\Windows\SysWOW64\Anbkipok.exe
        
        C:\Windows\system32\Anbkipok.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Adlcfjgh.exe
        
        C:\Windows\system32\Adlcfjgh.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Agjobffl.exe
        
        C:\Windows\system32\Agjobffl.exe
        36⤵
        Executes dropped EXE
        
        PID:2508
        
        C:\Windows\SysWOW64\Aoagccfn.exe
        
        C:\Windows\system32\Aoagccfn.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Abpcooea.exe
        
        C:\Windows\system32\Abpcooea.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Bgllgedi.exe
        
        C:\Windows\system32\Bgllgedi.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Bbbpenco.exe
        
        C:\Windows\system32\Bbbpenco.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\Bniajoic.exe
        
        C:\Windows\system32\Bniajoic.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Bdcifi32.exe
        
        C:\Windows\system32\Bdcifi32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Bmnnkl32.exe
        
        C:\Windows\system32\Bmnnkl32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\Bmpkqklh.exe
        
        C:\Windows\system32\Bmpkqklh.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Bigkel32.exe
        
        C:\Windows\system32\Bigkel32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Coacbfii.exe
        
        C:\Windows\system32\Coacbfii.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2200
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:268
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        68⤵
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:580
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1268
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        73⤵
        
        PID:808
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:656
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        80⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:756
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        86⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        87⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 144
        88⤵
        Program crash
        
        PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abpcooea.exe

Filesize
59KB

MD5
329b0cc31e20382dda0a0dd65c22789b

SHA1
1dd34b5ab1b8fdde86e24626f9c03e29ee8b6371

SHA256
13a7ce5f51b958111d9573aa44ad6e39670ed387184b6f431abf45dcfe19e41a

SHA512
e615909f72d3c392a3115a96524a5cd8773e0fb1779742173b950a2fca83b84893a93169c13f2bacea4f74eb4608ba8c098a977edd9d2bfccb49f631ffff9be6

Download Submit
C:\Windows\SysWOW64\Accqnc32.exe

Filesize
59KB

MD5
03d2e871f271ed0a50dd640f5c53a92f

SHA1
401d78377ba9337d05a5ba0a07c38dcb116cc197

SHA256
f64e7eed17b7b63782a2e1fcd31fa745a1b7c49666af271c813cc286ef220dc2

SHA512
3508544273da15160f63c48f13186f31d9541d0abe71cc8783c7dc9da46eeed3a06fbb8c83e8ddc85cb138248c9939d3c3b91e75989cf2aec73ca5fac1896f48

Download Submit
C:\Windows\SysWOW64\Acfmcc32.exe

Filesize
59KB

MD5
eead4547b7d838acc8382998c01e6566

SHA1
5478cc05c1ec20d01400e4c7f9a012cfedb08974

SHA256
260a8538a9696c438fd1c8c49d1beb7a76d840769dbcec340d21c063122f4178

SHA512
dc2c891d952827f1ab2b199020b07099a9bd57a7f5b670b98d6b056828f2b8f9bf543383093a8b489812a2cad78aa5ef00a5cca05faf7b8aad3b73bc4fa95349

Download Submit
C:\Windows\SysWOW64\Achjibcl.exe

Filesize
59KB

MD5
06e39a7084bb55de6cdf9b5a4f5036e6

SHA1
3b8eb43ef83c24b050ac4da84403a0225795fdc4

SHA256
2a175fc5872eafbd3a92a4068a726b4cd23057af44b75e9a869f58ffb8ad3d0f

SHA512
4eda68f8581146b8946c2d1a00de85c1e07a190cda9f4f5f3f73aca92ecc393a6c7e712dee9102840cb50965096bdedbd5ee31ec192b061407759c6d9531d0ac

Download Submit
C:\Windows\SysWOW64\Adlcfjgh.exe

Filesize
59KB

MD5
bbdbc495f8941d4d424fbc0b62271276

SHA1
8f916796d81d70bd20bac9fec41ef087c82597cc

SHA256
80a1d5a8aea5fffa3a00fc197814daff0c83b1abc553f560ddff6d1bfa5231c9

SHA512
4a71c9ccdc8eb9f49490826285d681a6b8dc695f9007cb767c29c017a7b3224409083fb315586e129d917ee5e45e5faee83083baeff00960fca33bc34abe86f4

Download Submit
C:\Windows\SysWOW64\Aebmjo32.exe

Filesize
59KB

MD5
e9984d364c90ae55789acebe8e65f211

SHA1
67fdce07a75fa2847d69ed87e86b6e7b508d16b5

SHA256
e7961a9981addc78ddfee687801528e0f8a2637638ef3182615844b8309aaefe

SHA512
ed2c23a6fe6ae7f8a3459aa788cd48430a733772fe5d800837908073578385465ee776472e012eba5063567305591d9eaab56fd92b8285389cf2f17c22b4e2e9

Download Submit
C:\Windows\SysWOW64\Afdiondb.exe

Filesize
59KB

MD5
d7c73b505d1b5a9128fd390b742c2bc5

SHA1
dc87f9f66305966783fc2be8f06b668e5f9a48c4

SHA256
ab3c214b640801ea31573f1a17b425e47db0e553a8987aac762515121218ffd5

SHA512
b6d30494a70a00f3feb64bd396aeff8dde04e4137c67a8a2a9832764843c7339d3fdd17f2606a200fba3c6413be15b417bc5cab4bd4dce09bb4af012f59b8431

Download Submit
C:\Windows\SysWOW64\Afffenbp.exe

Filesize
59KB

MD5
2f0e620454494c3c8ec81dc5f1f98278

SHA1
2b1f5863cd3106218fc8b30c4f910a66ade09af4

SHA256
79fdb97c573333d9c804c2506cea7a5ccfec1e3c0e72857795601cbb255c6014

SHA512
ef8e87f38501a7af34dec0c3e4f3982b3fcb8b7f060338c047744637afaaeecdf1bdae52c70871c64857db7137b2b688810eb5727660587771e40c2ce9ee0065

Download Submit
C:\Windows\SysWOW64\Agjobffl.exe

Filesize
59KB

MD5
b711e065ee1976fb5b355a088cf92d66

SHA1
b6ef265c808a55a03cdcb362fc415bd55d6d44b6

SHA256
64e72d9e7a7c84c4bb21b9a24b247a44e3d1a5c7358de6f6bd1d27d0a864e2f5

SHA512
7c7b314944820dffe83d31f179bd7bb24f267fcc482cf96172c9c4e3d6d939e761bff9573ad4299c0d289fafe7d7de246f1eafd70e3de5632989bc9b64f1d7e0

Download Submit
C:\Windows\SysWOW64\Ahbekjcf.exe

Filesize
59KB

MD5
37752d23d2a9fe8b560d29cbe710ed26

SHA1
4c8dad5d1e65115ed353603e3dd0e7aa15bddd84

SHA256
a8a1f873f93584ce4a600717094ca831a90d6d7c44121ffb832d025f2f16dac9

SHA512
c2f5c209b2e9d144d0433981e6fbdd16e0a2f12095d6fe983a6f4ba7505482570fbcf9cfeeed59bb073f343b482dbba42aa3b6a6bdfec8db6c94cb2bb6a3749a

Download Submit
C:\Windows\SysWOW64\Ahebaiac.exe

Filesize
59KB

MD5
e390fa5d97fd9b58dc743c8e0e35a528

SHA1
3de227d77b264a2115a133f4044de944b8ee359f

SHA256
ead97766e6a8f7abe0f4157c3188e9eb12db8efb5cf416211f80d6de48c011cd

SHA512
a2599bf432864dd44e419e11ceaf01b3014627dea23b4a269dc5b1e6b03cf4913679069227f9ce2393f14f0d8fd9edd736d06ee4fefe35ecd1c5d7cc4416993b

Download Submit
C:\Windows\SysWOW64\Ahpifj32.exe

Filesize
59KB

MD5
66faa601cd295618d13fa6599b18db65

SHA1
87fc2806f59f595934e73fcacadffe5617539835

SHA256
a2d92cfef114cebe29be0c14921e8745d8f8b8b2b9f7355894990b7c276114e2

SHA512
58d6b8e489150d2384e495e1531c90c6b72d113ab94a437ea42e517e122e8501a6a4a7e353c770ecc8d0430d8929d45c94be4cbed1e7a92c1ae8f2469165ce75

Download Submit
C:\Windows\SysWOW64\Ajmijmnn.exe

Filesize
59KB

MD5
b855ea6bde3e1d579e04546c70c7b355

SHA1
a11a3c25ea92ff7671aa5e64ecc0a1b293b96e77

SHA256
13fb7fbac0ab6d0ffa26f0f004bfc258c5fea860517c2e18e7983171fb20d254

SHA512
658b3b900369eaa618f303d10195f5d0af924e044fbd4ed8a60ccf51c5dd1e0ac6438f2ee9f734f2b99bce4791ab34a036321c7231021458290bab07c26ef762

Download Submit
C:\Windows\SysWOW64\Alqnah32.exe

Filesize
59KB

MD5
8ade5aa83ba95794f834a0cd254482cf

SHA1
6b4333ccfbc7472ae55b1a539ce858c912ba63ac

SHA256
34c0ed61d5e3940f67ea93c0d70c56591630e8017dadddd0e968d562f3406d85

SHA512
93a1758d30201aa4af9ecac889e4e94e2c0983fc34a81d36306fca43296f70d9ebf7b7febb61deb76d9c76754e7e9e8645366bf4735b75d0e5363e84c4cdf4a8

Download Submit
C:\Windows\SysWOW64\Anbkipok.exe

Filesize
59KB

MD5
b4b07341acfe488b502e1e5bc21af3cf

SHA1
9020549a583ec4623f3b481c73af05ebdf5cfaca

SHA256
a5c9cd6a5a545c9c45afc89b90a41ff52f69b8699be51d83c26e85275603c00d

SHA512
d15a224dee24eb4e3eb56203bef162de8057d692108c99fa3690b8676712a2e0c1b7d836fa62939f8bfe6d3e0a1cd49e36e5ee5be492f394dbb5b3768fdce749

Download Submit
C:\Windows\SysWOW64\Aoagccfn.exe

Filesize
59KB

MD5
53b9e6864f53dfe604ad769152146f99

SHA1
9fe13b37995d13f4a248c9067a973664a647a21d

SHA256
acea3230d42b2fee2d334865d0cc92a97315e7adb4a9edabe46cd60b00fc93b0

SHA512
e1b8a7ad505048b1277ac575ada417a04d659b90ffad9ab128feead66c95e49edb7b2e15c1450ecbeacac22e4b5955fd1a1cd216762e8b1e918d5cc9d18a0c72

Download Submit
C:\Windows\SysWOW64\Aohdmdoh.exe

Filesize
59KB

MD5
f8a11f3fdcbd2194656a78bb799d311f

SHA1
9979eba9eccafb43240b64e81d95ab6815a0da8a

SHA256
04afe39342073871d30ec9d966b79eaf5fbdd3494bfc80ad071a96c6c33e4136

SHA512
5dfc9854851b1758e56d2121851bbdaae2f24c92794ae9273d337030a6c67330a83ee0c5ae02b0f340c38efc52437e9ab58d32fe92a426310d56a4e1db89b365

Download Submit
C:\Windows\SysWOW64\Aojabdlf.exe

Filesize
59KB

MD5
4bdc9c8c543cc6aef84ee7664d313916

SHA1
89d26ef99abdfcac3b5f7499f5760e079e4ce04d

SHA256
2b79a97b591c7e998d0744e01aeb4297192e59c11bcc91b2c88cb5d6ed52c6d1

SHA512
25149ffc2477faa01c404e0c42464bb1de5c98e262ed5ee33b0d15d3357eb69bb0cd0b6af422d13235fcf78be6d4b772da6af282806b5c2dd5007a104e2b00ba

Download Submit
C:\Windows\SysWOW64\Aomnhd32.exe

Filesize
59KB

MD5
4d7e1d329a5850c08874f8fdbec36203

SHA1
fdd628c5ea487342fa1d511ea2995ed4f87a9e80

SHA256
b79762074f9e2beccf61092f4b25fe08f312c520ab6121ddd11219fc549e2d4b

SHA512
f3bfb844e0dead8aa3ee1da111001126d3a708025f5913c12555599feae7d62a32cb2a2ef6f05bd8602bbe1ae3cfe8b4430b9769981c0f58268cbb7f95cd2504

Download Submit
C:\Windows\SysWOW64\Apedah32.exe

Filesize
59KB

MD5
1f26b57efcc794435cd6cd17969c1dab

SHA1
63893548b23b1015b3138ce7fbe232a313de8ce4

SHA256
e6c31a8816bb7f85e0400b38cb41aa9c81b58b61f9e194a83646349e5d29d1d7

SHA512
5ce8f4232ed2980f6a99defb3bb49889e1b6fd63231dd517d44d6e1128e2bf8c9b1d1070bc7ea6c1e8c2b9678c62703ad1c5ebf80c6223c405fe39bd40a20aaa

Download Submit
C:\Windows\SysWOW64\Apgagg32.exe

Filesize
59KB

MD5
db973af2826053a0a9d047c081afdb6b

SHA1
e58d2ae8f02fe23e05defbbcdd3a39d1fe9740fb

SHA256
dec17959926b59f7bb1784ca3195ad519ad9704ca97b6ae93ae4940c09a808d7

SHA512
87af4f326509903c49892e3ebcff066abc8239b5be84aebb76613d811d4024b4c39908d07333324037785290aa736c0978e4265110cc5f22e585736de1c86a8a

Download Submit
C:\Windows\SysWOW64\Bbbpenco.exe

Filesize
59KB

MD5
4154cd283c97c5b7a7b110fe089bfdef

SHA1
312c7be835025c1f93fd45533f576a1de7bdae9e

SHA256
1e8c534e468ef2d3aced644a5c4332576fb753ccdee679803d43b68708a8e4a6

SHA512
10f17011cd42cca27e712f735006f8247d22d3c41d426569e0136ff27b9ea2654ee5383f59c8599e9b5d2d602b6c3d46015dde84db815dee28e360ab8c7549c1

Download Submit
C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
59KB

MD5
8b93d3f23b703515f9c4256468389847

SHA1
46562a24b8813ac226194356cf759ef85c8090cb

SHA256
18b14e7fecf58a5315b2ce0c9acfde585a44d70f5f2797518664abd3e21dc285

SHA512
573e5550d91e17dbda2eb0401ef0199f9ce9c9fb13cc01afdf812b948695fdaecb0a50ed88f3fb4cb329811c7b824947610167f6641de23acf59c259c82019a2

Download Submit
C:\Windows\SysWOW64\Bchfhfeh.exe

Filesize
59KB

MD5
793ba98c8cdccdcba71e6a511504e114

SHA1
f863d4721dde27e5bf134e04a022388beaee21b6

SHA256
b6247bdacb2cb359d0fa2833a492d89cc99e2a579a4f7dfc82165e62612b61fa

SHA512
7cfadbab526fb57d76a9f31ddbbdb045de9e0ebb69067ba71a80d188f7cb32245be175efdc9806a4030212748e1fb749aa85bf329c392d5be87a736f9b849c75

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
59KB

MD5
42a0aeff9dce053f3290271f01829b92

SHA1
5cb0c456f7c3e1c5dd6915810e53eb02b73c3cba

SHA256
ac22bc55cf9c4bd7dae76d484c262d4eedfe48252fec0e1edcc34a1600aa0428

SHA512
f5208af24381b64433eed5466b73cb11950c51313ba082a92c5dc5ea4338771fe5639deb3374158f27fcfe9d403f178abf2f1c7cfcf6ba1771d1aaa6eef43c6b

Download Submit
C:\Windows\SysWOW64\Bdcifi32.exe

Filesize
59KB

MD5
4e42301d2962921360110cfeaf1504f0

SHA1
1ed6fffc23a9d838160b307a19e27625a9fee985

SHA256
001743a801bdada6fb864efc83b9d9badeb8609afd1fe193e436ba53d6dea8e9

SHA512
1f37800f81d84c9ae2182520ce4d70deac32fa24e429643006a2595ae7265efee228a3ac0d944cd09e9192a70af2ef3c9fc73961f8b556d00f776e6edaee7a3d

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
59KB

MD5
84ec3babad871ac0676a2d5e53fb40e5

SHA1
3730edcaf74e58ec746bd4acdb7ed8391a3e2b77

SHA256
f9d91350279240abfe789f5342c2fbb095578f64f16b8ecdfc948b2a25b65c98

SHA512
f997e9000dc8273f0a5c66e41765b022a1030cb5753dd52091033e7022eccf3f4907c8c16d7ff2b2aced9baddd075b9db06632bacbdab72095eaab1d1323126e

Download Submit
C:\Windows\SysWOW64\Bffbdadk.exe

Filesize
59KB

MD5
a629282e531f03fc08569d59f1ca0139

SHA1
966e0793c33ae0c4cee4749bd459e11aa2dd2f7a

SHA256
ce0730ae25e60a0abcdc8b8a6efb9c5cb0c75b77fcb46159aaeecea721977c83

SHA512
4983635f644c91f12ac1a15db4f1292f4eede506904aea6800a80c381e5cf9e38bc2b7d9e7f84a8347340fee8c1c6ebe2867d9cc818812fe274dae9719849a2f

Download Submit
C:\Windows\SysWOW64\Bfioia32.exe

Filesize
59KB

MD5
8ec1d2639601767053e9f5fce5e9a316

SHA1
af6b59807517d61f4aed39b9f3c3a003f6093d64

SHA256
5964708543ed2b6ce424d76e4d096e49740196fed31217877746c01793f2d46a

SHA512
c6a76cd091caa60c661506f10daad216623ab6f02d7b6bd4f474f005857a2692d1fd1e9fb7ff2801c6e75d95172bcc2e2fde5b51801222a1da263c4bf9c43458

Download Submit
C:\Windows\SysWOW64\Bgaebe32.exe

Filesize
59KB

MD5
1b681c2e1cbc93f7f4395c5acdfdc249

SHA1
651633bcd5b139a57d016a3105a4fe507097c74a

SHA256
3c67b166584bc9e6c18e538f3189834e04a8ac2b203334a6d1b3eb98da10b473

SHA512
c761467be73cabdf56606d218a5bcd444f25cf8e630422034fe36ffbc24dcf3a943d841effbb2415ea4c904837942183160260fb6767e57e3c0c8157ff0295af

Download Submit
C:\Windows\SysWOW64\Bgllgedi.exe

Filesize
59KB

MD5
cefd429a88744e270e2ea4fe93b1ff6b

SHA1
db66c6bce10c360770fb78a2b6337df4e8986c5e

SHA256
8fdc6f081062e89c7bdd022505c675ef2b3b9063470bd71a5405c8cb94c8aafc

SHA512
e97f2faf8276206aa5fafbd2424bdf82fbe52a9a2124aaede9d78bdd81d226be823861975500fe38fab8fb9d1a990c7d7d64b9c4152073af655312da4f36fcfb

Download Submit
C:\Windows\SysWOW64\Bigkel32.exe

Filesize
59KB

MD5
dd9d893aa94ed4cda9635e9e328765c1

SHA1
fd91bea8d9f69f0f4725d633d4faec4c4bf7cf7c

SHA256
a70825efcd890b3bbe94ae744186e7c7e9c47aa98a21c6ee6fffe1bbd51b0a69

SHA512
04cf08e48acd837d0af38b79a4e32bedd767e36d77a8968c75cd2d27e09f5993973bedfb3a2412bbfb005fe1f860e5e5e7c30d6e6234799d54e043532b4f006d

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
59KB

MD5
2a8f68d8481cb9364fd9c451e9e89180

SHA1
8a10ec2525c265c9301f0bda4c9c936171453530

SHA256
819c7f0455ee9ea18c4bb13ae5ac149092c3230ec7289aefb457c56c635202f6

SHA512
a3ffa160975fa1517b4dc59078d96c7af96eff009f8d5aefb729fbb3686723b766b604f930298d6585ecc46a25e15d7fe741d68d021f7e270b97eae7d80fbeb2

Download Submit
C:\Windows\SysWOW64\Bjpaop32.exe

Filesize
59KB

MD5
8ecf4c78d3852fd9ced14ce9df52c85d

SHA1
c0677ce5bc2b05528be028e2a8483f1806df4031

SHA256
eff9b481ae5ebd0f54c2d86bedb764706652f1851c0a54d4944681322661d29c

SHA512
9803b0da57c6fbaaf6932b8e65e3b49babf7f307ad18a8a75a089afa793a0d3e96e7c5c2e83d56442c0017d1143ad93df771b87a5db34eb6f2a1cd94ed999146

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
59KB

MD5
df0422a9016bb6f239d1b31f0d41799b

SHA1
1a3de6fb4371856355e7b8f14b604012947a6fb9

SHA256
949de5c2cd98fe7d2dd15007c14f2f9760b5bb40ec3119e7a6e58189cddced42

SHA512
f1019221ae08f55d26c23aba0676921bf5cff540796c1a8827487cea007462c8cc92d6af5ac48b0b4e8c2a12fa9de2ca2058439c9efe60763f08005e6935c0d8

Download Submit
C:\Windows\SysWOW64\Bmnnkl32.exe

Filesize
59KB

MD5
7ddf8d1717bc5e496e099ccddba9a514

SHA1
0b3d4984f788f60f9b70232cda5e3b6b54cfca25

SHA256
26aa24e864a93a32fc73b00102d6b9bd7d9b8bc3b9351a6f8acbbdf3d7d62d7a

SHA512
d124db23963765eb0e8499b5d41eb182ec31f9b375353d4a30776620e6a609831cb3eb4cff97f872bd5e16770d14510caa7b3a3e6db899e29884896767fdea4c

Download Submit
C:\Windows\SysWOW64\Bmpkqklh.exe

Filesize
59KB

MD5
8090a44373253a6d16d1465062fd6edd

SHA1
d8e24efd1eb5203ab5b70fc84e36f5d28a7557a4

SHA256
d96544766fbd4d133f5380e39dd99e87d4d0d12ac51e737e0d58215629968386

SHA512
e3658f1d95b6c917add3443d07cf8c2f2fc7c9de3b2306975cc8cb15928b64215afab16594a9f7dd4c2c398cab3d76d8df5b0ba7155c2aeeb809a859c0734631

Download Submit
C:\Windows\SysWOW64\Bniajoic.exe

Filesize
59KB

MD5
66074eac3dce9a1db449829e654ab01c

SHA1
d7de88f82bfcbba7680d5e6b85f1748bd58a41ac

SHA256
c70d9a1bda3804a90fa2a9b74e3e8cd7bae811e40c32220baa83a6687dc054bd

SHA512
da80f840ed560cd8fb3338b44f86e38048ae6f09ecbd74d6d3edbef0fcfdd159f8ae01adecfa322a106f498b85b38e1325f622e0aedf9e57574d7293e26beca7

Download Submit
C:\Windows\SysWOW64\Boogmgkl.exe

Filesize
59KB

MD5
d770018c832d1b1729762ccfade141ec

SHA1
7ec9c5ea7a6c080a179b861016e4ae09e32d22eb

SHA256
3245f252bee5daa99efa10bbcc1a97822962ac6937fcec415bc8791873478051

SHA512
f8dcae27de0025abee5d361fc0396cea42ffcf50ca26152c141d068877088233078b5bd3cb9f68ca3a1a8170aa0e4e0aef8f3ffa92ce069434b33eea0c8352ed

Download Submit
C:\Windows\SysWOW64\Bqijljfd.exe

Filesize
59KB

MD5
0864e58284e574d07bea5af1de8f9993

SHA1
d63fa7487c0ce80b4e7157e19e4bc2ad7a9d2afe

SHA256
8c9e44af84f0429caa8e7492a83901d28b6af57b1d2f05314445a806caa14eb4

SHA512
0fc46c7ab6dd3c22290c3191757a4df07ed8cf37b4fb67e04ed567540217a8f0250a9912b0a86edf34fe65ea493d9f3e274eab785137af50e4a79d833dca7100

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
59KB

MD5
203e9c746259128b256207f1c1eb4462

SHA1
024d9cbb34ba6d6048ebfbbc8afc295f477ba0ff

SHA256
82d87728ef576887cf793eddffc7f29f05d18cd4c6c8189f5b4f1e6dbf42e400

SHA512
9f3a7753f09310f7f4af8e84b40a5f18635560aac3a27d86269aa507855e5a7f6c559f7d4bab5dc04f92e8269bc45bc51df921002a52b6a926fe343351ceb982

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
59KB

MD5
fa9e0519272d9d3445c46ffb688b96a4

SHA1
f8c36179419110738d77af871ebc4c880811ed98

SHA256
5d4109738623bf928e6e525bca599f4c035b5ff05f95ae80d9763365864377d3

SHA512
6bcea973cb2f98ec2000cb384229cd9bd384cf2bdba77b58e389f0ec256c899d0a5ce068d67e0a6ddd8ce7415fdd9cf7939a82cc4e9050d6855f46b1d4265a7f

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
59KB

MD5
15e76a43d86367fe956bb1bcb81bbb65

SHA1
04f00b711d8874ec6c70bdc27ce9073f1be9540c

SHA256
bc5fb6ee42db83c9621b291736af24b71aac3691a4556a871cc713d15c1a1ece

SHA512
ef0f1aaf53c40b41f2089aa96797a7f8dc22c0dd0b7be690804f2a94bd159a954ab4c05ce63edca8b10b135894c2fea4bd11f20b62ee718cbf3add599600e7e1

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
59KB

MD5
826fe67edc743a954fa5ed5608482dbc

SHA1
6d7b71d3fb62333afffd3f496116b83325dd6cd1

SHA256
8d3dc6826e7641a69ff9a52f089a161adfb6e3421b01cba305d7eb718540fcbf

SHA512
fc3be02a32af8c2240d9e29c9070066bdd80c1e4331543742bbc6cdc472d02b25fbb6af76deeb723403c3036b0d69421ce556b56e611305c6b1dc4b2c6a8973e

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
59KB

MD5
813288d155a26ff2cffd3989eafd204e

SHA1
773648258e416193eaa46e12fa4835d26f955e8d

SHA256
2bb8e945e1684decf923332f8631a2f1a19ae526540c46bbff3c8c1c390ea35c

SHA512
28a1428dd9b0fbb74527fec933928c957c541b8e0bddb4ec5ed3a580ca02dd416322139aaf605c456409fe90b7691c42ccbc6cb9e274ef8ddb823284f37d0eb4

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
59KB

MD5
2c405851ae4655387310a19cff625f1b

SHA1
18cc3af4145ecf8c3b1628ab93372b0181ad5c0c

SHA256
e08ae9fc005f7b267a48eeda124a69ec13e2a74d0d1618f2a168ce95860df85f

SHA512
74e5f9ca028588deca02c95bcbea52ad60b55ff6f3178bad99a54d2afb8c403165846ebf341a6cd028cd917f8852283f8b95a28d0d911382033279b2143a80cd

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
59KB

MD5
28800a9704d5339491f2c6afa454217a

SHA1
f593a8867e57724d69d15b0b254e5dbf8dc7d0dc

SHA256
d811c92caaa1051dd36034e074cf762ebb29b2e343f6ac7f2db4121986fdcb82

SHA512
7d4eaaa6b30925be75c8c1d4a7499713a639b98251220bf058bc7ba6afb1eb51471399cf795c46dfe2c0d3388dcde5e4a95909a402f904c1f45f12afaf893222

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
59KB

MD5
c113979494d0d4b5efab67bc22a24287

SHA1
805ff6d507a448472580d3df045c3b600a4449ed

SHA256
4941f3f1e31f134a62d76828dc08fc6b2b12efc873b2653ff991c3ce75c3c4bf

SHA512
30b5bca9cd16f24600e2eab23c4011d1157356e78072fd8077d9ff1a30be8ab790cb6dc86835868055e567f77a0c55b2fb6402405e56819fc983e63a998e234c

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
59KB

MD5
ac3516e966aba869ec398af68fcd595c

SHA1
4e4ac07e30863c3a936b8e9f896782863d4d7dbf

SHA256
cce698baf3aa92e6ff3e71425a261c72a791a49f5385edb7f2b8e90fc2c055b5

SHA512
49d15c1cdb6a4a3563506fafb378367895eef6114ad80cc315e655d391573d997e4fe2e7562648dd91e938f153f0b4afc46848945e9096d66778b82b6554ed39

Download Submit
C:\Windows\SysWOW64\Cenljmgq.exe

Filesize
59KB

MD5
93b4fbc8863417e3b8c1416743462088

SHA1
d8d38c0cd64a60f93ad15fc1eac74203f0bd0ffc

SHA256
326877c4e978bc7f7a4aa7cf7a61209dff08403686280e6c96139c6bee7902be

SHA512
3a95b84af4d8ea11ab037753fda4ebe478a865774d6c101960986d6b69a6c7c684d134c9bd0eaf423afe064a864a1090e6028ea56c5cae484177297f00f41c37

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
59KB

MD5
f1b225f7e9fe5ceae260ebd73ec11147

SHA1
fec8d488bc2e41794ea8140db07ffbe3b4e16e72

SHA256
a19e80e18b4925ec5112cf80c259f3e34be516079010c77bf5a60496cf2e8682

SHA512
5967bcbc5e707f96bec833b85eb757a762aa127f8a82840cdedc5b60da983a087b2110e319cb38118c5e38884d984a3782f84fcaed42f535d5b2a910478511da

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
59KB

MD5
be27b1f51c9c0531d65ebca1db51ec17

SHA1
4be6066a5fd7e00dafe33b76a2f76182259e5714

SHA256
278dbe953721088db6b7e24bbfd4edecc19d067e2c0cd67901e4f726889c9916

SHA512
b034c16b5f022c9c593d936ae8b1e4427fdc02d36dc194770b28c64ee1013cba317e96a37c1ba4f43be1599137b92b2cd508c487248c60a8f97fc85c0ba87f20

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
59KB

MD5
2bba0158f20f1091fa64de84eae54040

SHA1
d26d30e600d5d935f8a34a65b580d05232d6e664

SHA256
308a1f97a6caf21e53c830c311b50c61e329f061cec6711dfe45456b29a9f71b

SHA512
48a066ef8e47ac537f7ac9bd04960e926f5be65a4a14582f49a7ce7f62fd0fd4719dcbc1f5bf11d352a746e49bad3586632694db9c7590d07a7a604edc001545

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
59KB

MD5
bd373c7c678571ebae198c873b87a506

SHA1
761cbacfb18f7ccf5e94195af0fd911ae457d276

SHA256
65038746c2f11d38c82d8e586618e24db53d762defa5f1e3c65be77c078b5418

SHA512
3859c192868eb418aa66543abab8e2d772f9a1898398af4d6627f2543619254c0cd20a1693a94c697403e87c03f88a055b267e56b279bc39f70e63b3fbc08677

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
59KB

MD5
f901fa0d762b0426df1738c6fb3f6192

SHA1
59073e79b9cfd584b1f4b4143dfedb0d100463a1

SHA256
f945bf7ec3558db7c4d48799e25580da1289b5f7a6e35df1305ff9381bbb164a

SHA512
9e182cef19700ba0b98d168854e774613ed749214285666b051195da38c080476d62f34b71dbb57f4f2809f1c365f5e626bdbda5efdf6eedb66fbc196163dd96

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
59KB

MD5
26ca35d8769d16f1fd11d4016d22cdff

SHA1
8de8993a29929c4779ddad8e26a8c59cfa4d7d73

SHA256
e653d653abf76332f204cab0e7dc5a9ee4eae09a8536700145923ca64921f45f

SHA512
0951991f81e7f01366def54165f2bf9ab27f4bf50faaf475f118686b1302a8da3679a2dba4b5fee7a681341a3bfea8ec5717ba8c18c314dc2411f2ccf7067e93

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
59KB

MD5
86871816e3da2589f789b5f898b13a8b

SHA1
ca2a7fac9c9e9747541d3d3baae214852178eee3

SHA256
fce3a34014b45bc11dc36ca898bd66a5f583c5d280c36c70b2eace8cb14503c1

SHA512
86d0346abf9e3dc0b4f208bdc193938d4b4745cb0a232d82b64ce646ba74dae6a47a9d2b12b5b128c151ec90e58d746a47b703dd2cf039727762f062a471e011

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
59KB

MD5
13cdb840e4aca6893337030f404e7886

SHA1
f3a9483908f4f5dba596c722611fedae11eaa5c2

SHA256
5a3bf4fe1f91a083f1ca5b88147e866bcb19e99c3dae7f514c96614b825b661e

SHA512
748996f2e9ab45fe6b1706539479127d92ead0d03698303e51ebaae3937490be0d19d09d83f70d6cdb5c2bd92a793f30aaae3ab7c8998a1ab7901365a3f3982c

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
59KB

MD5
82ce0c3d52de38875a085015bbad1cd5

SHA1
716fa0ba6f47ab4b44b8cd5a685389eeadc1d5c8

SHA256
69486101e603462524376593dff371fb8bd1ccdbdca56e0d3e29d62ac51bb78e

SHA512
3c0f90836f9795a985592d23aaaa01463d186864ce6a9e7ea44516f78646dc6f56221efd5bb2eccd3457f1212669e2c2d18b3f8994746751a0f98807c1523baf

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
59KB

MD5
a0c4f32eb112c1dd76ba0aa931cd4de6

SHA1
50f9a482c32233e04f3cf16253824ab53dc9af0d

SHA256
5d0d98a30ff17ef5cf87cc799d76fc7b5e5e0f64b62e1d049c8927c20fbf7528

SHA512
503180a4ab679798e3367af9debf1da65513ddac5fbae4ba3ea1689e8af432fd3e70aaa04ac00f9349ce254198effb5d2fd93da2e9b2e54d71baf18f17616dcf

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
59KB

MD5
e1f8fa28999eac99d4076f47c3920f6d

SHA1
0e269b36ff15ca585169a77772f3157be8559f31

SHA256
af73efe378ff77c084543e5762ce7f680dac3dccbc4b4686af61ede97a6aa5bd

SHA512
608ac6ac87ebd8f6c364e682427bacea19773265dc33208b6ededd1a4a5a49953cd6c71bdde5d7d5a4ff84ede79f3b0a4fcf02f1b4afaf7d6dda67fece295b00

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
59KB

MD5
71907caa16663a0204b747688212d4a9

SHA1
5b27b2a55463b166fd61b35fce204a82c065fd2c

SHA256
35b12eb2b85c8a533c1458d6430be5bf77aceba23a2d01d47c886a4ca5ecc6c2

SHA512
0e1d7bc3af476d26997e3050364458d6056927eb5add30ff072657c454513500295b213426a98ad0e03bb933a8fa8ace25a1e425549772421947f6ebbd57cb20

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
59KB

MD5
560f5675a9e7441b039a3e2d70300d3c

SHA1
a2126ad881905859b1fd501942317af7272d8db7

SHA256
39110d997c8ebf8c60a94c9541ff908e6dad903e46d409a2a192facedf20873d

SHA512
5ad7e1bce7291f344bba0ce3a82456e0b35b02b4cf57963617fd442efc6e6f1d54c1957e6f34b9d45b6d5bd4ee80d267adb508834ca157be92dfca80398558de

Download Submit
C:\Windows\SysWOW64\Coacbfii.exe

Filesize
59KB

MD5
b5d653cb127a76e096e2a4b4b3bbbdaf

SHA1
e50ba908ab7dbd4c8fd3772183fe2896f229cf53

SHA256
b2c53c95fe0f7ad86633e3faec1f46007833ff55af8023260fc86bc10b06eb3e

SHA512
0570b9545481c42c0a4a598204ef0c4f22ec99f7c21cd76bfeb0b3d4e130bbcf7d7107d0ca5d3995d42dbcd16e993cfb03b67a07588f98b0612cf6997a0d28fc

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
59KB

MD5
12d086a92a6860e6a4d4ca3661b48c70

SHA1
7f2c305b806499ec1098701304088a255f19f40a

SHA256
9099a4b7c8171bdda386cf88020d807d9684b452dc92a5fdccd5e599ae0c81e2

SHA512
df53e6ec741156cb5a3ba1e1138138f34fb1cdf8ecd2846dec37c437e2e9ce16ffd5aa98aaf12bf01f0439e4258b9e4d99ebbf595a746761b67e485054cea17a

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
59KB

MD5
08fd84bc8de65d23f4fbc8f5de8d2e17

SHA1
fa833f3c9e576a06e4427894533930765488f2aa

SHA256
797b310b74526f2930310f5a80b8cfc64bbe3053e735179716ef9376bddcf658

SHA512
abd55b760952162928230e0399d58524c9fa70a601587b247960ffb81a75452fab8cfce41209e7c9e2868c28f2da36f84aa1e8be86a206df8ac4b95b713baa54

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
59KB

MD5
5c3aef5d79cde6f7e6ae8ae3607eb2da

SHA1
487196ae00e89356621173fd04a7bd0af7d484b5

SHA256
5a18d1ffd30cd6f10600bffcff72060eabde5790de92acb9bbd9974b95a8e809

SHA512
8ea92361c2e7b604fa465095744b705a867c2a63080598cc053f334e8cc41f163a695621a9e4dcc02362fe605460d97a8e81c4ed1d01582de2fb761763a3b731

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
59KB

MD5
a7a8511c36d21a0aa6e157aac13f5b19

SHA1
6566b75317aefd3257e31e45e09ff7fd046c345e

SHA256
0eafc6d65d27bf397b4a67981ef22cdd8387ba2c15fd74a5094f5e44befed53b

SHA512
2cb4027d68e567a74a7d92ae6b87d598ce41d4d8aa24cfc57c5e08ac475a4de6362578df0b625b11149aca69f77e264ac49fe1a32b3642e9efd2a8520ca8516a

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
59KB

MD5
b9ba87f6c28aa1baf1b2d31abc149dcf

SHA1
1b33467590c708c183c7e5e0b478a0cb629ff9d5

SHA256
e2964aaed91b958ba36d9ccc5ab77a17a330d6353fcf7dcb1788f69b6b5c0f21

SHA512
34336f1e858c42d9db1facf2ccb17dba3b4c3abbe9bc5b69c1d69e56457ccab0ee84d637c037dc83973141d88048affd65f427f6689db55a06676f75fbfd8158

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
59KB

MD5
a6fd40cd49187326fa620b3360634bce

SHA1
cbbef5ebf99659bf1a811949bc357a66da8cb757

SHA256
adb3194b3ab89530c1842c28c23729dcb75f38f06530113c4d46aa2001d432a1

SHA512
4fcf20052ec8458975dd08949160774e83acd0f7922720fabed91c70f52a9b91575e901b1f9974b8affca6d064ca3997ae20c5f0b97ca6ac7108d10d336fc5c8

Download Submit
C:\Windows\SysWOW64\Paknelgk.exe

Filesize
59KB

MD5
9185e26692701fcd9bc8dcf03905cef0

SHA1
1d384c0a062bd5a8f0156689bc7b6beb24a9bfc7

SHA256
486fb8e7d8e68ec6d0886a89ebc2869d47fbfab1550e832a029bb165816a5df1

SHA512
e6380508cbfa706232e15acb3ee4920f571681bc3d79f6a9486837ee005b7ab64022c26b865bb1daa077ce7ccec59b844434625964b7efdd7616a5ffcc00a6b0

Download Submit
C:\Windows\SysWOW64\Pdjjag32.exe

Filesize
59KB

MD5
f0b30401b94ee9e09eed029cb689ee20

SHA1
5d57f5be78c15eb22dc095526a2434095b5b831a

SHA256
df233e2978a2cceddedbcb062bdf779554ec7718295309d6e168ac60d0d26a73

SHA512
d5b928cabfcc6d46c0c16ed92ec32ba1fc4260baaf79e33df286f1d6c4e7cfa00f45b70fac12796621575eba6ca6bc1b466e4686321b9d69ad71eb109f1edbfc

Download Submit
C:\Windows\SysWOW64\Pgfjhcge.exe

Filesize
59KB

MD5
cea9bd0c2a0c7b155ecbde93abe8458e

SHA1
c7b0db91017586940ca2de6f1a6b1a2e8f5854cc

SHA256
bae448df766d7f34d540a64a19fed568ebb33dd6b7394c2b228a9a9f72a0de59

SHA512
4ebe1a9c69a8d6d3dff2e06737d2b0380a6c0b46487b5982f7d2a9dd5ce063f347c184cb0051c6ffb3e3f214919f45a005b92fb30940b943daba8d130f81b034

Download Submit
C:\Windows\SysWOW64\Pkaehb32.exe

Filesize
59KB

MD5
c678bd4e4f3718179c58b77a724f1235

SHA1
11aac9af28c31dd8b0aa6681d67a540fbbca68bc

SHA256
06febc9ea2e5d2cb3c5f64f4b3c305f07b8092d230ffe48f772d8012d105d860

SHA512
98a1a2e8236ff869e9ffae670c578b8657f8a6052f2fe86d3059e8e2ad551dd4e4415c5383d802b6d6a806e4f7eb61f0c19950e3a696e046be8940c0eba43dc0

Download Submit
C:\Windows\SysWOW64\Pkcbnanl.exe

Filesize
59KB

MD5
ba4ba3c02d13bfa45ad17e1db49ea383

SHA1
11700fc35ff143d59f3ca99315ed5b63863f2596

SHA256
b42c6c29fdec48d90bb55aeace9c31c2502bf4444dbabfb3bb55fb4a1798ca19

SHA512
809116e469caac19f18bf746904e7fb0880a52566e7a0234fae1ae9212a778083788811626e1cc0000f9554a87b43fc77ac13397ea913a07d2e2f01e9ab50dd1

Download Submit
C:\Windows\SysWOW64\Qcogbdkg.exe

Filesize
59KB

MD5
7c2443ed9959202a6ab395356e89d3cf

SHA1
77c7b4d2fd6a79f220e35eefe92dbc22c8027b97

SHA256
0269e35bde3c998ccfeb8df954ca15b190a40b1610df5778e0a4a90b24cd7fb8

SHA512
106b8f6abeb5a5698f5585294af40a0ad14e3b897364c9f0b52f0fb8c5e7ea6d766caa052493e9d24a9cf193ca52e1357c4ec77c4f6c7fa0e9c1c41e6c7e73e0

Download Submit
C:\Windows\SysWOW64\Qdncmgbj.exe

Filesize
59KB

MD5
ca163169521590aa74dadd6c7cd2ff0e

SHA1
bffdc12b169b9233eba41a137c4b784013ac05eb

SHA256
a12aac2896149bc116692dc9b997a1950075b4ece76296db4771a006abd39854

SHA512
37ec0ae65f12bbb355edf8f529bbe8815b7c00230b0d630d99eaec447f0b3a6b13188bcb934f93e9d0bab43d1675dc23cf0d048fa2de15e250b4c52db15399e3

Download Submit
C:\Windows\SysWOW64\Qeppdo32.exe

Filesize
59KB

MD5
13b0d3237720d4753e8540026c5a3fff

SHA1
f658f1351953124d8add9c8f95a3b1a4e4686dbe

SHA256
176b38d317ca77243efed04f34f250d27ddaddda1d1b1281aed881b3905adeea

SHA512
0d33d0dcb8a1aadfd507fee0962db73b262b89623a079019c2f946bbba4ad84f338f319d20a1edd8ea861b766ed0ee351bd0e0a1732fc9f34a86c46490c9c10c

Download Submit
C:\Windows\SysWOW64\Qkfocaki.exe

Filesize
59KB

MD5
5f7f4b8d817c3e9fe9063bafff9bc819

SHA1
1b72cca5b9c1f205b395a36715f760040e890fbc

SHA256
0345fb8d342ae6342c9114594b2ced010d79de9ee71a3a3a0a99a3c265e048b7

SHA512
4c2b321d8fcf63a617b41d3344eca4b0c534dfd2bbc0c788fe4446a5ef74d39badda30f88da4bf0a85af7526054674630bb71b191202c65feabe2ad88dc5cb6f

Download Submit
C:\Windows\SysWOW64\Qndkpmkm.exe

Filesize
59KB

MD5
08de39c77a3df29e3c2617ee3d1641de

SHA1
3336684a3cf2ff2f945aef1bd15e466d535cfab1

SHA256
1365123c6a05220dbc7746b29533b3aab72e2018675d6787e2fef1ed7917031f

SHA512
eeb3f1c7bcc3c49d5d2fca72434e89be380e31851178e3d89ff01799ff81838388358265532dbdbdf4bcb3e9a43e68c439335d9554e516063f686420aba6eaa1

Download Submit
C:\Windows\SysWOW64\Qnghel32.exe

Filesize
59KB

MD5
420cb15c39c0fdef1c7d44dbf8adbeab

SHA1
d831c37993dec89eac5a1f568e88d70b7e3820b3

SHA256
eea46ecf2fe670d7278e9215ae8ed83c8f7ea390afebb5e65c1a116c7e853d04

SHA512
f8eabbde0d367810266307cbdc1547eeb5752cf073ebef390c895f1b01ff9ca72d085d97114fa698b508e7239472b625b158ca6ce9aa74bb6653175a331952ae

Download Submit
C:\Windows\SysWOW64\Qpbglhjq.exe

Filesize
59KB

MD5
4c00e5c54d7d3fa13aa3b7a95feddaf8

SHA1
1986ead4624fca018a5cdb98057776c2274cf542

SHA256
4a73270b79db8101ff0ee6b4ad5fe3f2ba6d68567ee493c034173d12606ee404

SHA512
bef665d70074c49aa64a326a5a93ec677831befeb9756b4ca50733a457b6c83467523dbf30262d5c09ac4eaa9e5db19933d74e558c6eb23aa4b788407a819fd5

Download Submit
C:\Windows\SysWOW64\Qppkfhlc.exe

Filesize
59KB

MD5
5161682518fd18f02e0eaa544560ba25

SHA1
1918652abf23aad5c28d2346dc5d77f0a17cae48

SHA256
cf31787b5aa7b768c8bcabe99d344bd96a96da7defb1bd724f3122e2a5f564aa

SHA512
f27269844c53913f1db7adc37e166a5042749763933d6ae54af68da75e823c99c58b9ae6605c6304b14c59297a99d4ed6c0d9d7ac84bb612d7cc54ec79cbd254

Download Submit
\Windows\SysWOW64\Pcljmdmj.exe

Filesize
59KB

MD5
e757fe7e3b162b86ff728b25282e2952

SHA1
2a474ea693b944eac893eaa15f6182274f0ab191

SHA256
889a607a27f4fa327c21fc5da25bbd29cbddcef45b4c0552ffe05bd4eef9a475

SHA512
6872d51e38aa228692b4c7748285768702674e43aa037ee5c269550c562871ce53d81ee28ec4f7f4f9d7d40520efb38e5c557d6413e9edcc99aa5d9ee47e53dd

Download Submit
\Windows\SysWOW64\Pdgmlhha.exe

Filesize
59KB

MD5
03308689f6ef7d12da5b125784aeb8a8

SHA1
7b68067a691dd198bf37b56d60f61548b68f3c0f

SHA256
f0377e8a205eb693bbfdceca62f151082407d9fe2e56c1c2ed825680ed285218

SHA512
806c2b317ceb13081693cf8d87109fb889f0936a185936075af7b266551712b2c22641b087acfe52ffc3e63f3493657ffcbfbd3ce558aabbf0dfbdc0ffe65190

Download Submit
\Windows\SysWOW64\Pnbojmmp.exe

Filesize
59KB

MD5
eb3e45b5fbcca60c888fd5c81f8aea38

SHA1
e99be6d08ff91e641d2debea2c856a01d511a3b3

SHA256
6b4af05757685e3016c232c7450f839e0869505b5af8c9326b800102cb146a5a

SHA512
34b44ae38a48d45404fe60d175c43643b25acbb3d23670b308f69e2cac6513e9818a991e3812871d330103a8bd8d4c49a6f730ee2bfece558a41e89f4b40f6c6

Download Submit
memory/348-474-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/348-168-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/592-390-0x0000000001F60000-0x0000000001F95000-memory.dmp

Filesize
212KB

Download
memory/592-380-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/832-233-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/840-209-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/840-509-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/844-445-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1276-274-0x00000000005D0000-0x0000000000605000-memory.dmp

Filesize
212KB

Download
memory/1276-273-0x00000000005D0000-0x0000000000605000-memory.dmp

Filesize
212KB

Download
memory/1556-310-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1556-315-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1556-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1564-500-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1696-285-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1696-281-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1696-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1756-35-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1756-27-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1756-385-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1816-457-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1832-239-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/1832-243-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/1892-498-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/1892-489-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1916-468-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1916-475-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/1960-147-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1960-467-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1960-160-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2008-188-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2008-196-0x00000000005D0000-0x0000000000605000-memory.dmp

Filesize
212KB

Download
memory/2008-499-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2024-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2024-12-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2024-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2024-7-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2056-391-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2056-401-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2056-402-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2176-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2208-264-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2208-260-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2384-295-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2384-291-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2412-48-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2412-396-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2420-106-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2420-446-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2420-114-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2424-244-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2424-254-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2424-250-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2428-332-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2428-326-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2428-336-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2508-425-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2508-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2536-413-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/2536-414-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/2536-404-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2604-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2704-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2704-88-0x0000000001F40000-0x0000000001F75000-memory.dmp

Filesize
212KB

Download
memory/2704-426-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2720-345-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2720-346-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2732-79-0x00000000005D0000-0x0000000000605000-memory.dmp

Filesize
212KB

Download
memory/2732-421-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2740-61-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2740-403-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2768-146-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2768-133-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2768-463-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2784-427-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-325-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2804-379-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2804-368-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2832-370-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2832-369-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2832-367-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2852-488-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2852-187-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2852-174-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2860-510-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2876-456-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2876-132-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2896-447-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2904-483-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2908-516-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2908-221-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/3024-304-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/3048-358-0x00000000005D0000-0x0000000000605000-memory.dmp

Filesize
212KB

Download
memory/3048-357-0x00000000005D0000-0x0000000000605000-memory.dmp

Filesize
212KB

Download
memory/3048-348-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads