berbew | 349ccb01a1e17e25c77fc7fc36d77ed8fb5ca8346e2bfc87924ce0e63e065475

Analysis

max time kernel
26s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/12/2024, 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

349ccb01a1e17e25c77fc7fc36d77ed8fb5ca8346e2bfc87924ce0e63e065475N.exe
Size

74KB
MD5

f0cb92b41230abe4ac8139266a5e08a0
SHA1

e3a6d34178a2a8444f6975cae9943fc6a60443c8
SHA256

349ccb01a1e17e25c77fc7fc36d77ed8fb5ca8346e2bfc87924ce0e63e065475
SHA512

f6b2b830a0b2958a53e68d75bf1da4a3f8d43425f77168ca1c5d941f46c2a97f2a87e32a130b2ff68ee7e9407e4d0297560cc71630faac9b1f312ce056f0ae54
SSDEEP

1536:BELY4mnpKhVMcGCq7IdrQBeOJA8FGkLwLAM636uMSmjp:FKhyNCq8NQYyMhl63M9p

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aganeoip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afiglkle.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oappcfmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfikmh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijpnfif.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odoloalf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmjqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abphal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohendqhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oancnfoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqjfoa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aniimjbo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	349ccb01a1e17e25c77fc7fc36d77ed8fb5ca8346e2bfc87924ce0e63e065475N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqjfoa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aganeoip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcfefmnk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmjqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oopfakpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnagk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afiglkle.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaolidlk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogmhkmki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qngmgjeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqeicede.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmlmic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pihgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aniimjbo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcdipnqn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfpnmj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acpdko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aajbne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcdipnqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjpnbg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2720	Oegbheiq.exe
3048	Ohendqhd.exe
2700	Oopfakpa.exe
2660	Oancnfoe.exe
592	Ogkkfmml.exe
580	Oappcfmb.exe
2404	Odoloalf.exe
1228	Ogmhkmki.exe
2932	Pjldghjm.exe
468	Pmjqcc32.exe
2908	Pcdipnqn.exe
2768	Pfbelipa.exe
1064	Pmlmic32.exe
2008	Pcfefmnk.exe
2032	Pfdabino.exe
1476	Pjpnbg32.exe
408	Pqjfoa32.exe
1284	Pcibkm32.exe
1724	Pbkbgjcc.exe
1352	Piekcd32.exe
1536	Pkdgpo32.exe
1704	Pfikmh32.exe
996	Pihgic32.exe
1644	Pndpajgd.exe
3068	Qflhbhgg.exe
2712	Qijdocfj.exe
2132	Qgmdjp32.exe
2664	Qngmgjeb.exe
2604	Qqeicede.exe
320	Qjnmlk32.exe
2980	Aniimjbo.exe
2108	Acfaeq32.exe
1860	Aganeoip.exe
2964	Amnfnfgg.exe
2972	Aajbne32.exe
2936	Afgkfl32.exe
2352	Annbhi32.exe
1612	Agfgqo32.exe
1288	Afiglkle.exe
2168	Aaolidlk.exe
2548	Apalea32.exe
2204	Abphal32.exe
704	Aijpnfif.exe
1944	Alhmjbhj.exe
1528	Acpdko32.exe
2196	Afnagk32.exe
852	Bmhideol.exe
892	Bmhideol.exe
1896	Blkioa32.exe
1588	Bbdallnd.exe
3064	Bfpnmj32.exe
3020	Becnhgmg.exe
1244	Bhajdblk.exe
556	Bphbeplm.exe
1048	Bnkbam32.exe
2928	Bbgnak32.exe
2948	Bajomhbl.exe
2872	Bhdgjb32.exe
1156	Bjbcfn32.exe
2104	Bbikgk32.exe
2556	Behgcf32.exe
844	Bdkgocpm.exe
1608	Bhfcpb32.exe
288	Blaopqpo.exe

Loads dropped DLL 64 IoCs

pid	Process
2884	349ccb01a1e17e25c77fc7fc36d77ed8fb5ca8346e2bfc87924ce0e63e065475N.exe
2884	349ccb01a1e17e25c77fc7fc36d77ed8fb5ca8346e2bfc87924ce0e63e065475N.exe
2720	Oegbheiq.exe
2720	Oegbheiq.exe
3048	Ohendqhd.exe
3048	Ohendqhd.exe
2700	Oopfakpa.exe
2700	Oopfakpa.exe
2660	Oancnfoe.exe
2660	Oancnfoe.exe
592	Ogkkfmml.exe
592	Ogkkfmml.exe
580	Oappcfmb.exe
580	Oappcfmb.exe
2404	Odoloalf.exe
2404	Odoloalf.exe
1228	Ogmhkmki.exe
1228	Ogmhkmki.exe
2932	Pjldghjm.exe
2932	Pjldghjm.exe
468	Pmjqcc32.exe
468	Pmjqcc32.exe
2908	Pcdipnqn.exe
2908	Pcdipnqn.exe
2768	Pfbelipa.exe
2768	Pfbelipa.exe
1064	Pmlmic32.exe
1064	Pmlmic32.exe
2008	Pcfefmnk.exe
2008	Pcfefmnk.exe
2032	Pfdabino.exe
2032	Pfdabino.exe
1476	Pjpnbg32.exe
1476	Pjpnbg32.exe
408	Pqjfoa32.exe
408	Pqjfoa32.exe
1284	Pcibkm32.exe
1284	Pcibkm32.exe
1724	Pbkbgjcc.exe
1724	Pbkbgjcc.exe
1352	Piekcd32.exe
1352	Piekcd32.exe
1536	Pkdgpo32.exe
1536	Pkdgpo32.exe
1704	Pfikmh32.exe
1704	Pfikmh32.exe
996	Pihgic32.exe
996	Pihgic32.exe
1644	Pndpajgd.exe
1644	Pndpajgd.exe
3068	Qflhbhgg.exe
3068	Qflhbhgg.exe
2712	Qijdocfj.exe
2712	Qijdocfj.exe
2132	Qgmdjp32.exe
2132	Qgmdjp32.exe
2664	Qngmgjeb.exe
2664	Qngmgjeb.exe
2604	Qqeicede.exe
2604	Qqeicede.exe
320	Qjnmlk32.exe
320	Qjnmlk32.exe
2980	Aniimjbo.exe
2980	Aniimjbo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mbkbki32.dll	Annbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Pfikmh32.exe	Pkdgpo32.exe
File created	C:\Windows\SysWOW64\Jbodgd32.dll	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Bbikgk32.exe	Bjbcfn32.exe
File opened for modification	C:\Windows\SysWOW64\Ogkkfmml.exe	Oancnfoe.exe
File created	C:\Windows\SysWOW64\Qqeicede.exe	Qngmgjeb.exe
File opened for modification	C:\Windows\SysWOW64\Aniimjbo.exe	Qjnmlk32.exe
File created	C:\Windows\SysWOW64\Annbhi32.exe	Afgkfl32.exe
File opened for modification	C:\Windows\SysWOW64\Pcdipnqn.exe	Pmjqcc32.exe
File created	C:\Windows\SysWOW64\Ilfila32.dll	Pkdgpo32.exe
File opened for modification	C:\Windows\SysWOW64\Ogmhkmki.exe	Odoloalf.exe
File created	C:\Windows\SysWOW64\Cfgheegc.dll	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Afiglkle.exe	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Lapefgai.dll	Pbkbgjcc.exe
File opened for modification	C:\Windows\SysWOW64\Acpdko32.exe	Alhmjbhj.exe
File created	C:\Windows\SysWOW64\Baohhgnf.exe	Bjdplm32.exe
File opened for modification	C:\Windows\SysWOW64\Pbkbgjcc.exe	Pcibkm32.exe
File opened for modification	C:\Windows\SysWOW64\Aaolidlk.exe	Afiglkle.exe
File created	C:\Windows\SysWOW64\Pmlmic32.exe	Pfbelipa.exe
File created	C:\Windows\SysWOW64\Cophek32.dll	Aajbne32.exe
File opened for modification	C:\Windows\SysWOW64\Afnagk32.exe	Acpdko32.exe
File opened for modification	C:\Windows\SysWOW64\Pkdgpo32.exe	Piekcd32.exe
File opened for modification	C:\Windows\SysWOW64\Aganeoip.exe	Acfaeq32.exe
File opened for modification	C:\Windows\SysWOW64\Bphbeplm.exe	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Jmogdj32.dll	Qjnmlk32.exe
File opened for modification	C:\Windows\SysWOW64\Aajbne32.exe	Amnfnfgg.exe
File created	C:\Windows\SysWOW64\Fhbhji32.dll	Bbgnak32.exe
File created	C:\Windows\SysWOW64\Ndmjqgdd.dll	Bmeimhdj.exe
File opened for modification	C:\Windows\SysWOW64\Odoloalf.exe	Oappcfmb.exe
File created	C:\Windows\SysWOW64\Bmhideol.exe	Bmhideol.exe
File created	C:\Windows\SysWOW64\Bfpnmj32.exe	Bbdallnd.exe
File created	C:\Windows\SysWOW64\Blaopqpo.exe	Bhfcpb32.exe
File opened for modification	C:\Windows\SysWOW64\Cpceidcn.exe	Bmeimhdj.exe
File opened for modification	C:\Windows\SysWOW64\Qngmgjeb.exe	Qgmdjp32.exe
File created	C:\Windows\SysWOW64\Bmeimhdj.exe	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Cjnolikh.dll	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Pbkbgjcc.exe	Pcibkm32.exe
File created	C:\Windows\SysWOW64\Aobcmana.dll	Pihgic32.exe
File created	C:\Windows\SysWOW64\Bmhideol.exe	Afnagk32.exe
File opened for modification	C:\Windows\SysWOW64\Bajomhbl.exe	Bbgnak32.exe
File opened for modification	C:\Windows\SysWOW64\Bejdiffp.exe	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Pcdipnqn.exe	Pmjqcc32.exe
File created	C:\Windows\SysWOW64\Dnabbkhk.dll	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Kedakjgc.dll	Oancnfoe.exe
File created	C:\Windows\SysWOW64\Ocdneocc.dll	Pjldghjm.exe
File opened for modification	C:\Windows\SysWOW64\Pmlmic32.exe	Pfbelipa.exe
File created	C:\Windows\SysWOW64\Gneolbel.dll	Pjpnbg32.exe
File created	C:\Windows\SysWOW64\Paenhpdh.dll	Pqjfoa32.exe
File created	C:\Windows\SysWOW64\Acpdko32.exe	Alhmjbhj.exe
File opened for modification	C:\Windows\SysWOW64\Becnhgmg.exe	Bfpnmj32.exe
File created	C:\Windows\SysWOW64\Bphbeplm.exe	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Oegbheiq.exe	349ccb01a1e17e25c77fc7fc36d77ed8fb5ca8346e2bfc87924ce0e63e065475N.exe
File created	C:\Windows\SysWOW64\Mabanhgg.dll	Chkmkacq.exe
File created	C:\Windows\SysWOW64\Igciil32.dll	Pcibkm32.exe
File opened for modification	C:\Windows\SysWOW64\Pihgic32.exe	Pfikmh32.exe
File created	C:\Windows\SysWOW64\Qijdocfj.exe	Qflhbhgg.exe
File created	C:\Windows\SysWOW64\Ehieciqq.dll	Bnkbam32.exe
File created	C:\Windows\SysWOW64\Nmmfff32.dll	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Bfbdiclb.dll	Pmjqcc32.exe
File created	C:\Windows\SysWOW64\Mlcpdacl.dll	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Pdiadenf.dll	Bfpnmj32.exe
File opened for modification	C:\Windows\SysWOW64\Pcfefmnk.exe	Pmlmic32.exe
File opened for modification	C:\Windows\SysWOW64\Ckiigmcd.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Ogkkfmml.exe	Oancnfoe.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2496	2792	WerFault.exe	107

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdgjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhfcpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oopfakpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piekcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijpnfif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdallnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbgnak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajomhbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdipnqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qijdocfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkbam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baohhgnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkkfmml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apalea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfaeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agfgqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	349ccb01a1e17e25c77fc7fc36d77ed8fb5ca8346e2bfc87924ce0e63e065475N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oegbheiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkmkacq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbcfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaolidlk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjldghjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcfefmnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afgkfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alhmjbhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhideol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfbelipa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfikmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oappcfmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhideol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkdgpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfpnmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpceidcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmjqcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmlmic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqjfoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aniimjbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oancnfoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogmhkmki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhajdblk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjpnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcibkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqeicede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajbne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pndpajgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgmdjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afiglkle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgechbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohendqhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pihgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acpdko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfeppop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaopqpo.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	349ccb01a1e17e25c77fc7fc36d77ed8fb5ca8346e2bfc87924ce0e63e065475N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odoloalf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgfkcnlb.dll"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmjqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbkakib.dll"	Pcfefmnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aalpaf32.dll"	Pfdabino.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgmdjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfpnmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogkkfmml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfobiqka.dll"	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgkeald.dll"	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcohbnpe.dll"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll"	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfbdiclb.dll"	Pmjqcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmjqgdd.dll"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Behgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjnolikh.dll"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgjcep32.dll"	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdiadenf.dll"	Bfpnmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepiihgc.dll"	Pfikmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cophek32.dll"	Aajbne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmdic32.dll"	Qflhbhgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfpnmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	349ccb01a1e17e25c77fc7fc36d77ed8fb5ca8346e2bfc87924ce0e63e065475N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhpjaq32.dll"	Oappcfmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcdipnqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abacpl32.dll"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aceobl32.dll"	Pmlmic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmnek32.dll"	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkbki32.dll"	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmfff32.dll"	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oopfakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qngmgjeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjpnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjcfnhk.dll"	Qngmgjeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljhcccai.dll"	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plgifc32.dll"	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfaka32.dll"	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	349ccb01a1e17e25c77fc7fc36d77ed8fb5ca8346e2bfc87924ce0e63e065475N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2720	2884	349ccb01a1e17e25c77fc7fc36d77ed8fb5ca8346e2bfc87924ce0e63e065475N.exe	30
PID 2884 wrote to memory of 2720	2884	349ccb01a1e17e25c77fc7fc36d77ed8fb5ca8346e2bfc87924ce0e63e065475N.exe	30
PID 2884 wrote to memory of 2720	2884	349ccb01a1e17e25c77fc7fc36d77ed8fb5ca8346e2bfc87924ce0e63e065475N.exe	30
PID 2884 wrote to memory of 2720	2884	349ccb01a1e17e25c77fc7fc36d77ed8fb5ca8346e2bfc87924ce0e63e065475N.exe	30
PID 2720 wrote to memory of 3048	2720	Oegbheiq.exe	31
PID 2720 wrote to memory of 3048	2720	Oegbheiq.exe	31
PID 2720 wrote to memory of 3048	2720	Oegbheiq.exe	31
PID 2720 wrote to memory of 3048	2720	Oegbheiq.exe	31
PID 3048 wrote to memory of 2700	3048	Ohendqhd.exe	32
PID 3048 wrote to memory of 2700	3048	Ohendqhd.exe	32
PID 3048 wrote to memory of 2700	3048	Ohendqhd.exe	32
PID 3048 wrote to memory of 2700	3048	Ohendqhd.exe	32
PID 2700 wrote to memory of 2660	2700	Oopfakpa.exe	33
PID 2700 wrote to memory of 2660	2700	Oopfakpa.exe	33
PID 2700 wrote to memory of 2660	2700	Oopfakpa.exe	33
PID 2700 wrote to memory of 2660	2700	Oopfakpa.exe	33
PID 2660 wrote to memory of 592	2660	Oancnfoe.exe	34
PID 2660 wrote to memory of 592	2660	Oancnfoe.exe	34
PID 2660 wrote to memory of 592	2660	Oancnfoe.exe	34
PID 2660 wrote to memory of 592	2660	Oancnfoe.exe	34
PID 592 wrote to memory of 580	592	Ogkkfmml.exe	35
PID 592 wrote to memory of 580	592	Ogkkfmml.exe	35
PID 592 wrote to memory of 580	592	Ogkkfmml.exe	35
PID 592 wrote to memory of 580	592	Ogkkfmml.exe	35
PID 580 wrote to memory of 2404	580	Oappcfmb.exe	36
PID 580 wrote to memory of 2404	580	Oappcfmb.exe	36
PID 580 wrote to memory of 2404	580	Oappcfmb.exe	36
PID 580 wrote to memory of 2404	580	Oappcfmb.exe	36
PID 2404 wrote to memory of 1228	2404	Odoloalf.exe	37
PID 2404 wrote to memory of 1228	2404	Odoloalf.exe	37
PID 2404 wrote to memory of 1228	2404	Odoloalf.exe	37
PID 2404 wrote to memory of 1228	2404	Odoloalf.exe	37
PID 1228 wrote to memory of 2932	1228	Ogmhkmki.exe	38
PID 1228 wrote to memory of 2932	1228	Ogmhkmki.exe	38
PID 1228 wrote to memory of 2932	1228	Ogmhkmki.exe	38
PID 1228 wrote to memory of 2932	1228	Ogmhkmki.exe	38
PID 2932 wrote to memory of 468	2932	Pjldghjm.exe	39
PID 2932 wrote to memory of 468	2932	Pjldghjm.exe	39
PID 2932 wrote to memory of 468	2932	Pjldghjm.exe	39
PID 2932 wrote to memory of 468	2932	Pjldghjm.exe	39
PID 468 wrote to memory of 2908	468	Pmjqcc32.exe	40
PID 468 wrote to memory of 2908	468	Pmjqcc32.exe	40
PID 468 wrote to memory of 2908	468	Pmjqcc32.exe	40
PID 468 wrote to memory of 2908	468	Pmjqcc32.exe	40
PID 2908 wrote to memory of 2768	2908	Pcdipnqn.exe	41
PID 2908 wrote to memory of 2768	2908	Pcdipnqn.exe	41
PID 2908 wrote to memory of 2768	2908	Pcdipnqn.exe	41
PID 2908 wrote to memory of 2768	2908	Pcdipnqn.exe	41
PID 2768 wrote to memory of 1064	2768	Pfbelipa.exe	42
PID 2768 wrote to memory of 1064	2768	Pfbelipa.exe	42
PID 2768 wrote to memory of 1064	2768	Pfbelipa.exe	42
PID 2768 wrote to memory of 1064	2768	Pfbelipa.exe	42
PID 1064 wrote to memory of 2008	1064	Pmlmic32.exe	43
PID 1064 wrote to memory of 2008	1064	Pmlmic32.exe	43
PID 1064 wrote to memory of 2008	1064	Pmlmic32.exe	43
PID 1064 wrote to memory of 2008	1064	Pmlmic32.exe	43
PID 2008 wrote to memory of 2032	2008	Pcfefmnk.exe	44
PID 2008 wrote to memory of 2032	2008	Pcfefmnk.exe	44
PID 2008 wrote to memory of 2032	2008	Pcfefmnk.exe	44
PID 2008 wrote to memory of 2032	2008	Pcfefmnk.exe	44
PID 2032 wrote to memory of 1476	2032	Pfdabino.exe	45
PID 2032 wrote to memory of 1476	2032	Pfdabino.exe	45
PID 2032 wrote to memory of 1476	2032	Pfdabino.exe	45
PID 2032 wrote to memory of 1476	2032	Pfdabino.exe	45

C:\Users\Admin\AppData\Local\Temp\349ccb01a1e17e25c77fc7fc36d77ed8fb5ca8346e2bfc87924ce0e63e065475N.exe
"C:\Users\Admin\AppData\Local\Temp\349ccb01a1e17e25c77fc7fc36d77ed8fb5ca8346e2bfc87924ce0e63e065475N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\Oegbheiq.exe
  C:\Windows\system32\Oegbheiq.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\Ohendqhd.exe
    C:\Windows\system32\Ohendqhd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\SysWOW64\Oopfakpa.exe
      C:\Windows\system32\Oopfakpa.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\SysWOW64\Oancnfoe.exe
        
        C:\Windows\system32\Oancnfoe.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Windows\SysWOW64\Ogkkfmml.exe
        
        C:\Windows\system32\Ogkkfmml.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\Oappcfmb.exe
        
        C:\Windows\system32\Oappcfmb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Windows\SysWOW64\Odoloalf.exe
        
        C:\Windows\system32\Odoloalf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Ogmhkmki.exe
        
        C:\Windows\system32\Ogmhkmki.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\Pjldghjm.exe
        
        C:\Windows\system32\Pjldghjm.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Pmjqcc32.exe
        
        C:\Windows\system32\Pmjqcc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Pcdipnqn.exe
        
        C:\Windows\system32\Pcdipnqn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Pfbelipa.exe
        
        C:\Windows\system32\Pfbelipa.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Pmlmic32.exe
        
        C:\Windows\system32\Pmlmic32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Pcfefmnk.exe
        
        C:\Windows\system32\Pcfefmnk.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Pfdabino.exe
        
        C:\Windows\system32\Pfdabino.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Pjpnbg32.exe
        
        C:\Windows\system32\Pjpnbg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Pqjfoa32.exe
        
        C:\Windows\system32\Pqjfoa32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\Pcibkm32.exe
        
        C:\Windows\system32\Pcibkm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        C:\Windows\SysWOW64\Pbkbgjcc.exe
        
        C:\Windows\system32\Pbkbgjcc.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1724
        
        C:\Windows\SysWOW64\Piekcd32.exe
        
        C:\Windows\system32\Piekcd32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Windows\SysWOW64\Pkdgpo32.exe
        
        C:\Windows\system32\Pkdgpo32.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Pfikmh32.exe
        
        C:\Windows\system32\Pfikmh32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Pihgic32.exe
        
        C:\Windows\system32\Pihgic32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Windows\SysWOW64\Pndpajgd.exe
        
        C:\Windows\system32\Pndpajgd.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\Qflhbhgg.exe
        
        C:\Windows\system32\Qflhbhgg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Qijdocfj.exe
        
        C:\Windows\system32\Qijdocfj.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Qgmdjp32.exe
        
        C:\Windows\system32\Qgmdjp32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Qngmgjeb.exe
        
        C:\Windows\system32\Qngmgjeb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Qqeicede.exe
        
        C:\Windows\system32\Qqeicede.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Windows\SysWOW64\Qjnmlk32.exe
        
        C:\Windows\system32\Qjnmlk32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:320
        
        C:\Windows\SysWOW64\Aniimjbo.exe
        
        C:\Windows\system32\Aniimjbo.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Acfaeq32.exe
        
        C:\Windows\system32\Acfaeq32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Aganeoip.exe
        
        C:\Windows\system32\Aganeoip.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1860
        
        C:\Windows\SysWOW64\Amnfnfgg.exe
        
        C:\Windows\system32\Amnfnfgg.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Aajbne32.exe
        
        C:\Windows\system32\Aajbne32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Afgkfl32.exe
        
        C:\Windows\system32\Afgkfl32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\Annbhi32.exe
        
        C:\Windows\system32\Annbhi32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Agfgqo32.exe
        
        C:\Windows\system32\Agfgqo32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Afiglkle.exe
        
        C:\Windows\system32\Afiglkle.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Aaolidlk.exe
        
        C:\Windows\system32\Aaolidlk.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\Apalea32.exe
        
        C:\Windows\system32\Apalea32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Abphal32.exe
        
        C:\Windows\system32\Abphal32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2204
        
        C:\Windows\SysWOW64\Aijpnfif.exe
        
        C:\Windows\system32\Aijpnfif.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:704
        
        C:\Windows\SysWOW64\Alhmjbhj.exe
        
        C:\Windows\system32\Alhmjbhj.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\Acpdko32.exe
        
        C:\Windows\system32\Acpdko32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Afnagk32.exe
        
        C:\Windows\system32\Afnagk32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\Bmhideol.exe
        
        C:\Windows\system32\Bmhideol.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Bmhideol.exe
        
        C:\Windows\system32\Bmhideol.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\Blkioa32.exe
        
        C:\Windows\system32\Blkioa32.exe
        50⤵
        Executes dropped EXE
        
        PID:1896
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\Bbdallnd.exe
        
        C:\Windows\system32\Bbdallnd.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Bfpnmj32.exe
        
        C:\Windows\system32\Bfpnmj32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Becnhgmg.exe
        
        C:\Windows\system32\Becnhgmg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Bhajdblk.exe
        
        C:\Windows\system32\Bhajdblk.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Bphbeplm.exe
        
        C:\Windows\system32\Bphbeplm.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Bnkbam32.exe
        
        C:\Windows\system32\Bnkbam32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\Bbgnak32.exe
        
        C:\Windows\system32\Bbgnak32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\Bajomhbl.exe
        
        C:\Windows\system32\Bajomhbl.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\Bhdgjb32.exe
        
        C:\Windows\system32\Bhdgjb32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\Bjbcfn32.exe
        
        C:\Windows\system32\Bjbcfn32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2104
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\Blaopqpo.exe
        
        C:\Windows\system32\Blaopqpo.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:288
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Chkmkacq.exe
        
        C:\Windows\system32\Chkmkacq.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 140
        80⤵
        Program crash
        
        PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aajbne32.exe

Filesize
74KB

MD5
1077619533750589783889a6e4034bdb

SHA1
b6a819d25631822b21077ee6129ff11f4e477440

SHA256
81e0b9b924be2a472037608542555e84d23b6625aaaf378144cb334fee6b0ad5

SHA512
5238c86bf9f2755b67c2c40ced75d7bb5b1e1a6cc1f4a051ecfe82820ec4c3e606768ab427e35feefe1daa8bba7ada32f4a9a292d12a5e8c508724a06b1f2024

Download Submit
C:\Windows\SysWOW64\Aaolidlk.exe

Filesize
74KB

MD5
e37c03082484ca0a89f271171d745349

SHA1
d664d60e0edf04fd8bca8770a37ed5130ed075b2

SHA256
1fdbed2d2ed2d17f372eeff9c6dcc17dec5c83c7de2683d66db0db954bb82b7b

SHA512
646dcd23021eee3346a70c75be611f98b0e47aeede6eb33029a1f081fe8b3f4b763924ef08782e4306c8ddeb502dd98020bee76fffe0bec0ee58eec20bde00ea

Download Submit
C:\Windows\SysWOW64\Abphal32.exe

Filesize
74KB

MD5
b35a77f54f59b7f7ecbb55cdd7a4af76

SHA1
a735139c38129b8251f21475d70888acf8a78445

SHA256
84b79c0117b43b9df210039bea799bfb8f9a4606b1ccbe69af9953ea97730347

SHA512
f2ead6ca70c50581ac92fd4a12aadc390d8c66b433a9d521c07798e8b2cc91047b2aeefa7c00a36bede62cb1418dbe477d4fbb09353b3152f15968cdcafe579b

Download Submit
C:\Windows\SysWOW64\Acfaeq32.exe

Filesize
74KB

MD5
0598e66db79cc2e25e7dbab5446f7fdb

SHA1
4fe444cad3b50960872667739720671ef64f3444

SHA256
64bc51676b4a1f9e8091804ce32f6751c01846d45797ac58a85025935ceb5360

SHA512
89cd8af98b328e37bed80216b50bee50fd831a85d9c9ad939a5e481e649169d46baf88e479094b440c110ef25a4f945fd8c38cb6344566e836e3c4b22233c4d4

Download Submit
C:\Windows\SysWOW64\Acpdko32.exe

Filesize
74KB

MD5
b27b438539233f18f51a114c67fe9c49

SHA1
4dedf689086c38ade6f72364e9911d093d6f6810

SHA256
e79621fea1ffae203d47e3bf09e42a5d16c8b9e4f8035f3521cfac8f4dff9807

SHA512
62e9dbdaecbcec214ea650c3fbc0537d8f26d7b7f3f4bcc4998267ba80e03bfa202ffd6bb955752af62d4e2644061a55e11768ae0d5999ab0b2c20f1bfb2e369

Download Submit
C:\Windows\SysWOW64\Afgkfl32.exe

Filesize
74KB

MD5
50a7ad3bc9cb6490011deb5ecf782dc1

SHA1
628e834928a166df2a085c0c2d9f71e357f22e71

SHA256
5cd8af6a69c97663f92e7c053ee902d46403247d9481a1c5a76a87a024945cb4

SHA512
859123ee2bb099fe4fd9c66db0ac07e720f80631ff4e89449735214006e71fae767f709d9c1faa4ed16d2cfaef7dab243f4dbbd23af05176e5eef4553de3b90d

Download Submit
C:\Windows\SysWOW64\Afiglkle.exe

Filesize
74KB

MD5
0d528e909536db61f334cbbef20a7127

SHA1
126457abd23d9c33e86712ee0028c719fb49d61a

SHA256
5f4d8b0090d46383c9353fe95f838439a773fe61e9b17ea3814fb117117d0831

SHA512
8b97446f82183f856288d40754c8eb380fcefe62a425808a72c02e14aa1600959b1f8bd399173cbfd81ca22b7b59fbc72322a59e9359f7d92d49df3ba00cb928

Download Submit
C:\Windows\SysWOW64\Afnagk32.exe

Filesize
74KB

MD5
3f2e53a45970daab174e12727cc11a95

SHA1
27f2c78b7ced10c33d4afc0b9361baf2c1cfdb72

SHA256
9055621898aa0bf8e69cf8e032f74d29b6d12e488c4d0f47aad631b042b39f94

SHA512
5f6a17139ad09063cce5d0aa9cc4c54b2a09990c0d62652c524d933cf9ac103e864dbbce29daad7687c8052cbdb6958b7186f871dbed31861c39767f18333107

Download Submit
C:\Windows\SysWOW64\Aganeoip.exe

Filesize
74KB

MD5
e7943fff732954247924594641cb3420

SHA1
e7e17c2139cc58f75ed0faeb44d6fe9f038cdf33

SHA256
25abc9e8c4b11e7926fba967f83c77d904501e800c549891fb4d63ae76791b61

SHA512
03b7a79a48f8055b93f074bedd36afce32d212a571fe295eb892c2a57e6a3c022b1b72e1a19610688b76a0086a10dec4a9e216ce8b35f6e1153bcdda40ed5865

Download Submit
C:\Windows\SysWOW64\Agfgqo32.exe

Filesize
74KB

MD5
f7d48a6b6fe017e01bc9ff86177af9d5

SHA1
ac3b03609536bf1f31fdb996d623873c3a7b6c5c

SHA256
adebd0c12b3dfbecead8ae0bf9c99b413c2fb416f4dc12463c9889056fbba45b

SHA512
f709fd2eb962d44b0f40db51e786b8f53edbb51dada5d531e0b94410517fd02cac2c916672a4de5c4f71d33df4c006d8ba2a3dda105a1a79bc91e687c6f8f457

Download Submit
C:\Windows\SysWOW64\Aijpnfif.exe

Filesize
74KB

MD5
8721c993c50410741dd9faf37a2ef39b

SHA1
bfd60e1540af46cf087df36255fa5edd1903957a

SHA256
5e6678e85f89b68e5108aabe5ddf8047b022fdb12a09059eeec8442fdd37d055

SHA512
c33af6a8c424050b081db864273a805b0977c5215d25eee1a029a3a8fd09daba57e2c4034ce6e0ec2e6a5d0aab43c263dd835f81dde97540cd06e75efa18cbcd

Download Submit
C:\Windows\SysWOW64\Alhmjbhj.exe

Filesize
74KB

MD5
76931d6fad365d0ec6e160ad38407f6d

SHA1
e3dd74e8267a0aa32416e1695d7f56576638965e

SHA256
67f9b910b9aa1f665164df9381e857e1b439c5016453976081c7e1b9633f3c15

SHA512
dc7ea18c78c6337697e310ed3d3d26e70c96fbbf2fc4c631fabbf955128d5f1a5f984535ee27b4a1d11e5a3e2fdfab76037ce36e76748d92c2423b15cf5f6865

Download Submit
C:\Windows\SysWOW64\Amnfnfgg.exe

Filesize
74KB

MD5
33394103cf950dc5fa5ad46dbeecca72

SHA1
9e3f4a1439e905b453c71ffdc6fb5cd55b893cca

SHA256
3a9e7ccf77cb35d120b8378f5f54a479fba121c3e207807be4c000820691b8e8

SHA512
81beffee492bc6c6ec8a83fe138b42c1ab55241f36bd280403529ed7fd6b02e396d206eb520b727a4668ec51d0fef8a933ff725e98cdb3f9d608805dc821ffde

Download Submit
C:\Windows\SysWOW64\Aniimjbo.exe

Filesize
74KB

MD5
f98334273d8133524de410ca9046a39c

SHA1
a369628d80533a0248d3127dd43b2748a7b2844f

SHA256
e16841f9de6beb46f3ee8616b838a1d22c7acff848ba45176e3c8f404dcf18c3

SHA512
478d4ff63b03b979cff0037d88837b9b1a2e1f69c23f49de6d42132e989c526d18f577f9dc40dff1593fc1585aae1b34fdb8a962c268cc31e0a445af42b445a4

Download Submit
C:\Windows\SysWOW64\Annbhi32.exe

Filesize
74KB

MD5
9fb42fa25fe0c5389d183074d07f288c

SHA1
182ed0b1844d406dbaf28941f7075d1bf2284208

SHA256
84e23655847748bbcde56beaa8a8179224325b44aab9d3cadb82d147cafdf766

SHA512
377ca4b87348189480bdb30d5206e48e55e99797eaf5ee90b5ea0976d3ffe375a4adc11b2057d9f54821283772e5c985e51be6fdd6556e9844bac7ad02ee4a60

Download Submit
C:\Windows\SysWOW64\Apalea32.exe

Filesize
74KB

MD5
255a9cb2b6f145c46fc788903249d708

SHA1
22586610558e458802c965812dc01cde53d06966

SHA256
ba02849c9cf66f65702ec524be267a32e177bf69df25c86645b44ffa0682973a

SHA512
decdce1add6a21f5b5de6b141db30cfb59443f41e974f0ecbe75f4c92a176cc958136d46cdc74ebed23b7ee14d50c05890f6b4d5b32f51d31718e7495f372e18

Download Submit
C:\Windows\SysWOW64\Bajomhbl.exe

Filesize
74KB

MD5
a1a417ed7d51d49b11963a576c97d5f1

SHA1
127f4e58af14a3739bc5dc4ea41e0e2c85d39162

SHA256
4e4694eba2401ae3ef07c7d70bb7bdd24b6bbfb8a9cc7462ab1e91998eb7b878

SHA512
109bb3018fa0e3e54652a63a86ee88ecc370c3dd274eb90fa9a4d18816cac2edc461c9e8d12b92b9f16fb4db132103ec81d9a6818b6f421e35ee1f46fc9bdd81

Download Submit
C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
74KB

MD5
31eabff2bf3bb3b84a257c6225ef74d4

SHA1
7ff0043c52ca25a8ffde3d33dae928611272caba

SHA256
512811f3c132213ff05cd3fdcf07368118f05ca1f99e93af1aecb7eec198c97f

SHA512
5517a751723b5cfa112604ba9ee2161f3a993c147081f5bdc34d48514f480b3c403bcda85c14eb5c301ef61b93ba613d5e643e9cf9c0a29b2000533b97f586f7

Download Submit
C:\Windows\SysWOW64\Bbdallnd.exe

Filesize
74KB

MD5
a20e844ef927457b51e2f0c0e12b0041

SHA1
e8bd68e8a7f5eec02d3d4f5cbad979fcd9092017

SHA256
feb31c262cd03078b13a8f6d7019d19bdf408379704f9507999a92b17985403d

SHA512
145c9af7a5daca0aa3ecedf3b83e4cfb7ae8878cff9ec12f790eb42a80957419dd58731d687a3b74e1118454b71a55f15358d9ad67fda3409d2b5d225dfdb5ec

Download Submit
C:\Windows\SysWOW64\Bbgnak32.exe

Filesize
74KB

MD5
0d37f4d4d86676c747723a79a8d9bf6c

SHA1
3c7fad3e25b7a93bd77884cd5534ca4d2c852887

SHA256
90defeaad1486f8dc44f506f70aeebc00f4dea0f4ea14dd046dffcbab40592b6

SHA512
0b1000b6ddb9c19b1e02b966bea59c7138db9f33cb0c691671d1900a1c40d7c453f6f76ac3bcbc734c037c2ec798109eb84cd558ec4fc25669a8a734bd405dbf

Download Submit
C:\Windows\SysWOW64\Bbikgk32.exe

Filesize
74KB

MD5
71244665cba511670e871162558de18f

SHA1
c7ed10d925357fb1511328d43bcb91a8e7a5a04a

SHA256
6a6b792c2605e57cd561207d1afe07996978ea89f60a378cd2604f0e8496c6e8

SHA512
d93ff88c3df56596bbabfb4b1fcac8a22d325a4784c20774bc74e396b9d83a6a075db86b842af936b1583aa3de3043ed3c8301ad5d57f08a22e4027b4555201d

Download Submit
C:\Windows\SysWOW64\Bdkgocpm.exe

Filesize
74KB

MD5
8691a45832a93ae7326e65ff629b9def

SHA1
40d08b9603c43808228d9d45e51c59ab6b26f254

SHA256
c34946eb062972905d3fcf741ad5e12f3c07e167edf074b7d675d13a50061943

SHA512
6cba97442c5949ced58ae3e16411f8bdda9b05723eb72c24fa951b3fd2eea5eeb93fb379f3b39204d213580e1f14c58f86a1ab5b1686422ae07096c5b5ad4360

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
74KB

MD5
f619d891ed3912ce73b0ad95e9e321b0

SHA1
096f60f7d9e80a5a73b7f702599c432b1f2c65c0

SHA256
9eb2905d46efa27d0d578e9f09ebbac03d403a74b6d9dd802bec1914c8c2c1f6

SHA512
57414f18477260665667db300ff31c95ab1267592296be2d9025d69e0a49b1cb47c37561f289df94534c21af83f94433004174b8375fd21dc0755dba99c5e15f

Download Submit
C:\Windows\SysWOW64\Becnhgmg.exe

Filesize
74KB

MD5
cdbaebd3aff5bcd21660923bdbb6e92a

SHA1
c2920b1e5ed05e46e99c4a1c2fa73e65b4de2152

SHA256
48f8029171530b95c1c323a7514de158f1671c0fb5daed1a57e9a8acc9c78998

SHA512
f1e7ce3ebd47d1eea4b839bcc067080ac70e63f301d405b17f98ab9c48a8fb8d701dfa6ade051e6265628dcb1e05f9e22d0e02991ee84f61c01c92b38f004837

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
74KB

MD5
4dc0056bedcdb129e6e6594935cd26f1

SHA1
c6f89928a51fcc5c542995b60b265287e85d9bf9

SHA256
ffa4d4da769ffba78d676d6d22214889e3d9db537a630b0b3d76ec24090b9c7e

SHA512
3b44a85453b00f7628b92d4bd7640bd01c661a97a8a9d3d92a6dd3d2942dbf7cd7e5fc72b200ffea8975326c32a83ad22de9b03e539efa459b8701f78badf0da

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
74KB

MD5
62b09db8f47c47e0ec9dc5dd7c198beb

SHA1
2fa93af43d8d4805cf97ebc5ac785840ced95429

SHA256
d9c4c9bf85214e4a858240fb6be5629827043fe46d4d6367dc9b42ea946a65cd

SHA512
dd8330056bfa25775e48caf4b1ac36b38bbb1b519ecdeee0fc2679e72d6b3c5dba96499207148ed1a33d35c078a5355a9654a90251c33f2d7146387f143cc85b

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
74KB

MD5
3f8913f5165df3c4f798c748958c0763

SHA1
8aa244ab06c8c88e0c954be4b9e2594f4861325b

SHA256
8c28577e79d0973c93ac59eaa8451c77c1a4a265bab344bc0709bd7be180e1c6

SHA512
8ca7bd33d55f48468d52e8131b5f5673661f3294f53be01a754ef0590b368c42771d6269a24e9589c7050c8aa08e6bbfd946bc756da1aed3994976b081fe9704

Download Submit
C:\Windows\SysWOW64\Bfpnmj32.exe

Filesize
74KB

MD5
0e5ff0a01939fef38541eec633ca17cd

SHA1
8a5d52ba973421252d5282a4f9c6298d473fd046

SHA256
f9f94cbb1c6209019b0b661a76e2dc981e02d061507104c053abcd0e5ca987ef

SHA512
e13ff0af3be968e575a32ce986a03d75cd8e1d38a240d06d837452f5569aff9cee059cb5c49a074123603a65ce7105ae84922d4a503c9013a758a54399614fca

Download Submit
C:\Windows\SysWOW64\Bhajdblk.exe

Filesize
74KB

MD5
1f66e4b2c6506efe37588ba2bff44752

SHA1
a1c16563982f5953b336581db3544ca3c69337f8

SHA256
0e7b4126b2939eb98b8111658eb7216de0d7e90caa1e08cfbbb1feaf0ce9954f

SHA512
b03ebf7e5d78750c176a7d59e762d23da640881eafb17e3300eed715b1985c2f1635fa719726fcd5169fd609fb9a0f1211f2922cbf37dc601a91210fc85d414c

Download Submit
C:\Windows\SysWOW64\Bhdgjb32.exe

Filesize
74KB

MD5
a41923793e7b8be2c204ce076b57627d

SHA1
5fb84e29f8449b731154d17e2c8f5ee3675f0b55

SHA256
ff8d371b94b1f74e0b83555a7c9e73ac850e0070396b2b11457b56bc6a3a0d11

SHA512
2842f394be1cb69fc8abf756132ed4405e8f337ac3b12fef2d3e4fd300e1dfa678758f23edd4143d3f520ccedada979d8c7987770f607a2f32d6e7834570504a

Download Submit
C:\Windows\SysWOW64\Bhfcpb32.exe

Filesize
74KB

MD5
bbf24621c6d04d2627f6d234448a5a51

SHA1
8ea86956eba7178bbbee282d6648f5234764264c

SHA256
ca8108bc931f405810abfc38b43ad0ebd206c74cdfc04c9eb509ad3f6acbe1b9

SHA512
34b26a05646dc07af160f6560ffb7c8bb88a50617b7d6dafc8618705fecd89b8a806ccce8b52131965c1726d32081c1263746fc23634f68ebb4be96cff5d0fb9

Download Submit
C:\Windows\SysWOW64\Bjbcfn32.exe

Filesize
74KB

MD5
2363aa9ff38f7804208088832ba9bb76

SHA1
8236751f9ac9b580acb47520e481e7eb617d8e98

SHA256
aef345e515269ac5c84039474db4728c9f1810bd0daa8a0d4bc48abf76d1fcd9

SHA512
f4a56d274a48e99e460aadc89ca97bafa3d5cb9b4ded8ae86ad58db68bf1faeada7078610c5dfce126026300964426c9eeef1c591fbf2c44b6814e7acf7956ef

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
74KB

MD5
4faccfa37554a2b3f8b55b092da90407

SHA1
1b15ededd384c6a4f6af2de2654f23eb520b9c6c

SHA256
ed4199795a41345142b3c73eabdf06222437caf3a19efbdd062a14cfb71422a7

SHA512
e6e9a01aa75bd1dcc40453f898c900a39fe2c5a790a4f4e9559a3feb81a1c2867ce61522696fe5d911a1b14cf183ac72c6688a10615b59d2be412b5b756aa9ba

Download Submit
C:\Windows\SysWOW64\Blaopqpo.exe

Filesize
74KB

MD5
0925d581cc2f6d7c12fd45c93d2ce6db

SHA1
1f1111e896577873f151fa47416108ba67ed804a

SHA256
6ab616c1d9cdf479f8d0e4ed14625bd53c0aabca7dbf815bbdaf09fa87046f98

SHA512
fd70f4f8613d8c4d35817cb4208a1b587471f22478029cacd1d29c17621254033293e04f7d2ca4fd876032e1e7099bc9471a7c95b246aeb080201de4a8d02e03

Download Submit
C:\Windows\SysWOW64\Blkioa32.exe

Filesize
74KB

MD5
1bc1247b1834056007b415a783e35d55

SHA1
02539403a7583a8fbe87edcfdf553c569d827e3d

SHA256
a33dc0dca51b811e86578f32cf6d3069d33fbce40623be93e01a98edcb07196f

SHA512
7d5f26a7862ca3f55ca7ed0a762bdc0fc6551731e9524767caaea15afa52aa2faa0bab882a65a2013cce8cbeafa19a895dd0b999b57da9e64f6f401171603b68

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
74KB

MD5
818c436947e7b037ae770ca42c97d5de

SHA1
f49a7d356517cfff95cc77adf37bf9ca3ebd5a6d

SHA256
6ee91d2034a0c6f6e6ed1b29459cd64b84961f5881c4dc06f3a5b23ec3add081

SHA512
ab762189e2011ceb30899f3883bf5f18adbdc90ba0880cabdf4834544586c0767f4b9147849878e92ac28b12115787b846be6e7c0e859628dce9d93bb0ca6b0c

Download Submit
C:\Windows\SysWOW64\Bmhideol.exe

Filesize
74KB

MD5
780d747f24b98d5ff9c97b2eaabfe38b

SHA1
176a2dd7b045c8bf84ea9cbc7a3f72d1335b374e

SHA256
6681c5299b60fb4ff1cea816b4dc95cc265d749215f0f0442bc890134e303e6a

SHA512
de89f4615673fcf3920ec66d2b405c621a838652c66046ecbf5866cef16c2b97e71a0cb0edc7f67ac7a83394469a57c5fa62f99f5e1009285d03486d33a4db66

Download Submit
C:\Windows\SysWOW64\Bnkbam32.exe

Filesize
74KB

MD5
239495f4d1c55907fd6d97556d7a37b6

SHA1
a35db816cd7ca703d6676ae92343ff1a816f96a5

SHA256
0dc0eb0a8b31a24fac6301e5e0600d02d5f4f6673de9d50b71b321451ffef83b

SHA512
fcaf74dd0ad14d0bc31ae285c533f35430e06d81aee768d64d2e7d098ff9af73feccb8a8b341f410e8d48c0ed3aac2c370b1c6a7cc111b8979b988d4e1472ba9

Download Submit
C:\Windows\SysWOW64\Bphbeplm.exe

Filesize
74KB

MD5
66c91767ff8ce43e3797a96d6a6db579

SHA1
0fd149daebf99d0c3a8ca63c9bbaa41e98587a6c

SHA256
e5c283aa460763c4694ea8ee9295907f20f6784b5a9ee78ac5487acd6ba600eb

SHA512
569b162e546dca3cc1f74027f923cdf3df694098adc576904d2d5906eddb0dae16b7727f96fb05815f5246687f3f96aaf3649761b5b83520d55c4274e384f55d

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
74KB

MD5
a95a6245318ee30051f0795ff984a6d8

SHA1
1bc27e0caff279eb2260a07dea078d7bba712f93

SHA256
b1eeaa9695b9a1d7a5f383588dfdbbf862b4ddd21c5a348a674093b086e6a300

SHA512
833730aeb023bc8f2f4c055eefc25530f87150a1a01cdfa78f0f721049f70485c05c2ce8fd5fd15a1a5e8eb76e7ffd995e29e4e413407dca4816b14f622136db

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
74KB

MD5
8f6d978f9c1888209718b93e4614dfed

SHA1
5c9aff238b776a659bdd33c9ede528431ad41136

SHA256
d5ef306ea59c0dd0c2925794b7905bd8921f9d6dd563dd4b76a78fa3966bf850

SHA512
ccc1e866f54c15c2e2e1dbf1e5ef7ff53257e7c9024f134fbe67d03879703efd2a5266d0f40b5df3143ece495eff9ea16e6b3880a41be56a28d31cd7d71835df

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
74KB

MD5
d559722f3f630d34c1043a48305a7de1

SHA1
b4cbd6977108f2b66dbaf12ffc47feeb3cb03744

SHA256
22902cc96f1635be2dc5b68fbb68aabb16e025dd794a024066025f313eca9f20

SHA512
f4d0371138944880cb9d674f3943f6817cdbef7bdf4846a8a041b22c85192e91fc4744930177856d43051f3fbcec1d5953f25a26058860d3cada35cc788726e3

Download Submit
C:\Windows\SysWOW64\Chkmkacq.exe

Filesize
74KB

MD5
7c21b6531c097bb5c188836b99b05173

SHA1
bc7718f22e5a3a313b6e2f1d71a45fcf6376a78d

SHA256
233f6a1424c4b6e895c2c79fed7457fd3e6b868d89c45f450317eb9fb0ffeb03

SHA512
9fd048ceb576d68d1398b9fde28f36499d0a284d861f4fd7335e5176f3b250078d06fa420216f91a05ff4b2634f85aad75ae538f123b3b22e96af6230fabf94d

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
74KB

MD5
fb1d0de6fa56f77c09caf9ffc6c5b7d4

SHA1
bdb2a45cc0900a02dede64a2edb35ad5fdee37f3

SHA256
b0d40b690cb2b2bb786d7546a9f903acb5170af751f507829f58d7fd84e8044d

SHA512
a2cd934bf8a6092266b6d92ef3969f3206d633a5994904b06d76ba932bc3a8f8ad4d03ac2e542312b8bb594968f39b09b10ba33df11635c0490c3f292a07d70c

Download Submit
C:\Windows\SysWOW64\Cmgechbh.exe

Filesize
74KB

MD5
e532edfaf72c7b7df89b317dcf60de54

SHA1
249e4dfd41b044861d9339b05a07007c9ce20ed5

SHA256
444bc240e0bce61c5e839d005a9fd2207d35e14d316f871717deaad603562916

SHA512
f124d2dca832a83d1b8b1c9bedd2ffd5148795c1bf520f0de9e106f303e5e6389ca0e159e128e3ba1ee005e7eb678eab9e02776a098833b4878cb7bab5571fd2

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
74KB

MD5
edee9f3bb038d4c3b8df5485fdaa0ca6

SHA1
8d03b538fc4feac22fdd0cc7046b79fd94bd738b

SHA256
515d6d80d8d5df0ce48b7c8137b7f1dd68c049fc91d5af417fcf7f706f6473b6

SHA512
e02bbd2f57d8f3e7dbb114c20764950f5c131ff1cfbd0c3c0df5fd2cc9896284cf427dfb67002c8e5445732a40d3dc297dda027ce91fce029a7f703c0bfd03a2

Download Submit
C:\Windows\SysWOW64\Kedakjgc.dll

Filesize
7KB

MD5
c65a67f6c43b2041c4f9b7a002fbca6b

SHA1
5772a6f385ee1ae9f53ed8f39431f4197c782405

SHA256
b78cd63be6ad617c392bb59ea0a13d88c4c0461b6f1aabacdf6d2ae7836e9b71

SHA512
6118ea980399520dda1678886174a802ff51ec0214d86b0faf583563fa2c12686b587090b972ed316311041997fce6aa948eb33efc8b16939feedf6c8882b4c5

Download Submit
C:\Windows\SysWOW64\Oegbheiq.exe

Filesize
74KB

MD5
08296917c7f00fc4d76bd2ed7573d059

SHA1
f453b89557131162fdeeb1920bd3c939b8411537

SHA256
55fdce077c8995b1b49ca9443b50fe0f1e143fc4137ea76d4241fe948c39e950

SHA512
62e0d2869cc7ecd3cd4d573678e0cda825d89ba1e25f4485fe8bb991f9871fee53899bccc28936c017a95b8f45871369d5e0e70cfc745033f80d43a2f55fdcf5

Download Submit
C:\Windows\SysWOW64\Ogmhkmki.exe

Filesize
74KB

MD5
54a5bd74d2180aa88484792b4ca914ad

SHA1
9169108d7d3e315d008305be2eed33c96e19ffbd

SHA256
dc65de708da1b365eb1b9120d3a4fd81a3f4b92159580d635bfedda5f21efd9a

SHA512
c1ac1732373ab35b62ac0052bc2c9a7d69e03084b4e4926d3ab67e3f47f82d61a4a85076f5a94a4d8b4cf342fccf2ee79a3354946443ec712d4cc019f0143153

Download Submit
C:\Windows\SysWOW64\Pbkbgjcc.exe

Filesize
74KB

MD5
28c295e2ca12d2101e2066c42350350f

SHA1
126a24f9505942de1d2d1cd514d6155ddbe3d063

SHA256
ceb19bd5f452d0efc2918064a4b1a371f5dd4b476814ec612b6d36719b1294e8

SHA512
893a1da19a116f6044b69c140807868b7cfdb333d36ae73822cb4c827bd4e3e6e06870b6e7ca4b2c171331bc13dad91d81d12a40acc9b2d571ba59c73174cae3

Download Submit
C:\Windows\SysWOW64\Pcibkm32.exe

Filesize
74KB

MD5
20346d6ccfa21c703c6925c51d4c8482

SHA1
d9b5a01cb1e16e68c67292260250b20d1c934a34

SHA256
237a09e617dbfc16c83665cf4e0c52b9710b49a44838f244925dda2e29b5a437

SHA512
f74d98c148424e9e28f04a2af2caeb379402e7efedbb09962bc0a862e1b5f024603c5e8c586d29d4be5b5f86682a044d6106dbb3ddb4c456e84f0267c277ceca

Download Submit
C:\Windows\SysWOW64\Pfbelipa.exe

Filesize
74KB

MD5
58b940aa1ade06018cc9f50f93f9c546

SHA1
b82791c75e9f708ae7fb3ea8e1c39e34843c74db

SHA256
ac7b023a3bb152c2bc39553f8a567e229c5116ae2fbf8eda5e22264364e591f2

SHA512
dcc55d1550ea98e8c53de154f1c5d50c711d2b140ac37b7018e6b20cea590188a6473deab295cc4d492bf7219b6684c0ce99258ebbb3188262f25d095d0d9300

Download Submit
C:\Windows\SysWOW64\Pfikmh32.exe

Filesize
74KB

MD5
9f59cdfc9365e4aef1e6515837f99510

SHA1
b45bc529c4d5925c565468798c5d03be58f3db07

SHA256
f1b08115c4232ddb3fc106c5a59bbf955f318d2affa658a60ebaffdbb22e2979

SHA512
6b623db0a045afeb28b23279338114b4c8d06ba12e2258cf72f15eefa44d12262833f77aeb498221d3ca2232b8481b7e0e5c40a8b3d3563b30181158ed10238b

Download Submit
C:\Windows\SysWOW64\Piekcd32.exe

Filesize
74KB

MD5
67aa31ca37e29e018151f4daab065805

SHA1
18fabb55feb666a94109fd37e9e4693f5f85b87e

SHA256
a8f54fd46d2c09d1372ab751c7a78d0a9c2b9570cfd0ff965289e1ff42cbe52a

SHA512
3277c8522af774a5548ffa750b06aeafa0e360ccbfaf5fd62abdd3da105b42895793154d0ff6e445677c769ad56dbe41d3f052b5f72a4393d29d27c4bbf4f34c

Download Submit
C:\Windows\SysWOW64\Pihgic32.exe

Filesize
74KB

MD5
0b158132449eb86fe1f540766fe59ccd

SHA1
e7f7c2ed8cb36817b45176e42e32679ddd07f393

SHA256
3f9d9d46e0ced12810dcfc6c63623ce18573e55c05bad9130e0bb50758653fd1

SHA512
952163e7118bbf4befd1a204881bfcfb484095d41bd5adc1a08b4f71dbfdb3e118a9818afd6eb27240ac6bf4a376389f3de0f8d0f7772dea3812230bf8db430f

Download Submit
C:\Windows\SysWOW64\Pkdgpo32.exe

Filesize
74KB

MD5
97fae391d70fdddcf68d350194da483f

SHA1
6c551056ab43f5f2cb38f9ff63e31df9ab4db991

SHA256
8c8b0474ce5cc4bfd84cbd772682b1b51994b6bce1b2b969e6fdf4d29359b7ef

SHA512
f6753f1031678f7cd61425e877c761dcc84992b2b00bcfffe457757e1622f8c9e46507eeddd6afdee421fad17cce58efa231cd49a6a1cc8cf99300645c6f91fd

Download Submit
C:\Windows\SysWOW64\Pndpajgd.exe

Filesize
74KB

MD5
c3e6cb1771366f761a32ea604dda4690

SHA1
f2f837e6bc4275204d98e254d5ddd50a3cd49e21

SHA256
662969a57380a9b86327e7c6b6f5be8c4335476046f9cce2187f36b4e2ce94c0

SHA512
528151ad0af4e58a580aadb4e70d0c69d69a7ea7cbc1588c06c58298f985cbd027bffbd1d9da9b379d77ad451813ecb25b173a13e01ed227c9e38ffbe4075137

Download Submit
C:\Windows\SysWOW64\Pqjfoa32.exe

Filesize
74KB

MD5
20afa59cdc9f091b79919b68140eab78

SHA1
c867def0b2a6b88910bf60e972b3ec04816591ff

SHA256
8eeb0a83a538071aa2d5679cc603844f730607b4f64a53ddd59f5b66c38bde03

SHA512
817de40ab23a9d7d9d7a953898732f9722c08177eb4f7a64308512da873674f880b4832f336392af8297cc51014b22eb7c176b6915bc76856d6109d6c7ec2f11

Download Submit
C:\Windows\SysWOW64\Qflhbhgg.exe

Filesize
74KB

MD5
efa112d76f6154b5c8e896680534f51c

SHA1
d5728648ebabf933c62d84aa3e453787e70544a0

SHA256
477375a9419b026e1e8ff7bbec95cb9420993290ef40ad806c05a3c40ba501a4

SHA512
dbdb28c4db2faa0fc2e94c3795d072104da482e7704f7b5e4ed51fddc0ad241b65ddcdb42e722a29e29f8fcb8d4c3a02d88d263236c1f62ca2666183f3d0f277

Download Submit
C:\Windows\SysWOW64\Qgmdjp32.exe

Filesize
74KB

MD5
b583991eb7043faf864fcbf06b871936

SHA1
0fe5caf2bab9b05482bff8693cc6d4876a3a6a5b

SHA256
afc5d1abdc2074a095d5124f8a7d8d802525fe6fba13f9a6dede613a4fe17382

SHA512
fa40e89eca8389a3989cc4b08b914d09b69b43fc224c52a00647d356d8f9f6de7661147336b24ee8cb189e507642584d379f38e105e67741528dc7d69342467d

Download Submit
C:\Windows\SysWOW64\Qijdocfj.exe

Filesize
74KB

MD5
2955d6f72bfd3b64d23657ca31b68c26

SHA1
8148a21a1aef5aa7e76c3a0045e1e54042696c7e

SHA256
e6121dec0401e6c50d46d34c964fd3d164159878cd27ec60efe65356d2b68c73

SHA512
a7178baf0396d8147bcc56723011d5f284c7ccfd19dcb52ff7ca19ce214c48c7dc05eaf2e4ba14d2a36ddf8e4cd8d28c5487162f7ad51563f875cd4223af28d0

Download Submit
C:\Windows\SysWOW64\Qjnmlk32.exe

Filesize
74KB

MD5
b7ae84e6c45f2a05c78d5d0381e85d3f

SHA1
c950e6d4cf3bb876e64e76f0c8f96e325f8e5de2

SHA256
dabc79e3ba9204c97164330b6ab41893e4d0fb851970b3df6f99abceb2785987

SHA512
652edf8b7722cac3aa036ce230b4c284b9e5eea85869aaab601f717022366969989ce1ab244ea653c03d00e9de17c52ecb649807e56a76b9c1013d5ccfa009b5

Download Submit
C:\Windows\SysWOW64\Qngmgjeb.exe

Filesize
74KB

MD5
ac202daf285e74c98fb28713aa68443b

SHA1
d1c41c25ed20d124925c8d0d334ccb6838afd644

SHA256
4fe9d5744c5b8add0ad35916d6a70d65239c6c43969e1876979a9c50e8b5bb58

SHA512
70cc0948c258c6a551666d1b5ad6b55ea39093f53ba12d5098316db6654bb6afc413a492547dbdc87a26589fbfaaa8b136f0257724f1a04907eebfd7a9e32e28

Download Submit
C:\Windows\SysWOW64\Qqeicede.exe

Filesize
74KB

MD5
ce5714bc038d4991520d79c05752ebb1

SHA1
94ddda0af2c105d913b832a9dda085bcf0671f64

SHA256
58062d98cb2a50c589c2948bec1945dd446a7f97ee60707c15d5d0a3c5c8d28b

SHA512
4ec16755ca55c391e1f0dfda844b8bfb5cdc7adb1124e6f08f90b14f9737aad6963e53db24ebe472f536951530aab8621b65e40944aed9f8aa4aa76683c67342

Download Submit
\Windows\SysWOW64\Oancnfoe.exe

Filesize
74KB

MD5
260a604f5a907aee3d40b7bac6888af8

SHA1
579674c83c2870976fe0623c65863649e5799864

SHA256
90b5afa761a707c3b41dfba8f8183907414a8ca879fd7af4a0c993978240e7db

SHA512
75a1a2b3448178142c8ac80cf655daaf6a45cf2fddc6b66ef1e411cf6740e2504f0d7995e60ede437f3f082c2e8eb0a247012bd1928adaadfe2409da8dae3b19

Download Submit
\Windows\SysWOW64\Oappcfmb.exe

Filesize
74KB

MD5
ca68923337c2c4d141bbd3aef6f894f7

SHA1
3c74db1927a12296fa51aea1415f8b015a5420c7

SHA256
8d114dbbef17018380d59ed5f754cafc70e7d4e575565bbab64fec0d79f7e9bb

SHA512
6f4d83b274caaa2762eb45ad4fea317214c8537a9b35da2960eaf2e8137299672c2e864f0018ecdd9f5ab5b974adff9589e9a0158d61f6e6cea1b741d696b1a8

Download Submit
\Windows\SysWOW64\Odoloalf.exe

Filesize
74KB

MD5
630b50d37ab7b683a76c9efea5a32650

SHA1
8e68ca891f1c5e36778fa3aed8aa10a1c397291c

SHA256
2587bfc4254b93f35b8a0b80432093e80ed525a057a0619209a59574f796821d

SHA512
1be2a30f9efb13e543415abcae386a866ee40056190b095bbc2a129fd36867fcb6380c4e005b87f7ef5be840a8f725cf649a464d9a2161ac4b863b4d75df91a8

Download Submit
\Windows\SysWOW64\Ogkkfmml.exe

Filesize
74KB

MD5
91294ef4c92d768980a6e6c3bb8e7887

SHA1
f7eef3a554c93eb5501c2394463fce5ac92b2455

SHA256
670a4a79f1e5a26998a44c9ee8620edbd5ec6620b5c1a6c5487bfaa5b521e9cd

SHA512
b6e5d110cec3820e98c383cb5ec5f50e53d6f44fbee97990e37b680d0a2d9d1e2bbab7b683feca2ff74369637f7d5acfce9bc3e1a37a2413efef9bd2aa40ae8e

Download Submit
\Windows\SysWOW64\Ohendqhd.exe

Filesize
74KB

MD5
19f8c751612135861201aec3af908bf9

SHA1
80e205595c208e1874334f30bc2130f30873ca1f

SHA256
99835d4e6a9ba848cbffbe8aedf6b0c16d8fd82eadc1b13e42df6d78e77f5e2f

SHA512
97c2f747c4e276f94a2f7f7781600a97c0afa1a957d862f77639aad071091a2847148f88427f0046f41ad12cb0b14e7dc451a93feea82b46ebc6c954b0b1276f

Download Submit
\Windows\SysWOW64\Oopfakpa.exe

Filesize
74KB

MD5
183d5dc5240a6f68e185ec0437f608e0

SHA1
4b6b99c41389aaba0f57d9d5d9e0b1ba81c416de

SHA256
fc262d201f478e3e5a3fd9f1faed01dcca3bcbd55c49a528dc6c743dad4cc322

SHA512
1ebfc92c7ef1da7788a49e3acf8f287973bf6e3de5aefa7ef4ad51a4dbfdf6c33c7e6a34a7c733dc447abaf2ff9f0369f69f2e5ed8c695e30637628e17f23395

Download Submit
\Windows\SysWOW64\Pcdipnqn.exe

Filesize
74KB

MD5
90ee7e8cbc93c47800adb618e46b48eb

SHA1
974c4971f4ed9a73f775260ff9ca88e43137207a

SHA256
e26ff70b221205f076a69dfa0aa7ccd05f4d80a2e4bf7d3d0fe53dfc3a4c1705

SHA512
872fc21f7a93e1b93f14c673f37c3700af1669881e23bc76ce707c5c34ab10c5847a9d14b733313c2b91270130cbcba70825f1455d82c8c7dbc08acf28ebaeed

Download Submit
\Windows\SysWOW64\Pcfefmnk.exe

Filesize
74KB

MD5
4b835ae6e64b06799edacd2dac62f571

SHA1
60aa796d406843030972b2a78a363f17463e83a6

SHA256
f82000c5e27d5b686d64ddc8b5435b9b464549e8b8de0f6dde88c4bffb8e377d

SHA512
f34b9c36495e84e8857961d904c6e65daa66e8bd68ae20a70bec26343e1aa97a445db57ecc45f7fa7cf7488f90b0a26ade11a909e45a77b1acfe7b9a26c74cbf

Download Submit
\Windows\SysWOW64\Pfdabino.exe

Filesize
74KB

MD5
cf29ab5870b68a14925e7261a837c9db

SHA1
82713bccddb30d761700b6bbeee8995ecd41b6da

SHA256
04ce03747e170dc09353a7c2fa07fe3f2bd2f36bc5df9e6e48a9884888cd845a

SHA512
a5cb38a2cbcf4095e425ed0328dd96e87288032a91663e3ea08bff53a192ce5394f502fd16dc2b7020e9105302d8fc4cddbbce42f54cf61ddb338b5e7970824a

Download Submit
\Windows\SysWOW64\Pjldghjm.exe

Filesize
74KB

MD5
b68ff10e2eb848475dec0535b0e4a403

SHA1
422c1d81c1a708619809f66180be0cea0dfb97d5

SHA256
2fa3de5704aae27df7e4965e1433f336e86e5dc03f0b7aa49d434ace73b50ea2

SHA512
6ba714babea2d3bd6351f6d54abd451579f074f3ddc546095dc5628609250124e043b84ab890d47ce03d8571e012a0f4afb1d5eaf2d07dd0c7cae085110bb623

Download Submit
\Windows\SysWOW64\Pjpnbg32.exe

Filesize
74KB

MD5
9b57797bd8484b2a7e0ad33b63d92afb

SHA1
e9d5e14a7a95f98681a7f07491529e1b171f7a29

SHA256
dbfa40ceb24f423d0f239e847ddc06ff1a461984617c2286f99380b5344e1c8c

SHA512
f17e00e1926f85b5b6258a4aa45b887832f3d3812bfd65dd80bc15377641e7c1756336cfbdfff079602ca932490fe0a3a68edd6ca8dded765492766397b1ca3e

Download Submit
\Windows\SysWOW64\Pmjqcc32.exe

Filesize
74KB

MD5
7af0b88ded6f353b334b607ffae15fb0

SHA1
38fbbcdc765c53bcfa268dc3ba019e8af919bf53

SHA256
c6f6671032c02175535716fe24cfad89d9cb6089f0b91c892cfd296bfa4eb81c

SHA512
38ea5e6936582245c63054327125f3bdca5f0e652aa52a195dfd71d72dac9a2b493aa248c67db8f6a98a05b0ba26f85a42c1aa84b30ec8ce8da33a89003e12db

Download Submit
\Windows\SysWOW64\Pmlmic32.exe

Filesize
74KB

MD5
17be350fbde6186334a80f2867480e18

SHA1
338ad9e32a94d471b31d61f7a3d6210c9574c248

SHA256
aa782afbeda5dfe14c3a5ecf2439aae1d2ff644048bbafedfd95927040169eb9

SHA512
4da4609dc7cfacdc742ed9ab4c7d31afbedb3c8229df2b41c711996c5d2b184221c4246175b8ec4f8920547c4cafd23d2d995b0214f42f6bd07360a57a03a8e2

Download Submit
memory/320-360-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/320-366-0x0000000000260000-0x0000000000297000-memory.dmp

Filesize
220KB

Download
memory/408-223-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/408-229-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/468-141-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/468-459-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/468-134-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/580-90-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/580-82-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/580-409-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/592-69-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/592-398-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/704-503-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/996-294-0x0000000000260000-0x0000000000297000-memory.dmp

Filesize
220KB

Download
memory/996-288-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/996-293-0x0000000000260000-0x0000000000297000-memory.dmp

Filesize
220KB

Download
memory/1064-491-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1064-181-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1228-108-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1228-432-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1228-116-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/1284-237-0x0000000000300000-0x0000000000337000-memory.dmp

Filesize
220KB

Download
memory/1288-461-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1352-258-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/1352-252-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1476-219-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1476-212-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1536-271-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/1536-272-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/1536-262-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1612-460-0x00000000002C0000-0x00000000002F7000-memory.dmp

Filesize
220KB

Download
memory/1612-450-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1644-304-0x00000000002E0000-0x0000000000317000-memory.dmp

Filesize
220KB

Download
memory/1644-305-0x00000000002E0000-0x0000000000317000-memory.dmp

Filesize
220KB

Download
memory/1644-295-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1704-273-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1704-279-0x0000000000290000-0x00000000002C7000-memory.dmp

Filesize
220KB

Download
memory/1704-283-0x0000000000290000-0x00000000002C7000-memory.dmp

Filesize
220KB

Download
memory/1724-242-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1724-248-0x00000000002E0000-0x0000000000317000-memory.dmp

Filesize
220KB

Download
memory/1860-400-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1896-910-0x00000000771E0000-0x00000000772DA000-memory.dmp

Filesize
1000KB

Download
memory/1896-909-0x00000000772E0000-0x00000000773FF000-memory.dmp

Filesize
1.1MB

Download
memory/2008-502-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2032-204-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2108-390-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2108-382-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2132-332-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2132-337-0x0000000000270000-0x00000000002A7000-memory.dmp

Filesize
220KB

Download
memory/2132-338-0x0000000000270000-0x00000000002A7000-memory.dmp

Filesize
220KB

Download
memory/2168-472-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2204-501-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2204-492-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2352-439-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2352-449-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2404-420-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2548-486-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2604-350-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2660-55-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2660-388-0x0000000000270000-0x00000000002A7000-memory.dmp

Filesize
220KB

Download
memory/2660-67-0x0000000000270000-0x00000000002A7000-memory.dmp

Filesize
220KB

Download
memory/2660-383-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2664-340-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2700-53-0x0000000001FA0000-0x0000000001FD7000-memory.dmp

Filesize
220KB

Download
memory/2700-41-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2700-370-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2712-326-0x0000000000260000-0x0000000000297000-memory.dmp

Filesize
220KB

Download
memory/2712-316-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2712-327-0x0000000000260000-0x0000000000297000-memory.dmp

Filesize
220KB

Download
memory/2720-346-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2720-14-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2768-168-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2768-481-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2884-339-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2884-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2884-12-0x0000000000280000-0x00000000002B7000-memory.dmp

Filesize
220KB

Download
memory/2884-13-0x0000000000280000-0x00000000002B7000-memory.dmp

Filesize
220KB

Download
memory/2908-155-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2908-471-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2908-470-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2932-448-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2936-437-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/2936-431-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2936-438-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/2964-404-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2964-411-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2972-430-0x0000000000290000-0x00000000002C7000-memory.dmp

Filesize
220KB

Download
memory/2972-415-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2972-422-0x0000000000290000-0x00000000002C7000-memory.dmp

Filesize
220KB

Download
memory/2980-375-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2980-381-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2980-380-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/3048-356-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3048-34-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/3048-27-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3068-314-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3068-315-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/3068-320-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads