berbew | aebd5186eb40fac5dc28e3e75db62a591a092f3d9f01771a3889237292c8ee8d

Analysis

max time kernel
26s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 23:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aebd5186eb40fac5dc28e3e75db62a591a092f3d9f01771a3889237292c8ee8dN.exe
Size

64KB
MD5

e16b7693e427861db5c02fa5b99ac5c0
SHA1

9713350d3863b9b0e78196da92f168d076c47d91
SHA256

aebd5186eb40fac5dc28e3e75db62a591a092f3d9f01771a3889237292c8ee8d
SHA512

313290fe2440d4ceb6a914e1bd812be0b12bff15e3046284314247c85b078852788195181a639983d902c8f7728c90b897ce8d89edf42d6f3aad5371b1d62b20
SSDEEP

1536:t5uPBWYymWui4v/YAIs0Zx2DYMamemmDSSXXUwXfzwV:2ZWYywiONIs0Zx2DYTmMdjPzwV

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkdgpo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Achojp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnimnfpc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgoapp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aajbne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oegbheiq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afiglkle.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biafnecn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amelne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biojif32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmjqcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqhijbog.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjpnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Poocpnbm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onecbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pomfkndo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acpdko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkglameg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	aebd5186eb40fac5dc28e3e75db62a591a092f3d9f01771a3889237292c8ee8dN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oopfakpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmojocel.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ackkppma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biojif32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjldghjm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkkmqnck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akmjfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blkioa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfpnmj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohendqhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oopfakpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnimnfpc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piekcd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amelne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohhkjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdaheq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfbelipa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bilmcf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2596	Oegbheiq.exe
2812	Odjbdb32.exe
2700	Ohendqhd.exe
2664	Oopfakpa.exe
536	Ohhkjp32.exe
1480	Okfgfl32.exe
2084	Onecbg32.exe
400	Oqcpob32.exe
2968	Ocalkn32.exe
3008	Pjldghjm.exe
3016	Pmjqcc32.exe
2768	Pdaheq32.exe
1064	Pfbelipa.exe
2176	Pnimnfpc.exe
3060	Pqhijbog.exe
2172	Pcfefmnk.exe
844	Pjpnbg32.exe
1376	Pmojocel.exe
960	Pomfkndo.exe
1352	Pbkbgjcc.exe
1540	Pjbjhgde.exe
2196	Piekcd32.exe
1992	Pkdgpo32.exe
2456	Poocpnbm.exe
1548	Pfikmh32.exe
1556	Pihgic32.exe
2756	Qflhbhgg.exe
2896	Qijdocfj.exe
2644	Qkhpkoen.exe
2892	Qbbhgi32.exe
476	Qqeicede.exe
2980	Qgoapp32.exe
1968	Qkkmqnck.exe
816	Qjnmlk32.exe
2956	Acfaeq32.exe
3040	Akmjfn32.exe
1160	Ajpjakhc.exe
1612	Aajbne32.exe
2008	Achojp32.exe
1080	Agdjkogm.exe
1108	Apoooa32.exe
2356	Ackkppma.exe
1956	Afiglkle.exe
1000	Amcpie32.exe
1804	Aaolidlk.exe
1696	Acmhepko.exe
2656	Afkdakjb.exe
2128	Ajgpbj32.exe
2856	Aijpnfif.exe
2640	Amelne32.exe
2600	Apdhjq32.exe
1344	Acpdko32.exe
372	Abbeflpf.exe
1496	Aeqabgoj.exe
3000	Bilmcf32.exe
2992	Blkioa32.exe
2688	Bpfeppop.exe
2092	Bfpnmj32.exe
2240	Becnhgmg.exe
2468	Biojif32.exe
2036	Bhajdblk.exe
1060	Bphbeplm.exe
2160	Bnkbam32.exe
1720	Bbgnak32.exe

Loads dropped DLL 64 IoCs

pid	Process
2840	aebd5186eb40fac5dc28e3e75db62a591a092f3d9f01771a3889237292c8ee8dN.exe
2840	aebd5186eb40fac5dc28e3e75db62a591a092f3d9f01771a3889237292c8ee8dN.exe
2596	Oegbheiq.exe
2596	Oegbheiq.exe
2812	Odjbdb32.exe
2812	Odjbdb32.exe
2700	Ohendqhd.exe
2700	Ohendqhd.exe
2664	Oopfakpa.exe
2664	Oopfakpa.exe
536	Ohhkjp32.exe
536	Ohhkjp32.exe
1480	Okfgfl32.exe
1480	Okfgfl32.exe
2084	Onecbg32.exe
2084	Onecbg32.exe
400	Oqcpob32.exe
400	Oqcpob32.exe
2968	Ocalkn32.exe
2968	Ocalkn32.exe
3008	Pjldghjm.exe
3008	Pjldghjm.exe
3016	Pmjqcc32.exe
3016	Pmjqcc32.exe
2768	Pdaheq32.exe
2768	Pdaheq32.exe
1064	Pfbelipa.exe
1064	Pfbelipa.exe
2176	Pnimnfpc.exe
2176	Pnimnfpc.exe
3060	Pqhijbog.exe
3060	Pqhijbog.exe
2172	Pcfefmnk.exe
2172	Pcfefmnk.exe
844	Pjpnbg32.exe
844	Pjpnbg32.exe
1376	Pmojocel.exe
1376	Pmojocel.exe
960	Pomfkndo.exe
960	Pomfkndo.exe
1352	Pbkbgjcc.exe
1352	Pbkbgjcc.exe
1540	Pjbjhgde.exe
1540	Pjbjhgde.exe
2196	Piekcd32.exe
2196	Piekcd32.exe
1992	Pkdgpo32.exe
1992	Pkdgpo32.exe
2456	Poocpnbm.exe
2456	Poocpnbm.exe
1548	Pfikmh32.exe
1548	Pfikmh32.exe
1556	Pihgic32.exe
1556	Pihgic32.exe
2756	Qflhbhgg.exe
2756	Qflhbhgg.exe
2896	Qijdocfj.exe
2896	Qijdocfj.exe
2644	Qkhpkoen.exe
2644	Qkhpkoen.exe
2892	Qbbhgi32.exe
2892	Qbbhgi32.exe
476	Qqeicede.exe
476	Qqeicede.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qjnmlk32.exe	Qkkmqnck.exe
File created	C:\Windows\SysWOW64\Ljhcccai.dll	Qjnmlk32.exe
File created	C:\Windows\SysWOW64\Aajbne32.exe	Ajpjakhc.exe
File created	C:\Windows\SysWOW64\Baohhgnf.exe	Bmclhi32.exe
File opened for modification	C:\Windows\SysWOW64\Ohhkjp32.exe	Oopfakpa.exe
File opened for modification	C:\Windows\SysWOW64\Oqcpob32.exe	Onecbg32.exe
File created	C:\Windows\SysWOW64\Gdplpd32.dll	Pbkbgjcc.exe
File created	C:\Windows\SysWOW64\Imogmg32.dll	Pkdgpo32.exe
File created	C:\Windows\SysWOW64\Amcpie32.exe	Afiglkle.exe
File created	C:\Windows\SysWOW64\Ecjdib32.dll	Apdhjq32.exe
File created	C:\Windows\SysWOW64\Mlcpdacl.dll	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Aaapnkij.dll	Odjbdb32.exe
File created	C:\Windows\SysWOW64\Gnnffg32.dll	Cilibi32.exe
File opened for modification	C:\Windows\SysWOW64\Bhajdblk.exe	Biojif32.exe
File created	C:\Windows\SysWOW64\Lapefgai.dll	Pjbjhgde.exe
File opened for modification	C:\Windows\SysWOW64\Baohhgnf.exe	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Oepbgcpb.dll	Oqcpob32.exe
File opened for modification	C:\Windows\SysWOW64\Bdkgocpm.exe	Balkchpi.exe
File created	C:\Windows\SysWOW64\Aohjlnjk.dll	Ohhkjp32.exe
File opened for modification	C:\Windows\SysWOW64\Pmojocel.exe	Pjpnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Akmjfn32.exe	Acfaeq32.exe
File created	C:\Windows\SysWOW64\Cifmcd32.dll	Biojif32.exe
File created	C:\Windows\SysWOW64\Bejdiffp.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Jbhihkig.dll	Okfgfl32.exe
File opened for modification	C:\Windows\SysWOW64\Bfpnmj32.exe	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Biojif32.exe	Becnhgmg.exe
File opened for modification	C:\Windows\SysWOW64\Qkhpkoen.exe	Qijdocfj.exe
File created	C:\Windows\SysWOW64\Cfgheegc.dll	Bhfcpb32.exe
File opened for modification	C:\Windows\SysWOW64\Cpceidcn.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Blkioa32.exe	Bilmcf32.exe
File created	C:\Windows\SysWOW64\Aeqabgoj.exe	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Fpcopobi.dll	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Bhhpeafc.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Kgfkcnlb.dll	Cpceidcn.exe
File opened for modification	C:\Windows\SysWOW64\Ocalkn32.exe	Oqcpob32.exe
File opened for modification	C:\Windows\SysWOW64\Pdaheq32.exe	Pmjqcc32.exe
File created	C:\Windows\SysWOW64\Ilfila32.dll	Poocpnbm.exe
File created	C:\Windows\SysWOW64\Ajgpbj32.exe	Afkdakjb.exe
File opened for modification	C:\Windows\SysWOW64\Bhfcpb32.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Bmclhi32.exe	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Lnhbfpnj.dll	Ocalkn32.exe
File created	C:\Windows\SysWOW64\Jbbpnl32.dll	Onecbg32.exe
File created	C:\Windows\SysWOW64\Pqhijbog.exe	Pnimnfpc.exe
File opened for modification	C:\Windows\SysWOW64\Bilmcf32.exe	Aeqabgoj.exe
File opened for modification	C:\Windows\SysWOW64\Blkioa32.exe	Bilmcf32.exe
File opened for modification	C:\Windows\SysWOW64\Odjbdb32.exe	Oegbheiq.exe
File created	C:\Windows\SysWOW64\Pkdgpo32.exe	Piekcd32.exe
File created	C:\Windows\SysWOW64\Pihgic32.exe	Pfikmh32.exe
File opened for modification	C:\Windows\SysWOW64\Qflhbhgg.exe	Pihgic32.exe
File created	C:\Windows\SysWOW64\Ejaekc32.dll	Qgoapp32.exe
File opened for modification	C:\Windows\SysWOW64\Biafnecn.exe	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Chkmkacq.exe	Cpceidcn.exe
File opened for modification	C:\Windows\SysWOW64\Pmjqcc32.exe	Pjldghjm.exe
File opened for modification	C:\Windows\SysWOW64\Achojp32.exe	Aajbne32.exe
File opened for modification	C:\Windows\SysWOW64\Pcfefmnk.exe	Pqhijbog.exe
File opened for modification	C:\Windows\SysWOW64\Pjpnbg32.exe	Pcfefmnk.exe
File created	C:\Windows\SysWOW64\Pdiadenf.dll	Bfpnmj32.exe
File created	C:\Windows\SysWOW64\Bhdgjb32.exe	Biafnecn.exe
File created	C:\Windows\SysWOW64\Pjpnbg32.exe	Pcfefmnk.exe
File created	C:\Windows\SysWOW64\Afiglkle.exe	Ackkppma.exe
File opened for modification	C:\Windows\SysWOW64\Afiglkle.exe	Ackkppma.exe
File created	C:\Windows\SysWOW64\Abacpl32.dll	Bjbcfn32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhpeafc.exe	Bejdiffp.exe
File opened for modification	C:\Windows\SysWOW64\Oopfakpa.exe	Ohendqhd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2628	2504	WerFault.exe	117

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqcpob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpceidcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjldghjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qflhbhgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaopqpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkpqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcpie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abbeflpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajgpbj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onecbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqhijbog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjpnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbkbgjcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achojp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ackkppma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaolidlk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biojif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbgnak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balkchpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmclhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfbelipa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmojocel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfikmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfaeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afkdakjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Becnhgmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajomhbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocalkn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqeicede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkmkacq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkhpkoen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpjakhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkbam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afiglkle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aebd5186eb40fac5dc28e3e75db62a591a092f3d9f01771a3889237292c8ee8dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdaheq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcfefmnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjbjhgde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbbhgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkkmqnck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akmjfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilmcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfpnmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pomfkndo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apoooa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhfcpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohendqhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnimnfpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piekcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkdgpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amelne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apdhjq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blkioa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgechbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acmhepko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfeppop.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkkmqnck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajcfjgdj.dll"	Oegbheiq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmojocel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdplpd32.dll"	Pbkbgjcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilfila32.dll"	Poocpnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmdic32.dll"	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepiihgc.dll"	Pfikmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aajbne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqcpob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	aebd5186eb40fac5dc28e3e75db62a591a092f3d9f01771a3889237292c8ee8dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpodeegi.dll"	Pnimnfpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjcceqko.dll"	Pdaheq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmjqgdd.dll"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	aebd5186eb40fac5dc28e3e75db62a591a092f3d9f01771a3889237292c8ee8dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjldghjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqfjpj32.dll"	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oflcmqaa.dll"	Ohendqhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgoapp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcfefmnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcnmkd32.dll"	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plfmnipm.dll"	Pmjqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agdjkogm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plnfdigq.dll"	Pihgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjnmlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjnie32.dll"	Aijpnfif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbodgd32.dll"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohhkjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aalpaf32.dll"	Pcfefmnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdblnn32.dll"	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgkeald.dll"	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oegbheiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikhkppkn.dll"	Oopfakpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqeicede.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbbpnl32.dll"	Onecbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onecbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjldghjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcohbnpe.dll"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfkdm32.dll"	Acpdko32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2596	2840	aebd5186eb40fac5dc28e3e75db62a591a092f3d9f01771a3889237292c8ee8dN.exe	30
PID 2840 wrote to memory of 2596	2840	aebd5186eb40fac5dc28e3e75db62a591a092f3d9f01771a3889237292c8ee8dN.exe	30
PID 2840 wrote to memory of 2596	2840	aebd5186eb40fac5dc28e3e75db62a591a092f3d9f01771a3889237292c8ee8dN.exe	30
PID 2840 wrote to memory of 2596	2840	aebd5186eb40fac5dc28e3e75db62a591a092f3d9f01771a3889237292c8ee8dN.exe	30
PID 2596 wrote to memory of 2812	2596	Oegbheiq.exe	31
PID 2596 wrote to memory of 2812	2596	Oegbheiq.exe	31
PID 2596 wrote to memory of 2812	2596	Oegbheiq.exe	31
PID 2596 wrote to memory of 2812	2596	Oegbheiq.exe	31
PID 2812 wrote to memory of 2700	2812	Odjbdb32.exe	32
PID 2812 wrote to memory of 2700	2812	Odjbdb32.exe	32
PID 2812 wrote to memory of 2700	2812	Odjbdb32.exe	32
PID 2812 wrote to memory of 2700	2812	Odjbdb32.exe	32
PID 2700 wrote to memory of 2664	2700	Ohendqhd.exe	33
PID 2700 wrote to memory of 2664	2700	Ohendqhd.exe	33
PID 2700 wrote to memory of 2664	2700	Ohendqhd.exe	33
PID 2700 wrote to memory of 2664	2700	Ohendqhd.exe	33
PID 2664 wrote to memory of 536	2664	Oopfakpa.exe	34
PID 2664 wrote to memory of 536	2664	Oopfakpa.exe	34
PID 2664 wrote to memory of 536	2664	Oopfakpa.exe	34
PID 2664 wrote to memory of 536	2664	Oopfakpa.exe	34
PID 536 wrote to memory of 1480	536	Ohhkjp32.exe	35
PID 536 wrote to memory of 1480	536	Ohhkjp32.exe	35
PID 536 wrote to memory of 1480	536	Ohhkjp32.exe	35
PID 536 wrote to memory of 1480	536	Ohhkjp32.exe	35
PID 1480 wrote to memory of 2084	1480	Okfgfl32.exe	36
PID 1480 wrote to memory of 2084	1480	Okfgfl32.exe	36
PID 1480 wrote to memory of 2084	1480	Okfgfl32.exe	36
PID 1480 wrote to memory of 2084	1480	Okfgfl32.exe	36
PID 2084 wrote to memory of 400	2084	Onecbg32.exe	37
PID 2084 wrote to memory of 400	2084	Onecbg32.exe	37
PID 2084 wrote to memory of 400	2084	Onecbg32.exe	37
PID 2084 wrote to memory of 400	2084	Onecbg32.exe	37
PID 400 wrote to memory of 2968	400	Oqcpob32.exe	38
PID 400 wrote to memory of 2968	400	Oqcpob32.exe	38
PID 400 wrote to memory of 2968	400	Oqcpob32.exe	38
PID 400 wrote to memory of 2968	400	Oqcpob32.exe	38
PID 2968 wrote to memory of 3008	2968	Ocalkn32.exe	39
PID 2968 wrote to memory of 3008	2968	Ocalkn32.exe	39
PID 2968 wrote to memory of 3008	2968	Ocalkn32.exe	39
PID 2968 wrote to memory of 3008	2968	Ocalkn32.exe	39
PID 3008 wrote to memory of 3016	3008	Pjldghjm.exe	40
PID 3008 wrote to memory of 3016	3008	Pjldghjm.exe	40
PID 3008 wrote to memory of 3016	3008	Pjldghjm.exe	40
PID 3008 wrote to memory of 3016	3008	Pjldghjm.exe	40
PID 3016 wrote to memory of 2768	3016	Pmjqcc32.exe	41
PID 3016 wrote to memory of 2768	3016	Pmjqcc32.exe	41
PID 3016 wrote to memory of 2768	3016	Pmjqcc32.exe	41
PID 3016 wrote to memory of 2768	3016	Pmjqcc32.exe	41
PID 2768 wrote to memory of 1064	2768	Pdaheq32.exe	42
PID 2768 wrote to memory of 1064	2768	Pdaheq32.exe	42
PID 2768 wrote to memory of 1064	2768	Pdaheq32.exe	42
PID 2768 wrote to memory of 1064	2768	Pdaheq32.exe	42
PID 1064 wrote to memory of 2176	1064	Pfbelipa.exe	43
PID 1064 wrote to memory of 2176	1064	Pfbelipa.exe	43
PID 1064 wrote to memory of 2176	1064	Pfbelipa.exe	43
PID 1064 wrote to memory of 2176	1064	Pfbelipa.exe	43
PID 2176 wrote to memory of 3060	2176	Pnimnfpc.exe	44
PID 2176 wrote to memory of 3060	2176	Pnimnfpc.exe	44
PID 2176 wrote to memory of 3060	2176	Pnimnfpc.exe	44
PID 2176 wrote to memory of 3060	2176	Pnimnfpc.exe	44
PID 3060 wrote to memory of 2172	3060	Pqhijbog.exe	45
PID 3060 wrote to memory of 2172	3060	Pqhijbog.exe	45
PID 3060 wrote to memory of 2172	3060	Pqhijbog.exe	45
PID 3060 wrote to memory of 2172	3060	Pqhijbog.exe	45

C:\Users\Admin\AppData\Local\Temp\aebd5186eb40fac5dc28e3e75db62a591a092f3d9f01771a3889237292c8ee8dN.exe
"C:\Users\Admin\AppData\Local\Temp\aebd5186eb40fac5dc28e3e75db62a591a092f3d9f01771a3889237292c8ee8dN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\SysWOW64\Oegbheiq.exe
  C:\Windows\system32\Oegbheiq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\SysWOW64\Odjbdb32.exe
    C:\Windows\system32\Odjbdb32.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\Ohendqhd.exe
      C:\Windows\system32\Ohendqhd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\SysWOW64\Oopfakpa.exe
        
        C:\Windows\system32\Oopfakpa.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Windows\SysWOW64\Ohhkjp32.exe
        
        C:\Windows\system32\Ohhkjp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Okfgfl32.exe
        
        C:\Windows\system32\Okfgfl32.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Onecbg32.exe
        
        C:\Windows\system32\Onecbg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Oqcpob32.exe
        
        C:\Windows\system32\Oqcpob32.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Ocalkn32.exe
        
        C:\Windows\system32\Ocalkn32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Pjldghjm.exe
        
        C:\Windows\system32\Pjldghjm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Pmjqcc32.exe
        
        C:\Windows\system32\Pmjqcc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Pdaheq32.exe
        
        C:\Windows\system32\Pdaheq32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Pfbelipa.exe
        
        C:\Windows\system32\Pfbelipa.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Pnimnfpc.exe
        
        C:\Windows\system32\Pnimnfpc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Pqhijbog.exe
        
        C:\Windows\system32\Pqhijbog.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Pcfefmnk.exe
        
        C:\Windows\system32\Pcfefmnk.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Pjpnbg32.exe
        
        C:\Windows\system32\Pjpnbg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\Pmojocel.exe
        
        C:\Windows\system32\Pmojocel.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Pomfkndo.exe
        
        C:\Windows\system32\Pomfkndo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Windows\SysWOW64\Pbkbgjcc.exe
        
        C:\Windows\system32\Pbkbgjcc.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Pjbjhgde.exe
        
        C:\Windows\system32\Pjbjhgde.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\Piekcd32.exe
        
        C:\Windows\system32\Piekcd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\Pkdgpo32.exe
        
        C:\Windows\system32\Pkdgpo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\Poocpnbm.exe
        
        C:\Windows\system32\Poocpnbm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Pfikmh32.exe
        
        C:\Windows\system32\Pfikmh32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Pihgic32.exe
        
        C:\Windows\system32\Pihgic32.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Qflhbhgg.exe
        
        C:\Windows\system32\Qflhbhgg.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Qijdocfj.exe
        
        C:\Windows\system32\Qijdocfj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2896
        
        C:\Windows\SysWOW64\Qkhpkoen.exe
        
        C:\Windows\system32\Qkhpkoen.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Qbbhgi32.exe
        
        C:\Windows\system32\Qbbhgi32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Qqeicede.exe
        
        C:\Windows\system32\Qqeicede.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:476
        
        C:\Windows\SysWOW64\Qgoapp32.exe
        
        C:\Windows\system32\Qgoapp32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Qkkmqnck.exe
        
        C:\Windows\system32\Qkkmqnck.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Qjnmlk32.exe
        
        C:\Windows\system32\Qjnmlk32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:816
        
        C:\Windows\SysWOW64\Acfaeq32.exe
        
        C:\Windows\system32\Acfaeq32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Akmjfn32.exe
        
        C:\Windows\system32\Akmjfn32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Ajpjakhc.exe
        
        C:\Windows\system32\Ajpjakhc.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Windows\SysWOW64\Aajbne32.exe
        
        C:\Windows\system32\Aajbne32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Achojp32.exe
        
        C:\Windows\system32\Achojp32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\Agdjkogm.exe
        
        C:\Windows\system32\Agdjkogm.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Apoooa32.exe
        
        C:\Windows\system32\Apoooa32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Windows\SysWOW64\Ackkppma.exe
        
        C:\Windows\system32\Ackkppma.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Afiglkle.exe
        
        C:\Windows\system32\Afiglkle.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Amcpie32.exe
        
        C:\Windows\system32\Amcpie32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1000
        
        C:\Windows\SysWOW64\Aaolidlk.exe
        
        C:\Windows\system32\Aaolidlk.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\Acmhepko.exe
        
        C:\Windows\system32\Acmhepko.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Windows\SysWOW64\Afkdakjb.exe
        
        C:\Windows\system32\Afkdakjb.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\Ajgpbj32.exe
        
        C:\Windows\system32\Ajgpbj32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\Aijpnfif.exe
        
        C:\Windows\system32\Aijpnfif.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Amelne32.exe
        
        C:\Windows\system32\Amelne32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\Apdhjq32.exe
        
        C:\Windows\system32\Apdhjq32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Acpdko32.exe
        
        C:\Windows\system32\Acpdko32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Abbeflpf.exe
        
        C:\Windows\system32\Abbeflpf.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Aeqabgoj.exe
        
        C:\Windows\system32\Aeqabgoj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1496
        
        C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\Blkioa32.exe
        
        C:\Windows\system32\Blkioa32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Bfpnmj32.exe
        
        C:\Windows\system32\Bfpnmj32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\Becnhgmg.exe
        
        C:\Windows\system32\Becnhgmg.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Biojif32.exe
        
        C:\Windows\system32\Biojif32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\Bhajdblk.exe
        
        C:\Windows\system32\Bhajdblk.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Bphbeplm.exe
        
        C:\Windows\system32\Bphbeplm.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1060
        
        C:\Windows\SysWOW64\Bnkbam32.exe
        
        C:\Windows\system32\Bnkbam32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Bbgnak32.exe
        
        C:\Windows\system32\Bbgnak32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Bajomhbl.exe
        
        C:\Windows\system32\Bajomhbl.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Bhdgjb32.exe
        
        C:\Windows\system32\Bhdgjb32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2808
        
        C:\Windows\SysWOW64\Blobjaba.exe
        
        C:\Windows\system32\Blobjaba.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:616
        
        C:\Windows\SysWOW64\Bjbcfn32.exe
        
        C:\Windows\system32\Bjbcfn32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\Balkchpi.exe
        
        C:\Windows\system32\Balkchpi.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\SysWOW64\Blaopqpo.exe
        
        C:\Windows\system32\Blaopqpo.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Bmclhi32.exe
        
        C:\Windows\system32\Bmclhi32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2004
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Bhhpeafc.exe
        
        C:\Windows\system32\Bhhpeafc.exe
        81⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:704
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2268
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\Chkmkacq.exe
        
        C:\Windows\system32\Chkmkacq.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        89⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 140
        90⤵
        Program crash
        
        PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aajbne32.exe

Filesize
64KB

MD5
57de737a0d0c3339aa9c4893d9b7105c

SHA1
2d76b79d24e170a38dbffcbf8e2986c10a76faf7

SHA256
d57fccae1cd0fc48b50ae09490158b50ec11f1af8e111dfdb2d90f3928a8772e

SHA512
a54590b03bb2b46eaa1cb997e6fd5294bf1a694d601a2d28cef0a5967560362c2362db29feacd5b5f17de557c6224aa9d5d705df6c94c593fd8b28489c8b3bef

Download Submit
C:\Windows\SysWOW64\Aaolidlk.exe

Filesize
64KB

MD5
06d8b7dbcee81921ddd3475dafc60188

SHA1
b7e200e08ae2adafcf819ca22c8ffe4f7e9fad60

SHA256
daf288065068cff28b38c57fd9fbba3bbaef33331706977bec77651b4adfa081

SHA512
3641d5f3bdadcefbafe81d522280a30e801b582368d4f096f3cd681af4f6dbe46606832974fb265164ebeebd1cb5781bca7464bec3044739e70e5e343773fc0b

Download Submit
C:\Windows\SysWOW64\Abbeflpf.exe

Filesize
64KB

MD5
717673d39db275a40a032c8e53c90495

SHA1
1d6c24c7c4207ac9e2a63323ed3a1fa818db875f

SHA256
84cc8571c71a2c80805ff63011503d798ab0da42f16d7863e25480eeff27f457

SHA512
5b9d432ae401289491924e7b485cdd01375ef2124792b5b0384df643bbeade84b23ac5adfd37a3c2aaaa99d0ba92b53e84ce4800193e05a460dc7536f86b627f

Download Submit
C:\Windows\SysWOW64\Acfaeq32.exe

Filesize
64KB

MD5
f349eabf86da4640110fce5b9d5a4a52

SHA1
6a16c6befb575b4b15cded68baa069477539b179

SHA256
9d53f91fea22ac77cb6b0a11ec06594f4a5e982cc15627b2cf017b423ad06c71

SHA512
e6b09ebd46a0eb3346bf5a53dacb0690ba5e45003814c3f5d8b8e67df0512b802ec3670a1928a67408f9aa93882c68fd19495149bfddb5fe5375e1c98e9d9b69

Download Submit
C:\Windows\SysWOW64\Achojp32.exe

Filesize
64KB

MD5
258c5c7beea785bd2ea9f75ebfdaf9a1

SHA1
613e4b944454c9dbc8470b670d413e290e484e81

SHA256
ef41df3235958bf2fc09807a0367a697a9f7108ef787e4682c78a88a04d5838c

SHA512
9b232418570fa37f4955b21c166097eb3cd69677351ae0b88bb385968f1cff10024a2b48eb71d089c458449f15fea1003e3729cd4a2c32a42b73121aae020309

Download Submit
C:\Windows\SysWOW64\Ackkppma.exe

Filesize
64KB

MD5
3761e78206c20a68589bb22f15071ffd

SHA1
e2c1f76327a0319747199ae19abf86899307e029

SHA256
9916421a215330da38cc54a721f7647efb0cec4e0f028fb7dcd9f7df44ff3184

SHA512
b51b9363e504d979791904c68f81d69f4fc5d68c371742b6d62a5352b76839a8030893723a4692ca465c1d6fdc17af3c3f0aa42d716bdbe4b399f2c691cab7a1

Download Submit
C:\Windows\SysWOW64\Acmhepko.exe

Filesize
64KB

MD5
c13d9365b49f23de72d16dbf8ade8355

SHA1
ed76fbdde37396b23f1f3c18dcd30bc0fd4eb29a

SHA256
f0227c382f722f1f46290875d468920bf6cce9cacd9dfbe306483212f35c793f

SHA512
35381f5a0dfcc5b8b0a242b5c2814757883ef6997677018c007acd48e09784d398a9f88bdb6be9c562f5a0f7ff3a65cc86f9bc5569fa6bb895980f009cec825f

Download Submit
C:\Windows\SysWOW64\Acpdko32.exe

Filesize
64KB

MD5
d861f3255e2b5f0ffa644ce5c32c6c52

SHA1
a47e1be75d5215396e146348c3c5fbcb40b826ce

SHA256
dd244f3ca5683c3bf461a92f03597cbd19cd4ea85a8a469ca4c16d112a0e4160

SHA512
0f987a9879d53264dc5e616e7d37e8991946a8c2ead85b6f5a78965a303122650bdfed140bd2c976df100f3d26ab177678cda0de654cfbf17071a01f8e03e68f

Download Submit
C:\Windows\SysWOW64\Aeqabgoj.exe

Filesize
64KB

MD5
275c91a5440dc9177d569c0036c0bed3

SHA1
29bfd1b2584ed20e110a35419e70e7a024930dcd

SHA256
65bae35ee81337855a3318f257f441dbe5089637e5ed6be78c3ad68043843a19

SHA512
b44fbbb2cc401c71bb79d70fe15b68fac56e099003b93a5939dedd9a0968b10bcb9184be199358b90854f25fa1cadf7493029ca9ca3f0948d0d8a05ad0646435

Download Submit
C:\Windows\SysWOW64\Afiglkle.exe

Filesize
64KB

MD5
a40e94dbcb5525babfc4a426e6c8b926

SHA1
5ece05c39cf00f7b795d0300b692ec3a0aa8818c

SHA256
565687dcb539569d679a631648bbc969208d616522691b3b591be58226f8146f

SHA512
8fd51ebb5b3709afbe20b620f4e8b57f9bfc88aeaff5f127617adfb96d51899fccf8682998fbea31d69cd4d9fdfb4f190b69137340d355361977c68e90eadc22

Download Submit
C:\Windows\SysWOW64\Afkdakjb.exe

Filesize
64KB

MD5
c281fb231f4e9119f90d00ef76a0b9a8

SHA1
104151ddebee91aab8fd7fbb9460b3252d95bc8a

SHA256
805cb66f970a08dd4401dd7d240623d080daed9f1c2f237087704397eb850c99

SHA512
fc60363ca839a86ed7da5c907f93915ef7a86138cd3d1a8aa288e8aa4737b443ffe8aabc539c131e568c9845877b39132c0960df8aad639ab4a33952ebb64183

Download Submit
C:\Windows\SysWOW64\Agdjkogm.exe

Filesize
64KB

MD5
b045d9fcdce00d0801165c5885ccdada

SHA1
fdbc54128040c71962cff4539e8d6c19beeb2369

SHA256
ec25c2dde43aa90c3a2f45c7c59c5c5deb88c9447249a755a0010f5ca6b509cf

SHA512
add79e4347c2a702d16b4cee510fa3b20dda3192fca5a3ed9866e6ff70cb3d5a0eaceef92971d1d9ef0619fbcade3f4d70a16562363b0f3f3a3b8b0ea02b3c32

Download Submit
C:\Windows\SysWOW64\Aijpnfif.exe

Filesize
64KB

MD5
a4c6bb8c6618fa24a5559a941202fe67

SHA1
e47a45b0ce1b1c7d3758629c1d283c432a562c68

SHA256
a8eb19cdc163b3be149ff5cee89ca75f12aacc4b9687f56a1464e8ab37820568

SHA512
efbc388261736f8263c93c52ae8539026c779b757fb8201118d65ea8a9039abc0d92ff3312b84eb56c557c4c69ed2d91ebc728b624a8d085b6da417eb0df9eb5

Download Submit
C:\Windows\SysWOW64\Ajgpbj32.exe

Filesize
64KB

MD5
06ce3dc13687cf6d9a8be5f58a20b5e4

SHA1
b5844469d49c4b446aecccb4d3fbfd989e1d390e

SHA256
7f4f327f5cea0bb7c57e44d3b8fdb266b60ee8cff9c28edb3eec2d1d04f669a9

SHA512
1d384ca3609df734200eabdf40c07af998764074b782804e444f78987a344fad5c8d45e2995338460c10336b5c3e26063773efbf04fcd14810e09f4dce60137f

Download Submit
C:\Windows\SysWOW64\Ajpjakhc.exe

Filesize
64KB

MD5
0688b5060d3857768461f19c7e87a917

SHA1
e5dcc3f2587c84734c636c65b23b940bbb25dd17

SHA256
93cf64c3910cd7804ca5e5a3b72d8b7b7cdbf12d3250e7b04c67e897eb1d0613

SHA512
bb747275d5b8c168ebff5c0a1ab77fc82e68f312662aa417e1866c71096de78e71a46c98035c964718b524ea127b01ea6a99ffdf800b1c2b9867c79d63e36316

Download Submit
C:\Windows\SysWOW64\Akmjfn32.exe

Filesize
64KB

MD5
ae50b73d096e1fb001e464527cb2f4f6

SHA1
68def97d05ea3e595121519ff3e883cdfaed8032

SHA256
ecfa40c668ad249a44e94ba81ddc1d624b1c9dc4798616e607184641608dda81

SHA512
8e5e5e4090fb738ef8262b475fc3bcff278910414072c23a34b78e294bb00360b85c78122039639b4c58819c333635808f55ea7dbe3f6b5b814f720a02e08de9

Download Submit
C:\Windows\SysWOW64\Amcpie32.exe

Filesize
64KB

MD5
a8ae47719099c17ee39d683cdefedfaa

SHA1
e6ff64c8e8d11d42467ccc7aaa24aba38aa2e816

SHA256
1586bbf2d0298487228cb8620107a6f979f309e064fb08ac0445b65d42665a64

SHA512
653e4fc5bbbdb2c24e9e7f18409ddf926c533588c92625d2ea88cb5d5b82768aeb7289b092445cd9ce1645b2cabd129837e0839a3b97709731bbd4279390f5bf

Download Submit
C:\Windows\SysWOW64\Amelne32.exe

Filesize
64KB

MD5
c790d1a153d7b3d2490205d62e6030da

SHA1
047fc489530be5db385d0ff3fe1712e79afbc79a

SHA256
2d1130a31308f938bae2b093b0eaff21844db57e4eaefd0c18e51ecfcfe5f3d3

SHA512
4f8b931a279cb971a6a02e4a7cad90f02933c6b61381e8882f3c1ce4050f81d73e2ddceb47daa48ae6c20b3c38cf6fffed0602992e513818ce1decabc4e31acd

Download Submit
C:\Windows\SysWOW64\Apdhjq32.exe

Filesize
64KB

MD5
ef95747fb50826cd49b005d37ad1f58a

SHA1
54a738f3f39b9286e62c46c3b8a7fdd6b7da3370

SHA256
a2d3075a846967fe608311c003d5baaec5c560314d4487ccd33686c8bf4bdc6b

SHA512
6b0f915c77f1afcfbf8165d3b1d707905d42348aa03ffbb37ea50243e7be87ab134558748675fdedb6edfd210e338ccbeb8dc5107981101cd83b9563e4716eff

Download Submit
C:\Windows\SysWOW64\Apoooa32.exe

Filesize
64KB

MD5
f26006299ac9d0dfa407128c2bfa0ac4

SHA1
b1361658e3c91aa36431fb6eb0d3c5d6ea7a8038

SHA256
a562458d74cb48b07ae264d9f33e760accdc77f4889f7d40a9f8c516aeb71bc2

SHA512
ec6356944f682042c801f33988c190fcdc61b0a1715fb8d15494eaa6808146fd919d7c79e6237f3979dce6953014fe6e8a3986106df8244a66988b998414903a

Download Submit
C:\Windows\SysWOW64\Bajomhbl.exe

Filesize
64KB

MD5
680dbf6890fe3d59dc0e403b28445ddf

SHA1
7828147df9901c4b5a46182081ae5434704c1585

SHA256
0a713f6b41ae588031d9bc6a9f3000e7c2bd01570a9f34f84ba6090abf1401df

SHA512
244aff59484d388a956e9910152a62c25624eb64863b47cc076bd59d4c77804d9016be227e3ab882cbd25d25f06f5c76be774c71afc9b5dfa9c99dda2c431e26

Download Submit
C:\Windows\SysWOW64\Balkchpi.exe

Filesize
64KB

MD5
89d35e52a5ee54cdcc81e2a3a343a50e

SHA1
2996125a9495e074d31f727d3a8bb1a53f158cbb

SHA256
30cc6605ca088a49b9177b0a4fedc2870b21f597772a254527a5f5e2f19c0d2f

SHA512
64173cbe4ca30e002c505b31a3d685d0603cb025b7340776187b053597261187c1a33f638fd90ba95f88b2395e14d3b652d8659fe926007129a173ae475eb1fa

Download Submit
C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
64KB

MD5
e0600b86ffe54150dcb754ea8a7fe3b8

SHA1
f458f880262d631e11a29eb1f05377d8c514e216

SHA256
86c4507e008c0e15a9d83850f4e5691eed51807490bf9263be61deab4f7913bb

SHA512
35e6d6c4ab5cc3d852f1c6ca96fc0f8328cdb644c99540788358886678a7fc14d3eb65620682451c60af3b0ea7d2ca0e0981a1c8a2917e48c30f70b7634edfef

Download Submit
C:\Windows\SysWOW64\Bbgnak32.exe

Filesize
64KB

MD5
12392c43b7a231e43e4ce838a46c8670

SHA1
fcdbdea95dbb556103058040fd97dc7ee9e7dbd4

SHA256
61b928e42b4224afb23e0c4eb4a5408e7e64ccd372e12e611e3bba9768f67649

SHA512
487cda6942b40cc71130b468639e4c73f93b2fede5af55541d41238c2d6cad3589cf405c831825e835200e94dadb1a5107c0e9a93b97041e6cab560778d69ec6

Download Submit
C:\Windows\SysWOW64\Bbikgk32.exe

Filesize
64KB

MD5
ef04cc03885354d63a5dfcd54de9f58b

SHA1
054394b80903c91d9bd8bc9cf5d163132e979361

SHA256
2dcbd6bba6e8313f262e1cedb185568f3dd8fa0c8f83fbb41a79627386b2546b

SHA512
05570cb7c8fedf5695942bf800a708902a274e8999a5ebb96214e39f1fabc65b670272cd48a6ed917f12f2250e24b8144c8b25c28744b5fd35058e89efad8684

Download Submit
C:\Windows\SysWOW64\Bdkgocpm.exe

Filesize
64KB

MD5
01f9a484336a7568f20a4bc23b03c082

SHA1
fc58c990c2e14aede9eaa3189ad23797739ab7fc

SHA256
75500b0a4be63022b684fb73e425d85b6448658f742dea6bdf83435ed5cb57bb

SHA512
213f329b035190b50df682f0ce03251e3846b64aa99ba52b877c8d996f1974fa557bb7e3034476276f56bf9e10c23ae98053bf696abac9f9f678fe2082339146

Download Submit
C:\Windows\SysWOW64\Becnhgmg.exe

Filesize
64KB

MD5
a0c26bfe420c6b12722f066d7723ac6c

SHA1
adfff5e090d30043385f73960006a410cffeea9f

SHA256
c89cacaa0fb9f47e0392e53bb58be74e648afdc5a8b3f3af1aad431dd9f25acc

SHA512
77800cf987a6a490799a3cab08099e12c56354bf6f0d3656a8dc36003e571affb2a1b2bf84cb6c5dfcc133f408732b8f61fff05bbd1c73fe320b2d2de8872bf7

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
64KB

MD5
a3dcbed2938f78b2c32f3eb75316415b

SHA1
e0950100d2a39c4a06289b8da2416667c8e1d621

SHA256
38cf591a43455c7faf4c6b55bef904de44c29e9b80cea5597793200687f4c6f9

SHA512
665ccc19907031477aa78ec3731d318d00080a25169c91825bc1bb4588df33271a47016fc1191e306c8503fcc8ffccef394a2d00e2e6c2e7468b8b99de5d704a

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
64KB

MD5
623a288d207dc5d4d6973d10515e909e

SHA1
cac9d5c1d1bdb3bb74e270c81eab1575ebf30b1d

SHA256
b546437ece14ace4b8cc8f76163fb0f60a77600a1058d3c15a79c8dcb57de697

SHA512
80fc597e0468a693d6afbb71f474a218ae8979f84063b889a64d062147f4547894da4c16d78cf15ddd630293e6c2e50cb4c4bc9dd5ddcba72959f9f540064eb4

Download Submit
C:\Windows\SysWOW64\Bfpnmj32.exe

Filesize
64KB

MD5
7ff0112328c775ffa605fcde33a15577

SHA1
1c580f51f11432ff24d26f5bcde2f71f14737177

SHA256
1aba1b50300d5799d9fbf1903b6466b0cccd405c4283c4e9e4fab9f6ec1627f2

SHA512
b6c6fc910bb8cfd53e7a36149302c352131057f79901b84a67dc11c0c427efda31016228f85b6ac5ca29e515a21ce3ffeaba771d72cc79caeb601f7e6975d7ab

Download Submit
C:\Windows\SysWOW64\Bhajdblk.exe

Filesize
64KB

MD5
bf363983ce3ce8127a78eb88ed00f550

SHA1
70d777da3c6dbeb2827129eedbfd7f4c1aa17877

SHA256
9d50a37241b15e4f67766b6f61137dbd97bead77f68723bb5a967a083382f23d

SHA512
6876a617fe236f650df4e80a8e2b2bb8072333bf9f84dab04f9d883821c4ee66d08cadf95a770aea0dd47912f8e895062b32a2442f2c571573157e773a1d1627

Download Submit
C:\Windows\SysWOW64\Bhdgjb32.exe

Filesize
64KB

MD5
7ed2faa85fb31fedfebe481e09f4a3fa

SHA1
9a3318484b6920031a35d7e95972e0409b4e82b9

SHA256
3ac3c9716632e8e83988467f75c9b558d562f8515f97fa8ca78029ec5b9b494a

SHA512
7c055d06b899db9e42d181cc51a1382a335e0b49a1b68b57d3f11afdb7023818dc7b95f527447d04eab8cda2fb6a1d030a25913fda711ab1ad978370565594bc

Download Submit
C:\Windows\SysWOW64\Bhfcpb32.exe

Filesize
64KB

MD5
3b6e23f1a093c9647ac8be315feb25e7

SHA1
a681ed3caf6dc920a12a34f932b766587efe0c2d

SHA256
572ba0d9c5845634f81e53ee02956eb63298e991f3edc40666500e8f2b03d8eb

SHA512
477520e78db46257a00a46b51f6b1e3490fb2fc9bdb9ecbac1b9cdc22fb66a685f7772292da7d125c8a798fd8c7f8235b86df7b5e82cc20b47a92cce1348dd2b

Download Submit
C:\Windows\SysWOW64\Bhhpeafc.exe

Filesize
64KB

MD5
3556cf7ea0422861fab535324867bd19

SHA1
8954ccfb42ce0c476a90f6708434748864ac145e

SHA256
b315e088c30d9393bd72818b69e98755a3d7c1be15912a2da302805b9a3b4776

SHA512
d2c114181b86b8d5f17804add9a266b7607dbdcd63bcbecbcecb95dea5bc076604a105c08aa16c3992e128636bea5d249cdfdf234d4bd4076feeb2b6efbd0521

Download Submit
C:\Windows\SysWOW64\Biafnecn.exe

Filesize
64KB

MD5
0d730cd24e8d5644fc085d6c4b83bf88

SHA1
b4bc7d4229c3a1252007e38af12e8fab21668558

SHA256
9f17c44c34f71122f502e116b4eb1ed47a65d07224b0a17fdd7bcf73cfb36668

SHA512
9033833af128c75d76784fd027fb62cee362b6a9c95e4bb520d64134e2a2ea2714def102b75ba3047073fd798e8ca4ec16a10490ae803d86d7916c41c8692e43

Download Submit
C:\Windows\SysWOW64\Bilmcf32.exe

Filesize
64KB

MD5
6f947a908d58e7c830a66574f963aae3

SHA1
c70dbe8eecf5947782a61bc3ba0990ebbefb620b

SHA256
d3e67cd4ba5cf58b2a091a3103786ea5253e7b82769a42d4d049b953d9570749

SHA512
18dbd7504f19b88c08c90fe55c1946bc8334cd8ed0b8c66759a89779133763cb5566942190e29ffa3356a0825785528199b97fab5bb74f7497aedad596b00231

Download Submit
C:\Windows\SysWOW64\Biojif32.exe

Filesize
64KB

MD5
598e059de84ba406f594cf55e2d7c3e2

SHA1
e991f29369ef01fede32b5446c7d5e280890cc58

SHA256
f7edc5a1e1f6fe5192f9c6136f64a13a040fca05e90fbb31f1561929ff035b65

SHA512
a522d2ffde781f5b372a21d7a3b2c8ef395700e3335695e7a0dc50204ff7c86097fd6a659294948b5a7b75a6aeba316e8070f274a47dc2df083ce5948dd4de8d

Download Submit
C:\Windows\SysWOW64\Bjbcfn32.exe

Filesize
64KB

MD5
b9e4f23ecc2f8ac4efead882959356e8

SHA1
72670928bc002f1f08e279a9265e751741188fe2

SHA256
af8ce1288ae47d1feb0d943d07176a39c570a82ef91250e41bd8c19d312b1c9d

SHA512
9b055fd6c69dd334db9d31b95f8307f8c303040d8892ba21de84de0d3a9bcea0e13632acd6a3079c258279c28f32a14aa422db352474b2fe48deedf87e83b981

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
64KB

MD5
358eb357eaf41c3ee5a7ae73aad949fe

SHA1
e3c56d3b13a8d890927460ae7fe8960019b12cd2

SHA256
e56c1b7cc77047057f09fd3817d20098f57724b8251d4b5ca318c4ce1f55a662

SHA512
75db208e3ac1f785f1d00375f4731dfc04784a63bd8441343df57cd1781faaa5a1cf69a73e8bf143ddb56157e1dfd5e66a3661b85e32ce00b662ed9d76846b0f

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
64KB

MD5
1e569c403460c0cfda41ea76d752dbe0

SHA1
f0d737e49d9939364712f7d036f2359f21756503

SHA256
46e99cab26a523748dbebf18cadfe2773574092a816ee6a80de4bf6e2acdeb14

SHA512
9987f0a8336044fae6adb1f60fcb5b49d42998385dae19e861d1a832fdd56bd53d5884595439215e4bf8a9fce223b988a62d83fca611e48a680b1298a2c825b2

Download Submit
C:\Windows\SysWOW64\Blaopqpo.exe

Filesize
64KB

MD5
768e9a44458adb4af7a559c9abdec4f8

SHA1
16243cece6dbb2c6c448df0ffeb0a3280d9860d1

SHA256
2f1d67a40936dd2ce04abfd110f108cf104f8af52137327b1554a469c4541ca0

SHA512
ac4fd6f7c999e45572a022c84e1dd59ca348a0d01d555438c22e9e6a4d70baad431a040d8f88057ef0da312b5dde483ef6f7ce11982f5c864fe71d8959c6b3b6

Download Submit
C:\Windows\SysWOW64\Blkioa32.exe

Filesize
64KB

MD5
0315d11cfd4c0f34b22e35759109afc0

SHA1
e578d5463259404a700f97f331351db8930d1933

SHA256
287ff219daff70a4332ec100ded49b92da8811c0907320912711566524d82d49

SHA512
c68cc7f7ca2987a8014a7015107ec70e35358f241fb58a0f8a7bb25b6b6c4a5151bb540a86cf33bf05c25ae1b03dd30dfdbd2ad6a04ba874d4e9aa9de3f2e28c

Download Submit
C:\Windows\SysWOW64\Blobjaba.exe

Filesize
64KB

MD5
b834524e51fa90657346fd9cd7a97734

SHA1
2e77481183f7ce2b2b077bbc53c4fdf31f59294e

SHA256
43960bfa10f47c8eeb6b4d74a14b3a89096375445c8231c12698c5e2e1939774

SHA512
ba383671cf155d4eca943fea0c5608cb5dc0aa1ceb6fba1a32ac02a93aa433cffa637691a97662cc2f06914480ff7c65547336b49165792ed41f39be85bfc401

Download Submit
C:\Windows\SysWOW64\Bmclhi32.exe

Filesize
64KB

MD5
ec49cec73fc09f586287fe6ac368faf9

SHA1
ca03ebcf4d7de0b71ad192e32f6625497766e0f9

SHA256
e44334a91f64bd4ed6ac7c255c73c506a9f738c6910f9354cacc54ee07fe6222

SHA512
a1a083bb949a589195d6719829374d91911b636d5ab76d7cd7b49fdc12c651078bdf061db46ddb6454c5d98a617c676ed1eab296d536015aadbb01b74bdad9b5

Download Submit
C:\Windows\SysWOW64\Bnkbam32.exe

Filesize
64KB

MD5
a4d72d92bc730f8e80a5182dd08c91c9

SHA1
8617237851eee8e2fb96c66dde8dae5949bef4b0

SHA256
18a8d3c23b54c3708a3cf0c2d5607b7068649bb78722a4ef153fbb304f3a250f

SHA512
587602009372d0e56b9a1d3da6ccf219b0584f68fc18500c8a4197978271e5f2786af52dea98caf16bdd59af27dc22cd25455e5fe8ffb2a20863ac7c5be8007c

Download Submit
C:\Windows\SysWOW64\Bobhal32.exe

Filesize
64KB

MD5
806e1aa7b3791a5d86d356dcd5d1e86f

SHA1
b47b061b90cd7305295c15eb98d91003a47f5756

SHA256
0b23f14bfcf80672e0e41b2c2f5e54091b57f8ef8b06df039e0772ae29fe5151

SHA512
714252945cb135eaaadc3c019e1958ecf0d36d8bd8b39d1397f55f3c18848e189f8c5ced339313a658f821940420a1828b433e40c1fd52953c672bc1b8e8a1ea

Download Submit
C:\Windows\SysWOW64\Bpfeppop.exe

Filesize
64KB

MD5
f6473eed7fa0857bedc14a62e0c6373f

SHA1
c43fdf2cc7f0b870681e2925bf25f227d5759920

SHA256
ef01e07cd12f0a8f15685e30283819dfc5937d6ee594f053013aee9db9a88715

SHA512
9a05ec40887f798a81bd69444654546e33279c91c54ef6ec005826f7f27d6390e0c662be5f42ebe739c8f4ef4084b111912cf6c0eed86cf6cec3584045edb64a

Download Submit
C:\Windows\SysWOW64\Bphbeplm.exe

Filesize
64KB

MD5
7fad9f1f769e93ca55e2b3e0f52e8cd7

SHA1
000e35e84f72267a415d16588c00db36cd96a9bc

SHA256
1f8c54e2da64c42cc953697a2ac0de0b76e458800597cbc50860cbda50072c5d

SHA512
287bdb1a9c52cb68b8a22d788970caf08922f5305bd55a36fbb6b1a6a236dadd1650abdf35b7b70cc55370e8cc45e96b5b1e199759f83b8f1f8e881c3fb3c7d7

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
64KB

MD5
e42ac3fb9f1c7a189500b3404436f021

SHA1
fd9186535aae60ce8acb49a547e2124b9a1df6a5

SHA256
a196a43abd1a2746df4789bcae9a3ef0120e342d365c41492a495b697a94ba8b

SHA512
62cd9a937a7242ba6c7d38cae6ed70ae1c7914ae1a10f5e084f7088b09b83039a803f5710b848d7c0c8e79f27bc520f5539cc9c0b63e861757963d69ae0c0d6e

Download Submit
C:\Windows\SysWOW64\Chkmkacq.exe

Filesize
64KB

MD5
bdcd5a6e2d391f145dc67e10d5a38b2f

SHA1
731d971283f744f85b4988ccec63657cf0661b4d

SHA256
9a4c4be3fc6cae0cf2b1349d57c0ef5a041fa3e7902a0f8982e2a6bc39efd5b7

SHA512
5eafdc72e17fe024a2435fc8b2a98818014ab46b0ea8954beebea46ae50ab670f21ab9769ead75a3fd28a6ef45f693d1891e3c73f16ccb9d43006db662b9df2a

Download Submit
C:\Windows\SysWOW64\Cilibi32.exe

Filesize
64KB

MD5
d193c52f7bd943a647e86edd08d0f727

SHA1
34327759b05d85613b63a553cd2624a3e837856f

SHA256
0919ceb8845ffcda49a1a396fc2e69216dae2f55835e896943068e83131164ab

SHA512
199cd8606e63378773d753ff7fc76e4c653c14d0997c0dec1feeb901e3538d487ffcec3a06baedb737355be012c9e1f47c72ef03bd807493e521f98637e86fc8

Download Submit
C:\Windows\SysWOW64\Cmgechbh.exe

Filesize
64KB

MD5
cc43d0d8c81a590e8353ba8bd586963e

SHA1
de3e2cc660abc0eb53c4676f9f00459360a9ae70

SHA256
5ca1f871856ae31ea2c163ecca630808cca7927dbd09a6063cfcaaab778e0015

SHA512
62b47901d600e45e0cf92d9d1f5c77b70d1b7a6d7b97c2b1cd87664febefb8adee586b6810d6a535ea67952038ccb0bf14d17f7b2bef95ee01460d692bb8fa7d

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
64KB

MD5
75986315db870ff2bb356eb16ed9deb9

SHA1
52abb0a85bc5f343cb87764dfc36664fee16943b

SHA256
71bfeebe9b8a7d6265d2ba25aafba742f3b9826d0cd83ffe131db3b2acf7083e

SHA512
02d916df57007baeca24b050bd7d1ab9cda1727e35815eef2473ad623b5a3210f5690b97dc6969f40bad6e4cd31647e62664bf37423c97590eb3bb04541d1378

Download Submit
C:\Windows\SysWOW64\Oegbheiq.exe

Filesize
64KB

MD5
83918b22df605eeace8e071fb887fc20

SHA1
c10316c89807c7e850d15138646b75ab7294ce7c

SHA256
b5207adf911d8e96530765168923fb908d2db568f5b9047e970b8a734c53bb9f

SHA512
6db66ac34d614a02da51be8418a7091c25578a757c36a8d5a910eae872c5852344e1eaac32f6d3d30088ec9747af0db7c47113e532f869154999ca3ab10c101d

Download Submit
C:\Windows\SysWOW64\Ohendqhd.exe

Filesize
64KB

MD5
245e0d1c2d4ddb9d52c69c3dc9dbfbeb

SHA1
522f717cd72bb3be2cf414662ff4b2156486173b

SHA256
b8c2887c4dda7a6e24de3844cb581395b1deacec3eb7a259d4a7912da0119981

SHA512
15a609c4c30862f79b56867e03e9ed8e2767815590b47a0f4f2e3066e47fcc64e3cb4b3a910721ecacc01012c96aca37c84ae1f29e9a6aee49dfa1e68d55eff8

Download Submit
C:\Windows\SysWOW64\Okfgfl32.exe

Filesize
64KB

MD5
a5cc1a98345b67ea8628a0e1e038bcdd

SHA1
01ea8f578fa7598ae06382a7ae564bbc829e3f23

SHA256
9a5ddb763b84e1d9844a3cfc0ead0c4442be7061ba86a9e0f883c0f521f46a15

SHA512
66dab44564c64887a154d87a0869159718bf9f34dd910f200ee82b1c2a2a6ae84fb46a691af898c2b9e63a2227b9d1806c3bbccd0cb1f805f5d9b2b24ad49d45

Download Submit
C:\Windows\SysWOW64\Pbkbgjcc.exe

Filesize
64KB

MD5
cde83f8b2281b8998c186851d8c0455f

SHA1
5a33d392abfcc7c48bd0c366eb1e1cbc4d0ffc79

SHA256
1a5168ffd8c4d7d8d14bd3bacaec1001ddd5953e4221a64aa81bd7b8936ecb78

SHA512
cb352383d5f6c2ed59ed01546e49ead0367ab64b942de4d5a1f10d36a93ee8628537edaf4266d0d8bec44777aef953104ea2152cd21f39fa7aac5cd7d44587a6

Download Submit
C:\Windows\SysWOW64\Pdaheq32.exe

Filesize
64KB

MD5
018bc51eaa17161a102e7a2ccdb3277b

SHA1
01e61bad6dc132ebc083e83cf35aec5dc568da2f

SHA256
06efd4359c676c29974a80d27feb2055b57b06b90e24b4398bbceecb795b5a11

SHA512
e0102263c4a9a6b7a7a7e533734a352b9c818eace7618003a6f7c3e7b556f65b9657b39a709980e69cfc159d536efc4a3a5d1ac365922ef619016e5e91cd0ef1

Download Submit
C:\Windows\SysWOW64\Pfikmh32.exe

Filesize
64KB

MD5
518f5cc5573f3ab687a4ab399426a84c

SHA1
6d634456f66dae237a16d2db38854dadf236db50

SHA256
5dc21a08bc61d8af7217fc6964596e80cf1540f097b10a907f3da970de1082f6

SHA512
d676aee5bef619f3d1c96d5bf314b292ed8350eb4cc135653725bc3247f3462f5aed0385fd722d4e2d52fb7258ca6173e66720e322fd6bcb686dfa01b0409ff4

Download Submit
C:\Windows\SysWOW64\Piekcd32.exe

Filesize
64KB

MD5
c0d52d50e98ed893e1cfc3421265456c

SHA1
c3813513063888354ca65512cfee857a12950a53

SHA256
e8423d8815e6bc2da9ee0e920ebc32606829a0a809da3c2098c5a562512fb6e1

SHA512
c28c1e64795f4537e1748b05e94dd1e279b14b6a8d8b4396ef2f74f83d57dba5c636ff0a47d82a57dd07b1e31087fcf3ad76af0e182cccdc451754a199667b26

Download Submit
C:\Windows\SysWOW64\Pihgic32.exe

Filesize
64KB

MD5
ae5f507d6a744e04d09bdfa5122e76cf

SHA1
9cf1c8a7c6c319507eb754d415206adde69e320b

SHA256
7a7326c96024a0f0c2853041c22185f9f912b69ed64a039aefb58b9a3732bdce

SHA512
2665b79152a646332f5c5f336f40e6ed7f9b57c4d841f5fc4e35241cddd4385b341828fe0f319f2a7e6b439c5244e9853ecc4b5947c9990def04fc9499d048d4

Download Submit
C:\Windows\SysWOW64\Pjbjhgde.exe

Filesize
64KB

MD5
af1b5d7ca605d0849859d67a4eecab24

SHA1
09ce716eae8b6b58ac293e00e08dba3c4eb4cba6

SHA256
720db7712601b7c51571765a4241f59b20cb92baa662298b2a511062b46acde0

SHA512
f6ff5ea10dd8ccaf58bd13db347f60ea270f4086d60878a8af1dc3e44de38cc1405fb7501045ef387c55f23d700221bdea01de783afdd5e453ec339460a22ea1

Download Submit
C:\Windows\SysWOW64\Pjpnbg32.exe

Filesize
64KB

MD5
a2d64287d93bbd32319090d8d9ac80c6

SHA1
9ca107629b47ee8599648c04db72ab68da9dfdfd

SHA256
7721f5f09fbf3afffdd3f0fa44e45a1c46b4c64c06d2e57265f45626066de562

SHA512
f809d7ed145610252117eae8be9260510fa9cd29fe553921ec87ac090309eb9d226b3acc72c9696f7391d28320a058d7430cb12496906e13c9fd738e7353304d

Download Submit
C:\Windows\SysWOW64\Pkdgpo32.exe

Filesize
64KB

MD5
da0067779da68719dfe8ab668d2c8b72

SHA1
14ba8e55e1fab3bd34bfd8f244fb9342dc3b586d

SHA256
138ed9dad9fa35f78435a98f6c26ee876eb2d55dd96e915d5eeabe2a80f77dd8

SHA512
f24417070cb12720c5081d0586e4382d62d1921159b0c00f465e6be5f9e10e074d050e17b0b50e916319d9271e78138ed36d70cc64039e1ee20e3da6091022c7

Download Submit
C:\Windows\SysWOW64\Pmojocel.exe

Filesize
64KB

MD5
2b12df2c934c2fae35637b901d4b8b90

SHA1
355fccbbff4bc132e87065e045241f208727f80b

SHA256
4666ef5d744cc31360aa1a3835f194fec07bb3c70b1e9123978a1a679a91af10

SHA512
e8d29f7707edebe31d7cfbb810a2fd383fcbeed7dd01dd654b0064f820166db6f63bc5c0492026cd2ef2fd48940b93a1af07148fb149b47de5cd439a8a1e7706

Download Submit
C:\Windows\SysWOW64\Pomfkndo.exe

Filesize
64KB

MD5
12f44daa6069b388965ffbfe49472cda

SHA1
84bb5bfc372b8b181a2022e58e34eaaeadd2dcec

SHA256
cf58dc5de57329b6b072b7462d431a9669d5a90758dcc60e8e1d1e911ff5bf53

SHA512
652af8a5d1214462ae521d2c235e91120f441d93efe94f381308c8dc57d2112c45c09202c4c031df92840518d9369054a0d9c3a4ceebd8e94674e0911804006a

Download Submit
C:\Windows\SysWOW64\Poocpnbm.exe

Filesize
64KB

MD5
54c922dab96fbc054b45138c0af610ff

SHA1
cd8097dbe5ee8cb83457b7637e46689256a96af6

SHA256
543bb9fd450fff28a07fdae3f66ea0783ad2bc281ee317fb47a3b7b17077293c

SHA512
3365a1649e075106a1d3adebaa1df2a06e615812b9bf18e48680757144863b364fe58b9f90a9dda1d4e54cbc6dcce2a339c18724296006aebbdbb0330880ea92

Download Submit
C:\Windows\SysWOW64\Qbbhgi32.exe

Filesize
64KB

MD5
631b205fedfe222d4cd80fa8204dce81

SHA1
8bddd99987803b8bf2b83d32b9592719ef85c039

SHA256
92b47eeceebe6d21d3f140414fc47f4b02e857619cd44f6d508faac1c68bbc5c

SHA512
70c5b70f2fce6ab11f952416ac963579e0e0fedbb4e74be2cad60fe870a02c8d0ba6c9f0e5b2a90aa4072b421f59962b9193c267e3203164c9355170566986fb

Download Submit
C:\Windows\SysWOW64\Qflhbhgg.exe

Filesize
64KB

MD5
0c48273af551fe59a910607b105f23c8

SHA1
9aea29733d57470fde3ca672de73f767a309a462

SHA256
811cdc326b66843fb879ce4a4617b69f626a547fdbb5c36e9b18c5076b5e4dcf

SHA512
8522277f8a4296597ad1db317d10a06cf68e2417d425bbb667d8648986887a7f7ff15df2d1e31b4368f90c8a6a613df1e762c4ad46caca7fc6e8697f437e0093

Download Submit
C:\Windows\SysWOW64\Qgoapp32.exe

Filesize
64KB

MD5
2be3ad239b8c626c4f98fc041ac6671c

SHA1
97a3ac361b4ea13598edae4f3d67454138d01eb3

SHA256
d0156e77492dd214a1fcf2d66d919363c49db752d2176bf40205a3737dc29ac1

SHA512
1e95859c66237c0e94c3c53ef6eb8eb2fb02575ae35d55577aa6f6b005802799c3ee875fc5ad6b91a59f8016a8ab4b71bc449bb201541e5a39fc51c57194aba6

Download Submit
C:\Windows\SysWOW64\Qijdocfj.exe

Filesize
64KB

MD5
d6d3ba98a0598c5afc6416c82980f6c4

SHA1
c1f06bc22d09b48201bdabe38b4df29205053b2b

SHA256
d70452c013f57ba24ceae3bb9e1b2186efacd3a808a74fe1577e4e5b8dc6dc7b

SHA512
83d27c3eed3718ae1662bccfd33aba41846b8ea88d15b4273f5e49efd102b6ef35e55d71ad2f2b7c36d11ecea739b60e5c1a838f5ac205eaa2162006c7bf01ca

Download Submit
C:\Windows\SysWOW64\Qjnmlk32.exe

Filesize
64KB

MD5
800cd3d495956c64765f40280db5c8a2

SHA1
257dac3861499c7c9469a70936cbd590ff0d2ded

SHA256
2a63a91bbdb3e9fb9c38e6619a40fc791e15348a03beb527fca42972d3c4c884

SHA512
995fc19f260c8578229a8a2097115d740fcb551a0cebb9db87b7aee7b40a3b529ca189bc1afc1ae3215c9b4314298c8c702beba5e4de13b4e31e0c59b3069172

Download Submit
C:\Windows\SysWOW64\Qkhpkoen.exe

Filesize
64KB

MD5
239b1fa6288cc61e37b0d625e7f4249d

SHA1
81d06e5a7e1ae6a73b8e4b8d97bff4515f052a65

SHA256
82cb85e3ed1ad9d547630d892d2e5299243bc4cb4f01b84fec0a2868b6d882da

SHA512
f5f06a57c6d28b9447aaba0793b81f0901f53eee6ed8dfe12acdbf0a5c26bbb23fa319e769f0163148fddbb2cb834d0c22394a9e79f8ed6e46e198a4fae1741b

Download Submit
C:\Windows\SysWOW64\Qkkmqnck.exe

Filesize
64KB

MD5
21100508fd19890e0e917d2ad5a00cb8

SHA1
54731f63916dc8f81384318a3bfaf15eff38a443

SHA256
85e3de19b667bbf3a46d1398cd1b33714fadc28e692ae63832c8d4f6cc23bed0

SHA512
2424f875987daf1774421c6eac7658e178ca7c23efed467266f39a8f12374eab11cd577f8494dcd4286a4ef4cc4e0af039292238af534a5c0359f0cbf41d6927

Download Submit
C:\Windows\SysWOW64\Qqeicede.exe

Filesize
64KB

MD5
16e05487eebc680b2d32d76ec2355e71

SHA1
7452b115376b1eda9d53ec24e78022b6d4b82578

SHA256
aac6fb0c23af53d25e063632fa9344ea3d888d640665d079417fbb3c0f62c8d1

SHA512
4bcbb2d492629082b410a7012687850047ab122f323501e66668d5c0596c9383e5e4ee2c4c4b67b1f83f0a2b301f2b05bcfb96bedc8a3fdff5d5c545d7d24076

Download Submit
\Windows\SysWOW64\Ocalkn32.exe

Filesize
64KB

MD5
87a15c92cde67bd6db25972789ecc406

SHA1
d182a12310a956532909db5d2dace679179bf902

SHA256
850b67f0b1db92896f4313760796d8cda63ff1e1a51aa77a8ca9fb6c04f81b61

SHA512
eaacc8603a3c36ed896032bd325a7f42cff3e800c73402b2d00db507cea35835140a51dd599f805612407405d79fab8968acae43a3be0d808dfccbe610dc5520

Download Submit
\Windows\SysWOW64\Odjbdb32.exe

Filesize
64KB

MD5
35a193b3107406ddf7e404da1fabec91

SHA1
88d4e29a0598cae7b99d99aaccee1b7a7006ab4a

SHA256
389f7f9057c54a17f5a2177aa1e42be70a76ca1b6c05a7e7f90d3c8515883dc0

SHA512
e40dd30a1019b153aa02b26beea9066d6594e649bc555825ab7115ceaf59f147e5b9f62486c2ce0b3495b4b896116b14bc58592977c53beea2c58a08d21802fb

Download Submit
\Windows\SysWOW64\Ohhkjp32.exe

Filesize
64KB

MD5
275b7b75821346ce4226989ddb93ad9f

SHA1
01404e43b9cf2a360c5ebf08a6e82efaaefa8feb

SHA256
7babe9227855b4229d303ff24ff5610dfc7d34202a4e528851f5c46d7363c690

SHA512
7fc3576f1b07fddc7101f8083082daec4adddb6cc86e2e655bf9601602f991d8c38e768cfd1298445947bf3765495c6812fd3ca22ac9a2ae9f42b5596033facd

Download Submit
\Windows\SysWOW64\Onecbg32.exe

Filesize
64KB

MD5
52104581cee359fd57bf298852f388c1

SHA1
dca67696a6c9fb3af3064482ec7e6cd8203a389c

SHA256
54bcb5dcad2973d7f9d9c750008823c67e4dd28f9b1211f968d93b86a2d3f0d0

SHA512
574816cb54947fd9787d4b4eb5f00ee9010bdc6c5e01d3bc05b3e58910fecef645a8f121300e5031d921e61c85ef73b4057bb20c4daba56c9f43b067d3d9d00b

Download Submit
\Windows\SysWOW64\Oopfakpa.exe

Filesize
64KB

MD5
e8ce98d74c9f2bce1d2024e341f6e6fc

SHA1
dae75451eb7a3cb464b6c55d607a36cff49b3505

SHA256
f98e5317de32806f04dc6d2eecbd421d75d14314a046ca55c922b022be5c4a40

SHA512
9a044eee1250c6835dde92d1eb99b77ba65d072bf25b2bb69df32a16fa13b4b54771023be8bdb17b56f6aa0745b347cd6989e5d5dd630e33315b10a0830680ca

Download Submit
\Windows\SysWOW64\Oqcpob32.exe

Filesize
64KB

MD5
ff04f2109be38554a8e3caf95e3fd463

SHA1
887bb0e578aae6f04a71e1bfae5861b19b057803

SHA256
b86539708b5ca8d8b9f65f56eb03e1e13b9595778579a84b706bdf1662a9c3b5

SHA512
64ac82549868f1606ca3b94e220a239e3a9bb5c788a7a5a5f1fcb37c649ebc341f44333fb5c5aa157d54d876fa7787f5c2cf071bd1f511a677a6327ad23cee01

Download Submit
\Windows\SysWOW64\Pcfefmnk.exe

Filesize
64KB

MD5
18c84b33528176c352356adf63d25b35

SHA1
f0289f7c94dda974f30b590d623f125426787275

SHA256
e5951ef12ed4944a325a470698468c789a8eff088a228693cf22ccf814bf8690

SHA512
1452dcc0ef51b1ae467c6e15c274ddf63f16607278e006082d01c4d8d9b6938c6087ed6ed777aa5092d5518aeadf83f8bd0d2ccd002c02d7326f88383e39ed6f

Download Submit
\Windows\SysWOW64\Pfbelipa.exe

Filesize
64KB

MD5
e6d16e6abd56f95afab63861391550e7

SHA1
b266cd430942f9f2ace3285858620c59b8baaaee

SHA256
55f9b6e7aeba9de7ca0dc0a1c93ec859148b3ab0466ea9d4f32a2120fe740fb3

SHA512
6061e2966ac1ba391b155373bb91b3292f2a6fb67a0d49d00e67b36de554b3f37490b926c480b0f0779225bc6858817f96f480405b266c865dbe4f8672ca379e

Download Submit
\Windows\SysWOW64\Pjldghjm.exe

Filesize
64KB

MD5
77d7dcd4ea851c4ac6147abb9bccf7f9

SHA1
3d97db6b8c0eac4bf2ebf064553ae4cd76be338c

SHA256
fec4dcad1e9837901e745781be730001a9c14b9d4efdce80aaf2960b8364db38

SHA512
d461a6b79a4c40d03ea00eacaf30baac43a1ff911d171e915ee164d493e49a2d9cb00296c1ce196130d74a5c0af2c2903c82a8d4ec0c57acd1c68d845591a8ad

Download Submit
\Windows\SysWOW64\Pmjqcc32.exe

Filesize
64KB

MD5
461f49c57e3b9d5da50064b6f094def8

SHA1
3555b2d979c06e8d4f76296acdf67314a9ae52f8

SHA256
d354c3b8970d315e2f287cbeb573639670270d152f47670f35bf589ab85c368b

SHA512
929e0954eefcd6ffe821a44cbc8f4916d304a6743bada10db824ce97775ded0e92414d71308e360951c7074c5babd9820d287b318dc5d62d6c755f3529584129

Download Submit
\Windows\SysWOW64\Pnimnfpc.exe

Filesize
64KB

MD5
4577c3a33fc02c5fb905aff77de5095c

SHA1
08bca0ab6dda8b26ea8a9b7dd94ad52b044eb299

SHA256
05f420d62351ecb1d830367ed674739255b0858fd4ac1b025ec5646a1a264b48

SHA512
0d9d5e37df1e3577da9269c615d0a5880939325dc2995aa2b4227b3620b6eadf8370315194e39cd1c9747f1d6b4098da451def8ef4ec93a6b16ee10c2a3e0739

Download Submit
\Windows\SysWOW64\Pqhijbog.exe

Filesize
64KB

MD5
eb7692c20e8e35302f4fe91dea9b10f2

SHA1
c67cc52a857c28a4d64cedda2db207bde4c77e75

SHA256
ef8ec7014b09f9f713d9c7bbfda0d3c511ed8340a3da56e53c1320411ed2e2c7

SHA512
635f096f26ee3e64559b722802d2a0393152f5056e76c8b88795a0f6eca1b282943b6a63f4b286ccdea3b0f6a1dab21c9f94ad15441e0f6085d9c910621d448f

Download Submit
memory/400-428-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/400-113-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/476-363-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/536-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/536-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/816-405-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/816-395-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1000-514-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1000-507-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1064-501-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1064-173-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1080-461-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1080-467-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/1080-472-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/1108-487-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1108-473-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1160-438-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/1160-429-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1352-259-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/1352-250-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1376-238-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1376-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1480-415-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1480-87-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1480-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1540-263-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1548-303-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/1548-307-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/1556-313-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1556-317-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1612-448-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1612-439-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1804-519-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1956-506-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1956-505-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1956-495-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1968-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1968-394-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1992-285-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1992-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2008-460-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2008-453-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2084-426-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2084-427-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2084-101-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2172-220-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2172-213-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2176-194-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2176-512-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2176-186-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2196-278-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/2196-269-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2356-494-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2356-493-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2356-482-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2456-294-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2596-18-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2644-349-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2644-344-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2644-350-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2664-393-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2664-60-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2664-53-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2700-51-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2700-383-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2700-378-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2756-327-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2756-328-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2756-318-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2768-167-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2768-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2768-489-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2812-34-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/2812-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2840-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2840-17-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2840-351-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2892-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2892-361-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/2892-362-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/2896-339-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2896-338-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2896-329-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2956-416-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2956-410-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2968-127-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2968-449-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2980-382-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2980-372-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-140-0x0000000000290000-0x00000000002BF000-memory.dmp

Filesize
188KB

Download
memory/3008-456-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3016-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3016-471-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3040-417-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3060-518-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3060-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads