berbew | e21f4334dcb1eb35aba8ed458f363ddf7cd8b727d1c0d8a2fa57abdb39c1c3db

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e21f4334dcb1eb35aba8ed458f363ddf7cd8b727d1c0d8a2fa57abdb39c1c3db.exe
Size

80KB
MD5

b90b26a7f183c6ad0da58cce4095e393
SHA1

c5c994b3a88f2b75a77bde58ad78981571c6abed
SHA256

e21f4334dcb1eb35aba8ed458f363ddf7cd8b727d1c0d8a2fa57abdb39c1c3db
SHA512

80e956b96cc7fa4dca9b737379f9201eb2c4d63f4afb97bf8b97f6822cb2eb2ae26430d4e17685a0adf550e786db84fcc47a7a1a684c68ef87f746686ad3cbd5
SSDEEP

1536:5NrqF388uagwJG05F+8W2LUeyJ9VqDlzVxyh+CbxMa:rWdo05blyJ9IDlRxyhTbz

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojmpooah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oidiekdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adifpk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adnpkjde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdjjag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nefdpjkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Plgolf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phnpagdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njfjnpgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njhfcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abpcooea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhknaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgedmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oadkej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phnpagdp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfocaki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddlkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbcoio32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajmijmnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnmpdlac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opihgfop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcofio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnmpdlac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnbhb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nplimbka.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgllgedi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e21f4334dcb1eb35aba8ed458f363ddf7cd8b727d1c0d8a2fa57abdb39c1c3db.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmicfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nplimbka.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oadkej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phqmgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqnifg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opihgfop.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
540	Lcofio32.exe
2040	Lhknaf32.exe
1820	Lgqkbb32.exe
2984	Lddlkg32.exe
2008	Mnmpdlac.exe
2588	Mgedmb32.exe
2564	Mqnifg32.exe
2376	Mjfnomde.exe
2784	Mcnbhb32.exe
1252	Mmgfqh32.exe
2452	Mbcoio32.exe
1704	Mmicfh32.exe
1352	Nfahomfd.exe
304	Nmkplgnq.exe
2228	Nefdpjkl.exe
448	Nplimbka.exe
1124	Nidmfh32.exe
1028	Njfjnpgp.exe
604	Nhjjgd32.exe
2204	Njhfcp32.exe
1672	Njjcip32.exe
2380	Oadkej32.exe
1732	Ojmpooah.exe
1164	Opihgfop.exe
2460	Odgamdef.exe
924	Oidiekdn.exe
2644	Oekjjl32.exe
2840	Opqoge32.exe
2760	Piicpk32.exe
2144	Plgolf32.exe
1660	Phnpagdp.exe
3064	Pohhna32.exe
1520	Phqmgg32.exe
1708	Pgcmbcih.exe
2620	Paknelgk.exe
2804	Pdjjag32.exe
1448	Qcogbdkg.exe
2952	Qkfocaki.exe
3056	Alihaioe.exe
2124	Apedah32.exe
1692	Agolnbok.exe
1344	Ajmijmnn.exe
1032	Aakjdo32.exe
2488	Adifpk32.exe
2740	Abmgjo32.exe
1224	Aficjnpm.exe
2360	Akfkbd32.exe
1568	Andgop32.exe
2316	Abpcooea.exe
2320	Aqbdkk32.exe
2748	Adnpkjde.exe
2844	Bgllgedi.exe
2544	Bkhhhd32.exe
2912	Bbbpenco.exe
2248	Bdqlajbb.exe
2800	Bniajoic.exe
2348	Bmlael32.exe
2168	Bceibfgj.exe
1160	Bjpaop32.exe
2120	Bmnnkl32.exe
3044	Boljgg32.exe
1872	Bffbdadk.exe
1788	Bjbndpmd.exe
1624	Bieopm32.exe

Loads dropped DLL 64 IoCs

pid	Process
2480	e21f4334dcb1eb35aba8ed458f363ddf7cd8b727d1c0d8a2fa57abdb39c1c3db.exe
2480	e21f4334dcb1eb35aba8ed458f363ddf7cd8b727d1c0d8a2fa57abdb39c1c3db.exe
540	Lcofio32.exe
540	Lcofio32.exe
2040	Lhknaf32.exe
2040	Lhknaf32.exe
1820	Lgqkbb32.exe
1820	Lgqkbb32.exe
2984	Lddlkg32.exe
2984	Lddlkg32.exe
2008	Mnmpdlac.exe
2008	Mnmpdlac.exe
2588	Mgedmb32.exe
2588	Mgedmb32.exe
2564	Mqnifg32.exe
2564	Mqnifg32.exe
2376	Mjfnomde.exe
2376	Mjfnomde.exe
2784	Mcnbhb32.exe
2784	Mcnbhb32.exe
1252	Mmgfqh32.exe
1252	Mmgfqh32.exe
2452	Mbcoio32.exe
2452	Mbcoio32.exe
1704	Mmicfh32.exe
1704	Mmicfh32.exe
1352	Nfahomfd.exe
1352	Nfahomfd.exe
304	Nmkplgnq.exe
304	Nmkplgnq.exe
2228	Nefdpjkl.exe
2228	Nefdpjkl.exe
448	Nplimbka.exe
448	Nplimbka.exe
1124	Nidmfh32.exe
1124	Nidmfh32.exe
1028	Njfjnpgp.exe
1028	Njfjnpgp.exe
604	Nhjjgd32.exe
604	Nhjjgd32.exe
2204	Njhfcp32.exe
2204	Njhfcp32.exe
1672	Njjcip32.exe
1672	Njjcip32.exe
2380	Oadkej32.exe
2380	Oadkej32.exe
1732	Ojmpooah.exe
1732	Ojmpooah.exe
1164	Opihgfop.exe
1164	Opihgfop.exe
2460	Odgamdef.exe
2460	Odgamdef.exe
924	Oidiekdn.exe
924	Oidiekdn.exe
2644	Oekjjl32.exe
2644	Oekjjl32.exe
2840	Opqoge32.exe
2840	Opqoge32.exe
2760	Piicpk32.exe
2760	Piicpk32.exe
2144	Plgolf32.exe
2144	Plgolf32.exe
1660	Phnpagdp.exe
1660	Phnpagdp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bgllgedi.exe	Adnpkjde.exe
File created	C:\Windows\SysWOW64\Oadkej32.exe	Njjcip32.exe
File created	C:\Windows\SysWOW64\Pdjjag32.exe	Paknelgk.exe
File created	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bfioia32.exe
File created	C:\Windows\SysWOW64\Cgknkqan.dll	Lcofio32.exe
File opened for modification	C:\Windows\SysWOW64\Nhjjgd32.exe	Njfjnpgp.exe
File created	C:\Windows\SysWOW64\Bdqlajbb.exe	Bbbpenco.exe
File created	C:\Windows\SysWOW64\Qkfocaki.exe	Qcogbdkg.exe
File created	C:\Windows\SysWOW64\Qcamkjba.dll	Bgllgedi.exe
File created	C:\Windows\SysWOW64\Npbdcgjh.dll	Nidmfh32.exe
File created	C:\Windows\SysWOW64\Piicpk32.exe	Opqoge32.exe
File opened for modification	C:\Windows\SysWOW64\Bjpaop32.exe	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Coacbfii.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Mqnifg32.exe	Mgedmb32.exe
File created	C:\Windows\SysWOW64\Bpdokkbh.dll	Mqnifg32.exe
File created	C:\Windows\SysWOW64\Nlboaceh.dll	Oadkej32.exe
File opened for modification	C:\Windows\SysWOW64\Phqmgg32.exe	Pohhna32.exe
File opened for modification	C:\Windows\SysWOW64\Paknelgk.exe	Pgcmbcih.exe
File opened for modification	C:\Windows\SysWOW64\Bffbdadk.exe	Boljgg32.exe
File opened for modification	C:\Windows\SysWOW64\Cebeem32.exe	Cbdiia32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Lgqkbb32.exe	Lhknaf32.exe
File created	C:\Windows\SysWOW64\Kagflkia.dll	Nmkplgnq.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Adnpkjde.exe	Aqbdkk32.exe
File opened for modification	C:\Windows\SysWOW64\Opihgfop.exe	Ojmpooah.exe
File opened for modification	C:\Windows\SysWOW64\Phnpagdp.exe	Plgolf32.exe
File opened for modification	C:\Windows\SysWOW64\Aakjdo32.exe	Ajmijmnn.exe
File created	C:\Windows\SysWOW64\Cbppnbhm.exe	Coacbfii.exe
File opened for modification	C:\Windows\SysWOW64\Apedah32.exe	Alihaioe.exe
File opened for modification	C:\Windows\SysWOW64\Adifpk32.exe	Aakjdo32.exe
File created	C:\Windows\SysWOW64\Bmnnkl32.exe	Bjpaop32.exe
File opened for modification	C:\Windows\SysWOW64\Pohhna32.exe	Phnpagdp.exe
File created	C:\Windows\SysWOW64\Mlbakl32.dll	Phnpagdp.exe
File created	C:\Windows\SysWOW64\Qcogbdkg.exe	Pdjjag32.exe
File created	C:\Windows\SysWOW64\Jpebhied.dll	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Cbblda32.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Pgcmbcih.exe	Phqmgg32.exe
File created	C:\Windows\SysWOW64\Gfikmo32.dll	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Jmclfnqb.dll	Akfkbd32.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Lbmnig32.dll	Bfioia32.exe
File created	C:\Windows\SysWOW64\Cgaaah32.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Oekjjl32.exe	Oidiekdn.exe
File opened for modification	C:\Windows\SysWOW64\Bmnnkl32.exe	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Bbjclbek.dll	Ajmijmnn.exe
File created	C:\Windows\SysWOW64\Cdpkangm.dll	Bceibfgj.exe
File opened for modification	C:\Windows\SysWOW64\Bqlfaj32.exe	Bieopm32.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Lcofio32.exe	e21f4334dcb1eb35aba8ed458f363ddf7cd8b727d1c0d8a2fa57abdb39c1c3db.exe
File created	C:\Windows\SysWOW64\Mjpbcokk.dll	Opihgfop.exe
File created	C:\Windows\SysWOW64\Hqjpab32.dll	Agolnbok.exe
File created	C:\Windows\SysWOW64\Bkhhhd32.exe	Bgllgedi.exe
File created	C:\Windows\SysWOW64\Jdpkmjnb.dll	Bmnnkl32.exe
File opened for modification	C:\Windows\SysWOW64\Cchbgi32.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Pohbak32.dll	Mbcoio32.exe
File opened for modification	C:\Windows\SysWOW64\Ojmpooah.exe	Oadkej32.exe
File opened for modification	C:\Windows\SysWOW64\Bkhhhd32.exe	Bgllgedi.exe
File created	C:\Windows\SysWOW64\Pdkiofep.dll	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Bieopm32.exe	Bjbndpmd.exe
File opened for modification	C:\Windows\SysWOW64\Cgaaah32.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Cjakccop.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Gpajfg32.dll	Cchbgi32.exe
File opened for modification	C:\Windows\SysWOW64\Mbcoio32.exe	Mmgfqh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2888	2308	WerFault.exe	117

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bniajoic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcogbdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paknelgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agolnbok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akfkbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andgop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgedmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njfjnpgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqnifg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odgamdef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aakjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcooea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbbpenco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojmpooah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfocaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njjcip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plgolf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgllgedi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgqkbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbcoio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njhfcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oidiekdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnpkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceibfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnmpdlac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhjjgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgcmbcih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alihaioe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adifpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmicfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhknaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nidmfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjjag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcofio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajmijmnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nplimbka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coacbfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lddlkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfahomfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmkplgnq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opqoge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piicpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phnpagdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqbdkk32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnafi32.dll"	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boljgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phnpagdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgcmbcih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alppmhnm.dll"	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apedah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alecllfh.dll"	Boljgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbcoio32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oadkej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhjpijfl.dll"	Lgqkbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oefdbdjo.dll"	Oidiekdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egfokakc.dll"	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekndacia.dll"	Apedah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhjjgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhjjgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opihgfop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopbda32.dll"	Opqoge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnbhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njfjnpgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkiofep.dll"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlboaceh.dll"	Oadkej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dicdjqhf.dll"	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mqnifg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmgfqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njjcip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oekjjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfibop32.dll"	Pohhna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgedmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpqmndme.dll"	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aglfmjon.dll"	Aqbdkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfahomfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nidmfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdjjag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddlkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladpkl32.dll"	Mmgfqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggpgo32.dll"	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oadkej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdpkangm.dll"	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coacbfii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhknaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkpidd32.dll"	Piicpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmlael32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 540	2480	e21f4334dcb1eb35aba8ed458f363ddf7cd8b727d1c0d8a2fa57abdb39c1c3db.exe	31
PID 2480 wrote to memory of 540	2480	e21f4334dcb1eb35aba8ed458f363ddf7cd8b727d1c0d8a2fa57abdb39c1c3db.exe	31
PID 2480 wrote to memory of 540	2480	e21f4334dcb1eb35aba8ed458f363ddf7cd8b727d1c0d8a2fa57abdb39c1c3db.exe	31
PID 2480 wrote to memory of 540	2480	e21f4334dcb1eb35aba8ed458f363ddf7cd8b727d1c0d8a2fa57abdb39c1c3db.exe	31
PID 540 wrote to memory of 2040	540	Lcofio32.exe	32
PID 540 wrote to memory of 2040	540	Lcofio32.exe	32
PID 540 wrote to memory of 2040	540	Lcofio32.exe	32
PID 540 wrote to memory of 2040	540	Lcofio32.exe	32
PID 2040 wrote to memory of 1820	2040	Lhknaf32.exe	33
PID 2040 wrote to memory of 1820	2040	Lhknaf32.exe	33
PID 2040 wrote to memory of 1820	2040	Lhknaf32.exe	33
PID 2040 wrote to memory of 1820	2040	Lhknaf32.exe	33
PID 1820 wrote to memory of 2984	1820	Lgqkbb32.exe	34
PID 1820 wrote to memory of 2984	1820	Lgqkbb32.exe	34
PID 1820 wrote to memory of 2984	1820	Lgqkbb32.exe	34
PID 1820 wrote to memory of 2984	1820	Lgqkbb32.exe	34
PID 2984 wrote to memory of 2008	2984	Lddlkg32.exe	35
PID 2984 wrote to memory of 2008	2984	Lddlkg32.exe	35
PID 2984 wrote to memory of 2008	2984	Lddlkg32.exe	35
PID 2984 wrote to memory of 2008	2984	Lddlkg32.exe	35
PID 2008 wrote to memory of 2588	2008	Mnmpdlac.exe	36
PID 2008 wrote to memory of 2588	2008	Mnmpdlac.exe	36
PID 2008 wrote to memory of 2588	2008	Mnmpdlac.exe	36
PID 2008 wrote to memory of 2588	2008	Mnmpdlac.exe	36
PID 2588 wrote to memory of 2564	2588	Mgedmb32.exe	37
PID 2588 wrote to memory of 2564	2588	Mgedmb32.exe	37
PID 2588 wrote to memory of 2564	2588	Mgedmb32.exe	37
PID 2588 wrote to memory of 2564	2588	Mgedmb32.exe	37
PID 2564 wrote to memory of 2376	2564	Mqnifg32.exe	38
PID 2564 wrote to memory of 2376	2564	Mqnifg32.exe	38
PID 2564 wrote to memory of 2376	2564	Mqnifg32.exe	38
PID 2564 wrote to memory of 2376	2564	Mqnifg32.exe	38
PID 2376 wrote to memory of 2784	2376	Mjfnomde.exe	39
PID 2376 wrote to memory of 2784	2376	Mjfnomde.exe	39
PID 2376 wrote to memory of 2784	2376	Mjfnomde.exe	39
PID 2376 wrote to memory of 2784	2376	Mjfnomde.exe	39
PID 2784 wrote to memory of 1252	2784	Mcnbhb32.exe	40
PID 2784 wrote to memory of 1252	2784	Mcnbhb32.exe	40
PID 2784 wrote to memory of 1252	2784	Mcnbhb32.exe	40
PID 2784 wrote to memory of 1252	2784	Mcnbhb32.exe	40
PID 1252 wrote to memory of 2452	1252	Mmgfqh32.exe	41
PID 1252 wrote to memory of 2452	1252	Mmgfqh32.exe	41
PID 1252 wrote to memory of 2452	1252	Mmgfqh32.exe	41
PID 1252 wrote to memory of 2452	1252	Mmgfqh32.exe	41
PID 2452 wrote to memory of 1704	2452	Mbcoio32.exe	42
PID 2452 wrote to memory of 1704	2452	Mbcoio32.exe	42
PID 2452 wrote to memory of 1704	2452	Mbcoio32.exe	42
PID 2452 wrote to memory of 1704	2452	Mbcoio32.exe	42
PID 1704 wrote to memory of 1352	1704	Mmicfh32.exe	43
PID 1704 wrote to memory of 1352	1704	Mmicfh32.exe	43
PID 1704 wrote to memory of 1352	1704	Mmicfh32.exe	43
PID 1704 wrote to memory of 1352	1704	Mmicfh32.exe	43
PID 1352 wrote to memory of 304	1352	Nfahomfd.exe	44
PID 1352 wrote to memory of 304	1352	Nfahomfd.exe	44
PID 1352 wrote to memory of 304	1352	Nfahomfd.exe	44
PID 1352 wrote to memory of 304	1352	Nfahomfd.exe	44
PID 304 wrote to memory of 2228	304	Nmkplgnq.exe	45
PID 304 wrote to memory of 2228	304	Nmkplgnq.exe	45
PID 304 wrote to memory of 2228	304	Nmkplgnq.exe	45
PID 304 wrote to memory of 2228	304	Nmkplgnq.exe	45
PID 2228 wrote to memory of 448	2228	Nefdpjkl.exe	46
PID 2228 wrote to memory of 448	2228	Nefdpjkl.exe	46
PID 2228 wrote to memory of 448	2228	Nefdpjkl.exe	46
PID 2228 wrote to memory of 448	2228	Nefdpjkl.exe	46

C:\Users\Admin\AppData\Local\Temp\e21f4334dcb1eb35aba8ed458f363ddf7cd8b727d1c0d8a2fa57abdb39c1c3db.exe
"C:\Users\Admin\AppData\Local\Temp\e21f4334dcb1eb35aba8ed458f363ddf7cd8b727d1c0d8a2fa57abdb39c1c3db.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\SysWOW64\Lcofio32.exe
  C:\Windows\system32\Lcofio32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Windows\SysWOW64\Lhknaf32.exe
    C:\Windows\system32\Lhknaf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\SysWOW64\Lgqkbb32.exe
      C:\Windows\system32\Lgqkbb32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1820
    - - C:\Windows\SysWOW64\Lddlkg32.exe
        
        C:\Windows\system32\Lddlkg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
      - C:\Windows\SysWOW64\Mnmpdlac.exe
        
        C:\Windows\system32\Mnmpdlac.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Mgedmb32.exe
        
        C:\Windows\system32\Mgedmb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Mqnifg32.exe
        
        C:\Windows\system32\Mqnifg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Mjfnomde.exe
        
        C:\Windows\system32\Mjfnomde.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Mcnbhb32.exe
        
        C:\Windows\system32\Mcnbhb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\Mmgfqh32.exe
        
        C:\Windows\system32\Mmgfqh32.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Mbcoio32.exe
        
        C:\Windows\system32\Mbcoio32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Mmicfh32.exe
        
        C:\Windows\system32\Mmicfh32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Nfahomfd.exe
        
        C:\Windows\system32\Nfahomfd.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Nmkplgnq.exe
        
        C:\Windows\system32\Nmkplgnq.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:304
        
        C:\Windows\SysWOW64\Nefdpjkl.exe
        
        C:\Windows\system32\Nefdpjkl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Nplimbka.exe
        
        C:\Windows\system32\Nplimbka.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\Nidmfh32.exe
        
        C:\Windows\system32\Nidmfh32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Njfjnpgp.exe
        
        C:\Windows\system32\Njfjnpgp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Nhjjgd32.exe
        
        C:\Windows\system32\Nhjjgd32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:604
        
        C:\Windows\SysWOW64\Njhfcp32.exe
        
        C:\Windows\system32\Njhfcp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\Njjcip32.exe
        
        C:\Windows\system32\Njjcip32.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Oadkej32.exe
        
        C:\Windows\system32\Oadkej32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Ojmpooah.exe
        
        C:\Windows\system32\Ojmpooah.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Windows\SysWOW64\Opihgfop.exe
        
        C:\Windows\system32\Opihgfop.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Odgamdef.exe
        
        C:\Windows\system32\Odgamdef.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\Oidiekdn.exe
        
        C:\Windows\system32\Oidiekdn.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Oekjjl32.exe
        
        C:\Windows\system32\Oekjjl32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Opqoge32.exe
        
        C:\Windows\system32\Opqoge32.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Piicpk32.exe
        
        C:\Windows\system32\Piicpk32.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Plgolf32.exe
        
        C:\Windows\system32\Plgolf32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\Phnpagdp.exe
        
        C:\Windows\system32\Phnpagdp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Pohhna32.exe
        
        C:\Windows\system32\Pohhna32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Phqmgg32.exe
        
        C:\Windows\system32\Phqmgg32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1520
        
        C:\Windows\SysWOW64\Pgcmbcih.exe
        
        C:\Windows\system32\Pgcmbcih.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Paknelgk.exe
        
        C:\Windows\system32\Paknelgk.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Windows\SysWOW64\Pdjjag32.exe
        
        C:\Windows\system32\Pdjjag32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Qcogbdkg.exe
        
        C:\Windows\system32\Qcogbdkg.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1448
        
        C:\Windows\SysWOW64\Qkfocaki.exe
        
        C:\Windows\system32\Qkfocaki.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Alihaioe.exe
        
        C:\Windows\system32\Alihaioe.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Apedah32.exe
        
        C:\Windows\system32\Apedah32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Agolnbok.exe
        
        C:\Windows\system32\Agolnbok.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\Ajmijmnn.exe
        
        C:\Windows\system32\Ajmijmnn.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Aakjdo32.exe
        
        C:\Windows\system32\Aakjdo32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\Adifpk32.exe
        
        C:\Windows\system32\Adifpk32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\Abmgjo32.exe
        
        C:\Windows\system32\Abmgjo32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Aficjnpm.exe
        
        C:\Windows\system32\Aficjnpm.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Akfkbd32.exe
        
        C:\Windows\system32\Akfkbd32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\Andgop32.exe
        
        C:\Windows\system32\Andgop32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Abpcooea.exe
        
        C:\Windows\system32\Abpcooea.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\Aqbdkk32.exe
        
        C:\Windows\system32\Aqbdkk32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Adnpkjde.exe
        
        C:\Windows\system32\Adnpkjde.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\Bgllgedi.exe
        
        C:\Windows\system32\Bgllgedi.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Bkhhhd32.exe
        
        C:\Windows\system32\Bkhhhd32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\SysWOW64\Bbbpenco.exe
        
        C:\Windows\system32\Bbbpenco.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Bniajoic.exe
        
        C:\Windows\system32\Bniajoic.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\Bmlael32.exe
        
        C:\Windows\system32\Bmlael32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Bceibfgj.exe
        
        C:\Windows\system32\Bceibfgj.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1160
        
        C:\Windows\SysWOW64\Bmnnkl32.exe
        
        C:\Windows\system32\Bmnnkl32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1788
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1876
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Coacbfii.exe
        
        C:\Windows\system32\Coacbfii.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2080
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        75⤵
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:940
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:948
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:780
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        81⤵
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1716
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2696
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 144
        89⤵
        Program crash
        
        PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aakjdo32.exe

Filesize
80KB

MD5
9160f542bd19478f2a7350f9a1d77c19

SHA1
59d691f30b907911c0f3ba4075fcb62d211caf83

SHA256
ad120e322357b903b25488bad5b076c6ad442bee8f6f6835cacb3631ccc2ea6c

SHA512
39d59f12e55d324d87d83dff9cdf0d7e8d772294a5d8a503aeca0f6d0234534e3e5e54a969e13ef369ba3b351367b5d4163a43251f03412fbf6a5c3b259820c8

Download Submit
C:\Windows\SysWOW64\Abmgjo32.exe

Filesize
80KB

MD5
a807b8867a3952313cb260b235e5e4e3

SHA1
025d43b83b643ef66a4e3d9926f6218f87dc161e

SHA256
2b85503755ea3243740e866f205d97abe273ea8b5c9af644dcd5f05180e979cc

SHA512
611e32dd9e904c33c1c8a4c2eb949c344d1cf15e00299640265eff5d4c217c298d5b03cbad250cf0dadaa436bd8e1fc5ef7386d722c75f1da21a5edf004ad426

Download Submit
C:\Windows\SysWOW64\Abpcooea.exe

Filesize
80KB

MD5
259553d8b7ac5e2446c1c0713238b4cb

SHA1
d7ad006f1a46e626073d715018c1e6293c578276

SHA256
5f88ae1eb67c935ad6c5bdf0c5a26200120eea1e06801cb7d0dcd43f894995e6

SHA512
f834431462b470cf1c1dc18a6fbd21be4a415edcfccdce9469936618affdf89d5f4b6a40caed0574e5cf963f07c8ec9d6499800abad1cfdfdc2d702ea2db1246

Download Submit
C:\Windows\SysWOW64\Adifpk32.exe

Filesize
80KB

MD5
6bff31ee02b91dd759e7f23ed6e6081c

SHA1
c7ddc104c6b64373b5dcb2c961fa049b7e5536fc

SHA256
5619dcb54ef69495eb629f9dcdb371199c34545bfa235d2ca3483d83c67d3c81

SHA512
1992b031550f9cdab345c1aa359162d314247a77b57a54a45f606d2b6c3255f2824e2a23a7a86e21799f93caaca5b2aa61090960681d68da63b95727e1d2e2a3

Download Submit
C:\Windows\SysWOW64\Adnpkjde.exe

Filesize
80KB

MD5
28bbd9c82989c4b844b1ddaba19f95c0

SHA1
67e69ca6aca4c0193c9cb67196d7bc632aea9dae

SHA256
f843c0aef5f2c3c9450243084a4acd949ba6c908307bcba7ee84ea970ca63114

SHA512
c4b740178c350664ad41f6c4796cb65795dce12dc032da677411d634af1d931d7f80722ef580c4ceb2df9d96b1868ed1ed6ebbeee24d608877037aa0493cea7b

Download Submit
C:\Windows\SysWOW64\Aficjnpm.exe

Filesize
80KB

MD5
72d93988e5cfe335dd1f95bfd0464f55

SHA1
dd30db288e30457b6bb37aab86df0ecb057117f7

SHA256
b920b3124ea0182d1d58409edfb55406ac9bec4bb169625c2ba4eb96051d7d80

SHA512
ab53387a75a8d9becb56b11c7129b1616db8be2e16e7078c838820bd7f6314af689631b2c96d1bdf1be1cbe211bb7bc8eff9898c7848dad8a901af728284f5e0

Download Submit
C:\Windows\SysWOW64\Agolnbok.exe

Filesize
80KB

MD5
7c569f0fc18cc306dd3da0b0fb43133d

SHA1
04a917b3e8ebd47358dee94485f9fcfd3d32f4b8

SHA256
d97b9724542d43e79406fd989b4fb9f52b99ee793389485cb01b186c619822c2

SHA512
5e4bef8190517e2042e2be7dd0934eb4cd12f69b0df065f60ea5e9a092f2223a91cdb4c3cdc64100cfcddcd841fe2e463e1ff9947342ea906d6981da5540d8a0

Download Submit
C:\Windows\SysWOW64\Ajmijmnn.exe

Filesize
80KB

MD5
1b6f98a492837eca6fe67a4c2bf03cc3

SHA1
e0064025ad045b7fe018ffb984cc0fd4ec5ff7fd

SHA256
1d0af01d6cc94c1a669cf1f876a3a1289c03e6907be33d20e11606967c4a8b59

SHA512
353b6f4b797ae0030fdf26546b7852c85a5b5bdbdde792b68f6111314714c90fe29fdde966e88cc544594b9c301d5df1a5174bf0c87f32d7399f0a53db15d97b

Download Submit
C:\Windows\SysWOW64\Akfkbd32.exe

Filesize
80KB

MD5
4341ab19c4f1e9dca30263bc6fdfca27

SHA1
7059ca8e4c9d0029c419099aa45087dccf964f69

SHA256
856c583cd92d8b9494ce9bb1289c426212fcbd9a851b52acef25f9791ff1af71

SHA512
064c63ad3f2d0843ddbcd2ab0af118e668baa5ba3b29d3d0305e613891bbf53d4758de3fa7521aa3bc20563ea66f308dede3bc1fe2fb263df6eba614d47ea2ec

Download Submit
C:\Windows\SysWOW64\Alihaioe.exe

Filesize
80KB

MD5
69c21d5daf96807797c51b44e3a02c0a

SHA1
5a5cdb9f1b27f9cdf6b6e3b721d32961c8a0975a

SHA256
47eed869a065addf2f8e5e9e2f9de5176ec5c3af62b841c6cd45cba376b8b3ce

SHA512
c7d4d8cb6450b8fe234c3abb56d92c0bc7c1fcd659dc3aa9d7d667c7fac3d4b5fd35b4320322d399896988173c2b53fc1a2290f04ddbff4be97b57c200b653cd

Download Submit
C:\Windows\SysWOW64\Andgop32.exe

Filesize
80KB

MD5
d2da885f2cff0a4d0bb4e326b5c8324a

SHA1
0761590c5ae822e1e5b0b944b7cb5ace83ed96e4

SHA256
b310519536c9f2623d69cdaa09802dc44d2ae400ba69fd59afe34e78db0f6018

SHA512
d66cc1491355c7c71a2214966f4413438d64f799049626f4784f431a291af930173d6467785ce1e8be383636f798e389108284808a4982514a263432470ae2a7

Download Submit
C:\Windows\SysWOW64\Apedah32.exe

Filesize
80KB

MD5
a19ce37c27d063af625c7046d43c254b

SHA1
963af0b7493dd562981de7303718f3648c7cffa6

SHA256
a490edcb9533393d1df57d0022883b5779a4dbc7c6dc9f9bdb90e6de502a541e

SHA512
f3aa09220aa5789256886e2d7337a80dc6e291e1cd562de6a0f1d6c00e1b79081efd4cc52c3456827b7125c21d4a899872791f96ccf4d19ec862c432fc59ba30

Download Submit
C:\Windows\SysWOW64\Aqbdkk32.exe

Filesize
80KB

MD5
06869de6de025bf825fbf761f704efd4

SHA1
f8cd185057124e5539cef80ef151a1e699a6a55e

SHA256
abc3ff683e4a50dd30235499f43c2c03f92f8df88d88045bf440d2e8fab8f13b

SHA512
495c8e8173ddcaa96d227ba676cbc2dd4168bace22c777e0014038b1b701b031875db83c506923e71ca69d8eea5eb5bea2509daea25106473ceac1f50f07dc00

Download Submit
C:\Windows\SysWOW64\Bbbpenco.exe

Filesize
80KB

MD5
cb2fa7388e129948fce2b5819f2a0ac7

SHA1
7a906037ed6dec8df6bc66f17d4740854304ea3c

SHA256
ccb16cbdc593ddcfddf722091cf943addf1ab160202810a8056143608bbae7ad

SHA512
8abb452ab11ae48d5bbc069eab7fb26e2327ccff81373a2b875b4bd6a745b72a9f08a7573c066b1b34a44995d4ca97a5bd574507e8c21bf8cda83bb300808347

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
80KB

MD5
68c0f0b94b20a03dfd0fe1f32de73391

SHA1
3c4b4310871c73969a1c15b7e6ca0edf74ec8c2c

SHA256
78ebdae2a8bf069f258535c0842f5d6eb912c32aaa7300f8019fb78fca48a34f

SHA512
f4b41528bc66845159eb050cb1b22e29448d708d95845beff25f991715d9e85b9d26ea364d4f5afbd84594e1da308117ddf8bccf6b3e48f56999218815ae5559

Download Submit
C:\Windows\SysWOW64\Bceibfgj.exe

Filesize
80KB

MD5
be7a81d5fcaf41186ea5c1f813796f49

SHA1
a473cfc495b6a31c97fc1a3162a0719bec6824d1

SHA256
fc1034b327a1204614a578434305e6c6a7c5e3e9e7e0816aef4c7f6c85fec3db

SHA512
ae759c0f88e7caf1f7e03f0a958d4964b7587f053a211d4492dfc45c4637174189f93fe175841c96768ce978e088c021b1344ddc44d3737edfddfb0e10350e0d

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
80KB

MD5
58d30cebda8801dd53c942ea67231072

SHA1
2d18d566aa2ce16eb1bcc194e4622b617d5ca673

SHA256
90206701dce3d440e2aacfdb67f1d72c7160150fdabcfe10390297e0c9448804

SHA512
51fa762b54a60aeded1a1c6111ab543eee909489fb0c1dfa8fd0fd4fb7b489c9757415e778ea081b78f7316f597a6ffe09b44326baaf4b1eb5b07a61c4a501b2

Download Submit
C:\Windows\SysWOW64\Bffbdadk.exe

Filesize
80KB

MD5
c6a60ec241e42c0d2d554f730f985c02

SHA1
e5b50d513bf6662af6cd6d6d090770c834d0a778

SHA256
aa1e45ed177d317a0a5a1510eb8058d514e4b1228a8c0d5ab189ddf369ca3830

SHA512
225aa056e08f85d05915add2042eb76568ace20e232178d5805b88f4fe449a8fb56601cfddf16d92008f9a4c2dac5ebd73f47b458497fb0c79373553d534f570

Download Submit
C:\Windows\SysWOW64\Bfioia32.exe

Filesize
80KB

MD5
628005369c10f0aba7f2efe4615783f3

SHA1
91d72a82faa6e602fb526b1ed817be817edbe593

SHA256
05df03d44fcc326a7778eeb1f516a3cfb20367369d2b7e8fd3a9ecdc1bffb665

SHA512
95f2449aa33e4dc10c87ca5f7b4d07b9672d8285ba3ba919a709d183757c242e7611e594ef996781ae4c99c752c24e86dc64fc6a3d3e0c95dd011af39c7d6ba4

Download Submit
C:\Windows\SysWOW64\Bgllgedi.exe

Filesize
80KB

MD5
57147b53dd940ead43e4cf5633cc01a9

SHA1
7917cabb802d086241bc20bcfcaaf7d5211e4598

SHA256
80bea06cbee5361168572bf35f90c72c336bc5d7e9f24ded3f027b8c893ab72c

SHA512
06ed8f0b34404cc9ae29408b41de694500a889b34b4dbe427c8ebb97e74769a9ef44e45bf2aea6c5526749f5df7249ec24fbd0e94224bf82fb7c7e6cb4dbc113

Download Submit
C:\Windows\SysWOW64\Bieopm32.exe

Filesize
80KB

MD5
ec5e307c6d7a7e5cf9007bab59f35aca

SHA1
f2aecf9a2951004513fa1ed5f00ace46296de0da

SHA256
ec387785e398006c64e7813cd809dbbbb2a4df4a6a205e3b0d0882bca890332e

SHA512
ea41440d404ef8bd3a26075f0d36ed913eed9a7fa047b452851a5b301d355cc64bdd5b0be561582b01b9c2b8348cc90065e5629fdb7733e6959228c14e84d300

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
80KB

MD5
986ae032b8b9b65cf94858c13e84dd67

SHA1
996fb69e7991f84ac601ca590c9d3e4a94253c89

SHA256
e213664799f2b16e3e6e817ef7821b8cf9ecad41771caedb729f808184cb49df

SHA512
543c9cbfe2efd2282cc6ad43859adab501f506f1e41656fcd5cb02dbddb99407678a8632d4cd9c0544e26b054a40e074ac9b12154277a6444834ef29b9084b62

Download Submit
C:\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
80KB

MD5
7d978a357cef03b4a399678e9ae44779

SHA1
062d5d967cbd134c488875513172d44d3cde894e

SHA256
591b6984874a3f2407cae2271974e6ec241e7c565b6ee8c44719719084b7117a

SHA512
aad2df23efb2c36fff7d779fbead649ba72b10a1a4b5a4627d8eec6ef36ea21d0ed6a80d094abb8dd3d246c358994523fc8708f880da2bd316bb592d80702d6b

Download Submit
C:\Windows\SysWOW64\Bjpaop32.exe

Filesize
80KB

MD5
c258cdcdc07e3897ebfbe609dd28ace1

SHA1
00dcb574621cc7353134498b78e1e90b07be817c

SHA256
432c0acf61c133f796fe80d24bbc9612dce7404814cf561030ecdaadfdcc205a

SHA512
50910e05c3e48341a8ecb1d493bea74aa5f99352e1d4c3db7be72e223695981266cb6dd5a5f22f6dce8b494c90270fbfef28c9e27e70a016d9e741b5342a7c4e

Download Submit
C:\Windows\SysWOW64\Bkhhhd32.exe

Filesize
80KB

MD5
0bb12a0b04a2e821fb3e938109bb4772

SHA1
b0e72e1f879897017982220d0ee7e15a6e8a9396

SHA256
2b0f8cf92296f0201786d1921ece6e4c24107b08a9236698ddfdc8dff286a9f0

SHA512
26ce26781623a54e327860da3f34523c856917687b5607649fbf33f93fc369962a1ae434a4fb282cc550823a99c7e43ff41ff2d009fc0bae4206bb56faea79e9

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
80KB

MD5
a753279264f45245f1e2985d4b69b8d5

SHA1
b078bbed3d1337797294dd0a52ef1aadbbf47af3

SHA256
1b29aadeb8e85e60e97712dd63fa55ed0021e68f6f5ff6c7077d315e4ae17c7a

SHA512
3008691c53c01c9de07b5617b6b72299ea8fa3be044a0069db1776073e51a1e4c342e396aa0440adb3bd6cb28f48064189e8f685ced49d6cc886aa2947c49ead

Download Submit
C:\Windows\SysWOW64\Bmlael32.exe

Filesize
80KB

MD5
c5f414e8ed7fde7fa5d3804e715fe70e

SHA1
f8087610b415d714ab31dc30ecda0b93f84da560

SHA256
d6200fd622eb313201766c76b17d6ff29bf89ab24c6398cd16514833b5b28218

SHA512
394836cbcdd5831640cdb13e64810e98c5a73758f4b3c05c639a03beef22cc42287dfc8553842a7b2d9507afbc989a6ac6c54b6c4a595634d58acde925aa2b12

Download Submit
C:\Windows\SysWOW64\Bmnnkl32.exe

Filesize
80KB

MD5
4b13b3fa8ae912a9afbe8f6ae1a62002

SHA1
c2385ddc235644d57fc8b4c106c4c16262a9d168

SHA256
d2045233d0dfd0c0e0b9c4d6e880cc18c17d8d82740378d23f0aa8496565eb52

SHA512
03ff87e4118e12e5aafa2b2560efc39cd3ee6c48bdfccaddd590f7f386d860ae463b8c15a25289d715028631e5364a7b2fbe4d1a1228658c510c2c08c5175d7c

Download Submit
C:\Windows\SysWOW64\Bniajoic.exe

Filesize
80KB

MD5
9dc63aad6c463e337a467fbb42d1f6c4

SHA1
4d5802d7e5fa98b7f6c0b75142b1de685b127ba5

SHA256
73d779851632760f7d6ba110ad0e5a063c187a3013c633ff4da975bde26caaef

SHA512
a084e9c297f62a9df2035b979aba196129da8999f47930fa87125d7bae27234804783f109c5a8c9d8e06b43c46ba896205ef2c82eece782f5f1b4cc8f976e3e6

Download Submit
C:\Windows\SysWOW64\Boljgg32.exe

Filesize
80KB

MD5
a395d7f55287a706615e14669eff62cd

SHA1
9c1dba21b3dd985d8f574fd09a31dc7704c856c0

SHA256
a25dff90e7eeb860c909ee6976c7b3f78802e43b8630ecf97cffe38cc1d476ef

SHA512
31cc83b4676017232113845c158578906052b681c973dee60c87e46fd47705891d97f7a2a451e0a51719cd11b523bd24db3f0ba495daa27385e672dbb50a83f0

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
80KB

MD5
e0d4f3562b7e62ee3da75f343e47858a

SHA1
ac658d1efcd6b5af29d28a68e1e4c3b4a6bdd625

SHA256
713728902c54f5ef81feb659fbd57681a5e941a79a78cae5cc1169070c8f5a13

SHA512
00e832f52bf4e48468c6d0704380b9f96342bc4d0e68158e872c12afccd698e8b3ee4f25af211d4855f4252e4016cfc341c7064751ea607fdac400ec7c71f085

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
80KB

MD5
8689b91a8eff4d0fe0cfe6fb3e70c2a8

SHA1
154cd7792e3e629c5f38ae2659b4daddb5351a97

SHA256
bb55fc7d9542b795cf873125939a974eeca61de1ec065f07de68c473a6a05c62

SHA512
84bb87e5c4ab292b5dcb80dcb42dda3b397a588534809867b331518fb4eba4aa3977dc37a1500a0fff07eab4a7dfa1e80b0ce9e0f7c027ff73a24a16af82c359

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
80KB

MD5
e96595d819da942f0f9fcbf3c99aaeef

SHA1
3134c3ae2cfdfd29027fab6c88b520c39df32c5e

SHA256
70f236e8324c215869dab7ead466fd075071cfe314612267e3e9641945542336

SHA512
61645f8cdd0de0a98e64730f72267f59e51fd77188f8528ed77209cebfe809e10805a9125e0b09b953baa2af3421a31d2616d038250c463cb16d969ceef95503

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
80KB

MD5
153c16b279aaa26d5aefbb05876cf479

SHA1
cf36d75f43de0883f462d39eba3f25f57db43028

SHA256
017f45227247bf4150c35d7331bd90b949e3751f134505889ac069bd1035632e

SHA512
61a7848821eeba3c6b8191f57c2e57ec88f3978246196660088289c9ed2d1169aa542246f7699cb257cceb8e01a9293637f96e15237880c20a8c851c0309c96a

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
80KB

MD5
7ac90506be2965674f4024196ee6a873

SHA1
d62e99b159ba4dcb858dbe87e9affd3c14e4b221

SHA256
67975598fee71d92c3fdc6b23ed29ee0515028d7452345f934076793b102a7c2

SHA512
cd299b6e4f691aac62573de8643bc9b26ad50782d7e42007e7c05c1df2dc18b90e7cae8e5b8a3a7539545c80375265e81d3ca43a593f2d89072f0c7613281a68

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
80KB

MD5
95809c808691522662e66d7781b6d6fe

SHA1
cce8715c9df6f139c67350292833362dd2befc88

SHA256
3b16be30312470282d1465ca284713e8a97bc70382022f1ffe804c86b1eb156f

SHA512
eae02b49c3494cb597f44bde2a36a8ebd655f8c7867d8c8b1bf61a571856842e86be681dfb4c4067ecab22be305ed9d39369143c639956e850d9cc5b83c08840

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
80KB

MD5
80cffb3ad408f2965cc1f702540c0416

SHA1
357d95071d13d759f6c720d5a3c23fea4ae9dcba

SHA256
c040afcefe4b30694dcb0b42c417d98846299399d339b956714cd1f01b5134d0

SHA512
3737481c6ce910629c1a7e1fea68ca69baebd1bb5d06c526826d39cc0fc293fce684c17b1fa25d5bea5b03ab0f1ad3899f6df9b3db38aa6a9f452e52cf2235bf

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
80KB

MD5
0683553aa2c8ab78f27bcb9b8309f556

SHA1
c2c617a331817f15935e866a87267abc419f542f

SHA256
3ce9e7db64015d536f64077c56d13fa476347f5f13fc988cfdb725f2f88bc26f

SHA512
066c66b4f5ce3741cf24477c9b8e46c854a33f53322e071c95eb0e6541957b8800a0ab608f1befa70d3d43c685c69e324cb88a54efa9766f7933bdff32cbb37b

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
80KB

MD5
d3abbbf3c98a722ed7f86415b4f646ce

SHA1
820b7c5f31003e4841af356493343cfbba3c0dd1

SHA256
13e6c9ea8595e78b57698cbef6a0ce5dfb0ceb5ddda3ff64782c09fb27afa1d0

SHA512
1577a2b9b4fd90304a0fd4797a0771ade098066766e282f9ccfe25113485edc066a0580aea1764a3d9ddec4da7d01c29f56b9d669d222e1db28c38881fa1864d

Download Submit
C:\Windows\SysWOW64\Cenljmgq.exe

Filesize
80KB

MD5
2281bd94822c84d245fc72c3bb31ab2e

SHA1
deb1fd516de7ce4fc71e11f7d4a57c818d085f54

SHA256
6f8e2ef4df74c59df49c92c81ca6ec196ffe35be0be8a2288acf7a55146fcc19

SHA512
b6c2a626ad774561434dd196b36f6f269514e0f66baa52e149c53352fc5458c9190f83c4d1f75dcea647f1b290ba04eed8fd1594fadd6bf90baf31b119a058f4

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
80KB

MD5
078f0aecb84759ebd16d12b9f6e87460

SHA1
243ba04ae3e45ee7ab6c0b5bf7c9e0fc24c8ae1f

SHA256
8411af18a5dfd433f50c571df5329a10f2096c61239f39b49b33ef0befb60f70

SHA512
ec142ee84259b3a21fcb0500a9101ece255186184cd22a038fc7f5da3bd0d86cd8a487a7c0983b794878ea07cd0414a26f288faba5347a804feab6b7e704ba94

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
80KB

MD5
5128416d855186ca77eac97569f286b9

SHA1
dea6504050307050fc8b019e0938b9e756dbf84b

SHA256
a2b82738e915ab20f97c98830f28632914309e13c1e578636222c2738d802399

SHA512
5daefa992dae39f65428223c8fbdbd087fbf20d9046d39a4b89dabdb850caea70fee3c5c0a5300dea4a6f315099aaa26d17b809be450dd8f8f4e3763775f39a4

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
80KB

MD5
cb062249af710b287ab95cdb08979735

SHA1
aa219e6d3b17b2f1a0d626edd0bd89fa6863d077

SHA256
f15cd1f3be7f6d79fa250f50cc5f3844a6edfd46ae90a778f398e5d296a61cb4

SHA512
9adb982c5a966c21933a82053ab6881c402cf0721f53e1aa29d452d90a864a94a15831f28e08077c1fd9387a1f2692a797536043e51591dfccc8d91f76d160fc

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
80KB

MD5
cf671d0c5487d6786404a17c0349db16

SHA1
105594f6a9e2c30c55e2c4f652d4221fd9cd4517

SHA256
38f8a0d16eacb44375cc469bb5ab189fefb7d4d8bad2f3934a44ae34c1b59ee6

SHA512
45a7368dbcfefa594061fe7ec1eaba03b71359ddaf8c90af18d950e0731ce65a90f91ced42440c2516365343f6eb0fc338d794bee96279427081eab43ed204b6

Download Submit
C:\Windows\SysWOW64\Coacbfii.exe

Filesize
80KB

MD5
b26f623ee8a9179c24522186fa535a43

SHA1
0bd2b23fe11d1b3e1b8f18ce7e59fab8f7d7eda4

SHA256
3823056683d359542afe4aa9b30cc9e715bbddb26d291584c822a8a027dcde8a

SHA512
d5345481150ff34fe5d3411754bc942049d431c7d7355c8202dfb3eb65b06f34a9ea7e06d80eedc055bfe24a69d4a065683273c1bb2c3115b5bdef62ad8ced27

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
80KB

MD5
6ed1e2a519d194922b1c20f3f10ce309

SHA1
48b4163074d6b80cc36979095b1154440ff2ed7b

SHA256
56f28501afe9842e70c9a1188797837f4063cf6afc1460d4c507863a7f105787

SHA512
da161e1a90df52a1fb93034e79d645452aaa5541d483dc825c0edf9288062a3e879cc48aac3dd27f4186da578b20ea420c5129501df354e97edfc70d59bf42ac

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
80KB

MD5
1379bb88350af085bb54dcc88c01f16f

SHA1
4b802d5fc4543cfd4d9dade8118c2b32ea6c106a

SHA256
4292dedd15eaf258175e2d4325e170eea51c132052412776dff2a0465d54496a

SHA512
355ee2624def7c845eb58a798cfd7132ed91d91cd071ab055f791d2229958dec76ee1d05c550a91f2f0930c9e091aaeebadc99ee8af7a73ef730a60c1e608a02

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
80KB

MD5
95799e14939de0d93162b5a5a24fb543

SHA1
65c4b72e161c73f58e0676b5bffbb995cbee1fb2

SHA256
3296c0ef2cba5026004fb3b696f100b2ffea77a44120dca542cf92795402ecdf

SHA512
769730e92a20ef400d6dc37f1a19f7ffeb7ebf6417b17aa78d5d73d58ac81c7e40afd83712f4e3e71cbb83cf0a7e77e6755c8d23ca1b66f5994b48ac21a265e1

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
80KB

MD5
a057e5d731313cb7c1b7ec2df0063627

SHA1
e1e3195b7f5b53eac38d1e5285836dd7a2bc5153

SHA256
8151330ad18ab09ad9c23e9c064529ff3654e442797bbd12c506b2a673dfbc48

SHA512
ddcfe76fb75e7b203c28b615d28893e77e3ab87ceb906ac154e5bff8db98cd8e9f391678e4577f2fe14ae51fc91ec0a4585810035348048a1e29ee464cac87d8

Download Submit
C:\Windows\SysWOW64\Lddlkg32.exe

Filesize
80KB

MD5
990a0b3cb839e327280ca7e9e822001b

SHA1
8f828b1699f90e43d4fdbb1611a465cdae13c17b

SHA256
5e6bbb3e7384e1ccdd687e7cfd7eab20d0b41841bbcaad4d94d20e537cb20197

SHA512
8006dc3e80aa830a695f89b4ccb90dc1d818857fc53b6cb0da3c33f09cdf4acfdfbf0df22b46273c4b20ec80ade70b50a9fffd072d7425f9726d2092e4964bba

Download Submit
C:\Windows\SysWOW64\Lhknaf32.exe

Filesize
80KB

MD5
1428ff0cd306303eadb5e60a27025d45

SHA1
23d889b63f462483c4bd2c9f1a0c78448342f3fa

SHA256
d1db526fffaca70e2d973a27ab5bd125918ecc9f4ac5afb148fc23a229fc27ec

SHA512
54cf6fd7048cf62a61195e7af60d5a11f801ce77473d2fe419c050a48629ccd707e6782a5bc2aac38b6dfc057a29cf280a5fdc259ef3e89953752d667d652bab

Download Submit
C:\Windows\SysWOW64\Mmgfqh32.exe

Filesize
80KB

MD5
c1f4b42fef05e8c47795aedec7caaa68

SHA1
76f6300a67b4e789e741fa0aa49e76a46635379e

SHA256
26a39140885541f155e207651c07bcd12ac77930a8092d45cbe04c1dcf9cd151

SHA512
4710bd4669f8b8128a6f36b188bed846238baead1a0c425395f8e1d7d1b8e72a762cff4e41ec13ab8936c15c01d98f9b0179852a70a0ec949aa46bfec90585c4

Download Submit
C:\Windows\SysWOW64\Mmicfh32.exe

Filesize
80KB

MD5
161db995b7f16a52c8f2246397cced69

SHA1
d0f0c8c056b11dc35505aee1dca8982eb902340d

SHA256
a57d041a1935192b0f8a1a7493d79dee9da5d904520e764cc7e1245b4fdfb79c

SHA512
c0abf508544ebdc5fa58ab47930c4b56b252e227ea31e8d570e3e7817c4746d97726ac52acdf245c98b0d79ab586ffdb83e1d03c43bea9994f71b047aacfde7f

Download Submit
C:\Windows\SysWOW64\Nhjjgd32.exe

Filesize
80KB

MD5
eee44e7d12b2bcda430c29fccadceaec

SHA1
1f50c9059c675fbbe13278a231a36a6f7d097515

SHA256
53fcf38e347e4025e2278b0baa4f5ea5d775e53c7ffc0ec12951ec33416d2794

SHA512
faf7740762064ff503d68aff47fd28e20ed046ea783e6c07ba7cfcf4062d4b04a4dfda481a296a48a77c7d349727fcc2d878cbcfbb628d5012c02d331650611b

Download Submit
C:\Windows\SysWOW64\Nidmfh32.exe

Filesize
80KB

MD5
26c14ef0441dd63aaa14b104794e666d

SHA1
e80bbc3f963e6e191dbf8c4f01de2e2c65cd89be

SHA256
f020735fa0c32e9fb6681869d6146c97abc439165dc0a402bc2cf36576f48bb6

SHA512
c818e5ab71f6228f5e7a80a765e40325d8d36edbe750d6fbaff1adc4b4ca8b108bc7843fe6803e6e0cc8dc856dba3a6aded13e667a1d5a9f7808526b3bd056a8

Download Submit
C:\Windows\SysWOW64\Njfjnpgp.exe

Filesize
80KB

MD5
9179ca18f54ed8217544bbcc83f37ee6

SHA1
036e8e04dd3d32ff65b024eefb957b4351070f17

SHA256
699317713a5778c104876c60fc953b46d767befa6c079d7ca2bc78d3ace97116

SHA512
a5f882db3159e952730aa0935e7602c9fab5ae008610ccd0c5630ba3def16a4be7ea4b056b83b4f806257763131a455155ecfcc9706f4b98cf66294bd258f844

Download Submit
C:\Windows\SysWOW64\Njhfcp32.exe

Filesize
80KB

MD5
fe2190fd236734b36cf787ddeb77af37

SHA1
85ae0fb2e378b86b33038bb62ed2bdaf6efaac8b

SHA256
a8d46c476e193de2b231f3dfeb62f793b703b729f5a1fc9e7a35df02a5984a74

SHA512
76aefa3546c004ebd7046be066da3f99f8fc4aea43cfd057cbd186d68e79d87a0849732e6404296ae9515bd231baf71c0234e80b9f0804c1dbe46db8076d88fd

Download Submit
C:\Windows\SysWOW64\Njjcip32.exe

Filesize
80KB

MD5
53d653156408f5f35fdbc97780a4b961

SHA1
6c0f26b6421087cd71003e557d95d83c1a319184

SHA256
191f98d2a8c86a8bfb0609287d57798cbb99b382988d76df9d0e02cf00412e36

SHA512
21d46f1acc0646f796e501869e1a60f86a9bff77f72ed5475ff1df8461b2841ee5305c4c95e22c75fb5a52c7ed2b33df2bdc5b07efede9441c2d135adef7e1f5

Download Submit
C:\Windows\SysWOW64\Nmkplgnq.exe

Filesize
80KB

MD5
8832020770b6d206fb58e585a38b232c

SHA1
179e79162ec56c40f52291a28f489853c1d128c1

SHA256
22e6851b48d7ffbfc8de7ab12324058ef6ca4de6262c6f640c88bc44290410a9

SHA512
58ec5192673b16497291d37b8defd9cd11459743127b51217dbcae553219c99f5ae8cb7baabe5b3db3282eecc9145013c2b19aff5da1c4c255668e367751c396

Download Submit
C:\Windows\SysWOW64\Nplimbka.exe

Filesize
80KB

MD5
77597d334f333d4c490c338d2b7bc0be

SHA1
6914746e7c5e757e0a57ed408ed1a373ed13fcfe

SHA256
d9bb11b262efaf41974712d5d4218d6388f71b6b66b33fc7608c88237a0e21a1

SHA512
317eafe22e059b75bff084a73430d03fb97c6cf39ef20d7031afc42846cef0c372a1f7b211c8867802bce7afc4e826ab0f69c7223ef5c3ab0315c117b77f86c5

Download Submit
C:\Windows\SysWOW64\Oadkej32.exe

Filesize
80KB

MD5
cb04b8190e02684976cac6ded33e3a06

SHA1
88964f13f576af15835b08440bdc3c9e177e29dc

SHA256
f78d578a2af2049d732db338b2a9744628c721093de8cb4d45ade97cba3797f6

SHA512
366695d880d118eec233d70ddf2ae8cb9299bbfaeba97fc9d5bde05a4b16b8c00b1f35902502ebd847080ac0abe7ba0d08616537af673da6ac33f442216a4599

Download Submit
C:\Windows\SysWOW64\Odgamdef.exe

Filesize
80KB

MD5
2e7e693cb862a6ff7690c6100d3d4828

SHA1
03a40bba26c8f43b35a5b42a649b5dc4689902fb

SHA256
b1141b0086168177d58f8af4b26f30867cb5ebab5afb1abb152051981fa076f1

SHA512
8435acb6759f5505644be5e479dae2706e453b3b708dfb4a643f4d5c602ddb45887a5d77c714556db9490a796a2fea538ec56da7ff4843fe00a7affd2f1c40f9

Download Submit
C:\Windows\SysWOW64\Oekjjl32.exe

Filesize
80KB

MD5
8d5529ce8015ac6c9d6a959ee98308a1

SHA1
868d49d2b336ed391d8e19f49e17cf596b7f41e2

SHA256
c0f8303a23bc0b33db17002a9d65c06400ae15ae8a534daddb924b1a6d974daa

SHA512
abc910e82568e9e84823f27264349387c608ea1f7cc56b715c327d4b08f94c33ac0e469c7e27631ed8d3bab4fbae591e94634de0dec98aca2514d9eff4a9c5cc

Download Submit
C:\Windows\SysWOW64\Oidiekdn.exe

Filesize
80KB

MD5
a82b81c6e04cd681aad779623f6095ea

SHA1
4c259c66b125aaca15ad14ea5c6224b623b5a208

SHA256
a4da720555b1c2abb9e412ecdd795b1c4e2abcc780c800a72be985669b3244fd

SHA512
2597d376d80a3da6862ab01d4604fe718f566fd816841eb0a0281a2cb7a3517480aa7ed8eadd353495f7d27a2c9a507cb6e96126c85b051fc55a6431408dea22

Download Submit
C:\Windows\SysWOW64\Ojmpooah.exe

Filesize
80KB

MD5
e73f05b18e1713f1e6bf0b7898349c71

SHA1
11bbddefbdcfb55c470d43c9c2a04d94ce923cf3

SHA256
7b68a68b9a0f86fe65ce44603d531bcf7bb39160ad6d325a2baf5f9c33f94322

SHA512
21970ae2c52daccdc50135c3b63f5bba6d1f310f670c3846a7d9e113a81deff4597b0fe2804439d43b57aaa8ea7620c6b7bb94e414b17ed2cd4f6c609f5dd8dd

Download Submit
C:\Windows\SysWOW64\Opihgfop.exe

Filesize
80KB

MD5
8a511d349ffbaff2c60463adae15726f

SHA1
45d3e16bbe1f8f5f3a360101ed871cac760c08da

SHA256
ec45956aeab3b5957076c1b5cf3ed6a040ea75b85439fa60cb902d6ae2f4a057

SHA512
49211132c91a628605ed2b390adf208daeb4a9b803318f027d2f2cfa676bb637ce635e84e549c61cdf1fa65f39f840e2b91ecf4b5c7d022815be280a45d8d55c

Download Submit
C:\Windows\SysWOW64\Opqoge32.exe

Filesize
80KB

MD5
8bac579346c9bc5522ab4788dceeb200

SHA1
cd06469a0c6068fb6ce9c56fb5bf9035c5d0432a

SHA256
e8f0c03638566c63d8b7b4c476c8b2f28c669534e91e00d0f97ac3e7f2f20650

SHA512
21a0ccafe0dab0550b77c9684fbffdf630f99d58d0f222605499bc63e6e6b27e98e89bcb2d8df4278afae22d278347bb4187b26b16aa2f68822c3c536b375306

Download Submit
C:\Windows\SysWOW64\Paknelgk.exe

Filesize
80KB

MD5
e9a60266dd56c648f9aee2688f0c3f9c

SHA1
b6e81f70d3294b51dbb43da0344b9e8c3b2007a2

SHA256
54786861c5a310d8238b2c23b2966a3fe207838c01aa201cfeb8b426f6d2e21c

SHA512
91759afa4eef2f5b05c74cc1f4e3d7d13660a9df65f99a0b5f1da82b2feb389eb026f7de30e1c0ca24dcd37b7cb3e5905a83310f7b1983625f2b4a8e0011ea8d

Download Submit
C:\Windows\SysWOW64\Pdjjag32.exe

Filesize
80KB

MD5
285c274bc93fff1db7c0914260740b70

SHA1
eca2b53ea650650bbd8f8df5ec819ef0a1ea7346

SHA256
2db1bb46fe122986d94fe12e7d7df435fac1eb7993ce494bcc58965156a73e6b

SHA512
433b289f8590f94a6c41f683a86137421b558727f9696b50c17c72d79dcdc13efe020039afaaf8cd7171b73c59b5ca819213b0b2195c08a7d79b42a34b3443a7

Download Submit
C:\Windows\SysWOW64\Pgcmbcih.exe

Filesize
80KB

MD5
5f553c95f85e0a05ab9ff98fb96598b3

SHA1
9ff202b8afd3e994627ebfb854bdde464f142593

SHA256
c3a9103090d6f20913d9dfd362182c05255295ee05ba6695ebf44e190b1d875a

SHA512
653db30b1a3697d57294660e8f46dfde98950ba4c7a43be8c4716e3d3755495cae6796eae072a7d8ea2fac678cee08e8fd48f4a7f37885a362ed593d0178fc02

Download Submit
C:\Windows\SysWOW64\Phnpagdp.exe

Filesize
80KB

MD5
520329a5f04a18327cd55192dccb28a8

SHA1
d896eb8e3ffd5bee4e7a1b07e92b056d4fbd015c

SHA256
c8715e017a9e4ab93afb5f48294f1271821924a4875d5b607dd98e025082cc7e

SHA512
893e0cde4cb4cab7f52853a2bd9a09c5bfebd8dfc4ba8b352a5c6eaa9be214f0649816e02d092a675ca67bc78db331f05b4c0234637d7fbb3c8d655fe93645b9

Download Submit
C:\Windows\SysWOW64\Phqmgg32.exe

Filesize
80KB

MD5
21ea930e1acf6f881d1f8f77f924fa63

SHA1
26c9bc286b4fbeee872f99c795f83bab46505a38

SHA256
fb39864beb5c257bbb842661ab193949a44e271bc37f28bb34293446027c1721

SHA512
127667dd7d2ebb7d9480b9b26fd6229d2171cca67fcb51cf5dafecc3325954e33aa2cf5d5aac18e35ea79e520b1929f1d91362d17fdb5e8d3ce53b4aaaef0514

Download Submit
C:\Windows\SysWOW64\Piicpk32.exe

Filesize
80KB

MD5
4a5c7a2a6e886f2209772468394d3751

SHA1
a7e9542b38fc46a2b8ed362f4f45283b642a23fa

SHA256
3c12400f13a1f84ed3b686a3bec6ff1b7e7b7453c8fd9a210db4012dcd907134

SHA512
780df73ba73b7c8597d41a0a3252dd3d66a25a8bda559f8e1f256af1e3cc93f248b380b90440790d42e1788fa2a7fbea1f9916d872e46d3f2921956ebdd322cf

Download Submit
C:\Windows\SysWOW64\Plgolf32.exe

Filesize
80KB

MD5
758a729183d06e98644f48e61897b0c5

SHA1
98e76ceeadf3c2975a7a2a57d83d7c19494f80c7

SHA256
e3640a2a494bbc78454f667eff4a78ffeb47024b061873afb81ddc36bdc975b3

SHA512
076d0782b92ac4b6d213f7b74c62ead571f29d538b63d627cc280d7b3c0e3b41d7359c3a9c421801726f5e5b62883a9af49634fcbf58106c9e816b93e2f229e6

Download Submit
C:\Windows\SysWOW64\Pohhna32.exe

Filesize
80KB

MD5
c90b7a02beb2a0895223c4117ddb8e4c

SHA1
f48714468271d953dda49130c970f6b195a80ff4

SHA256
ef46813f940beabbb3e511287d5c3e2e762d0cecf8fa49a7a3057d8449ca1fad

SHA512
08f69abbbb3cd3df225982fe5d7e8102158aa8262931e1b6e01f0d00cb4093efecf07b5596cf6e67e029c65128301d54b29bd31e8171f21eb1556d8d1f5d2e3d

Download Submit
C:\Windows\SysWOW64\Qcogbdkg.exe

Filesize
80KB

MD5
cbf3a5ea7dcc7f3d83c9000fc45d7688

SHA1
ca0119eed3aa1aeb8512bd2c67ab21c64840bb3f

SHA256
dd0024c26685ff114bdf8fff0569d88af1a2a113c7c6ddf5540f4c901ca32ce9

SHA512
bcc358d8f9603d693d5de13d9bfcd98aa7e6bf6d261b5c43dd5486adefac58b755426939afc3ebb13dfe27ec3d80b2b051297a99bf58dfbee96642ea22a1bd8d

Download Submit
C:\Windows\SysWOW64\Qkfocaki.exe

Filesize
80KB

MD5
c1a70e1e9cd336bb2b356a3f42e342eb

SHA1
6886f56272f71883cfbfddfd906621608c3a97e8

SHA256
8ae3da2c7bd89f9a959d3b5f40d0ca870353b655e1ac06fffa763ca7d5276a33

SHA512
b87aef37ec1c947229825896cb2b550b439615ba02f80ddfc4c4a9a2330d08153b57d2aad27c3ef722bd63bf3c4406f0ca18f48f33de08b5a25ec1d14d16b2bf

Download Submit
\Windows\SysWOW64\Lcofio32.exe

Filesize
80KB

MD5
80e134df3a71429d3832543281c38013

SHA1
d53d41a5fa33e8fa3e322e466eb7d81699688703

SHA256
9b65e1673e2f522551a0d05137c724d0a765042980ed41c1ec98085be80e55a0

SHA512
c52f66f26ab5c9346cdde520d939d07c6d55965e416f5e7e617e3034e9ba4879c81f6f839842d70f0636fda7e281a58423ad45cbd56ff21e70856da02a4d3e70

Download Submit
\Windows\SysWOW64\Lgqkbb32.exe

Filesize
80KB

MD5
9203ce0bfa62e108394f8126466edf5d

SHA1
686dec80f5ec3b668ae4c4e4a112fa30b6c4f82a

SHA256
05e10aa95d9aaf493aadddb9e8ced71ae726eed921ceb54d3f201ffa7f8be71c

SHA512
21b79d83d6631cb5a00eb38f331ea2edd3008382b21616d5efff38858f2d5422a1a5ed24183aaf1915d5d7af7ffb8687409390217483b009d17f476648938db8

Download Submit
\Windows\SysWOW64\Mbcoio32.exe

Filesize
80KB

MD5
407306119ff81945665e2cc6691887ce

SHA1
ea4a5b278f3b505e64a8a0c71b97354ab16aa9d7

SHA256
253f0215459a13d5e4f8cb51d19b59c8ac34016ee43cc729cf49b3db6ec72ab5

SHA512
41e07f49b30de0368792c239dae642566c6fcd2a473f04fdffa4b8cf31ce26d70cca6425e1b5f7199b0bd91d7e381acf1cc10b6c9850a1475934d1aff4268308

Download Submit
\Windows\SysWOW64\Mcnbhb32.exe

Filesize
80KB

MD5
ae89b42c09b287311b0a8ff2fb4559f0

SHA1
f54865d4607e078acfa20ef8ba05f5acb106d23a

SHA256
fb94bef9c18c535afd8ea72aebb02b20a40f1644dfe1916d4c77ac0dcee620df

SHA512
c902e10be6442fa365181116667fe74ea1d21919b5a27b6e21743e028dc5d534571a0a8886a70380af3d54259fc163e801ecb9745e89c9f837a951e5e308f732

Download Submit
\Windows\SysWOW64\Mgedmb32.exe

Filesize
80KB

MD5
69e9c2dc6b16ab7d97f32b27f436f72d

SHA1
94094066e813563a6265a8d28ec3de553dc0ec17

SHA256
033c777d55ae9cef170bf9bac52576f2fb331bddb48cf18e96773f4d0e249df3

SHA512
581f5609252071dd404b1e7f834509a3cbfcc68f662deebba62274750343d27287fda4861467ad74f390983ce394557ad0f9326f53b158914f188f4dcb9dcde3

Download Submit
\Windows\SysWOW64\Mjfnomde.exe

Filesize
80KB

MD5
ae08c1f7998735d9f0eb495ee6ee4646

SHA1
39f1b8ac04b1c824bf41403b7303af50c470a4ff

SHA256
f8822c3ebd6cdb523e94ee57025d1f03207bb6e863a2171dc79d64236fc0d94b

SHA512
866385497f0f3acb001a0a3cda7e012d3244c1152797e096a0187e7de572bb1d30fbb060ff3ec6b1efeec6a3a6fa90db5aaef48a759b98fa79dbb555b982ac41

Download Submit
\Windows\SysWOW64\Mnmpdlac.exe

Filesize
80KB

MD5
36a7739f83c5d893fe336813030c9cbd

SHA1
ebb5a86496f2e034858a1231d733602ec1cc41ff

SHA256
1e0f837c958e12aec18454a205b3e78e5131c157243280d53362632a937d0184

SHA512
f0325ceec1b5d27b830b9728bfa604af8461fda0019d9a86b62947a8d38324616d0ebbf11c345cae87e00012ae089ae5257f1e51b27b3c3e88e7d2111f14a8a6

Download Submit
\Windows\SysWOW64\Mqnifg32.exe

Filesize
80KB

MD5
4d682affe39fea05c966e2d50695e531

SHA1
655f38f312d00ec376d4b0d106ee2b6a244db33e

SHA256
cef786727f6645de4d9aa2f1fb923735ede1bc10dada075116aacefa0cbbb786

SHA512
ad7321773f9653cf20d065d193d254d224efa25e2553d517c8961e83109494ef8b6a1fa586f0d3dcdd03f9f698baef07de506fb16188dd91e83d324e7d235692

Download Submit
\Windows\SysWOW64\Nefdpjkl.exe

Filesize
80KB

MD5
8774cc1dd61e134c3ce8774710762c63

SHA1
b1a145aace35e47b580e0a6703fd93f08150828c

SHA256
40ac8733cf416fd993dd686d6a40d3560649ac66d67361c2c92441db830c487e

SHA512
8d226bc5e3afecb902297c5a64255e378b246c653ca20e42799d60c6a60a0e8b90ea553519a88922ee517797459575faaf6503cb2e36cf3391a670ea7ea07764

Download Submit
\Windows\SysWOW64\Nfahomfd.exe

Filesize
80KB

MD5
02d06a1daa6c79c28a321f5b6da89d0d

SHA1
2d8a4faa7b84e121464d82239203a9af57ffa9df

SHA256
f8884c54891a0ed967f79190a5b7969f09742bcbc5f2f325625bc4b5835a5c33

SHA512
d53653b155c31643e95a42d1e51f8ecf15e38ee0a0df8316f1ae459c2b2244058830bb282f8d60fe43c544aa9e5e5ef5240ff76b24611f9c7b4f3f4da01af27c

Download Submit
memory/304-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/304-503-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/304-194-0x0000000001F40000-0x0000000001F80000-memory.dmp

Filesize
256KB

Download
memory/448-212-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/448-219-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/540-18-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/604-253-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/604-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/604-252-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/924-326-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/924-320-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/924-330-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/1028-238-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1028-242-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1028-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1124-227-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1164-304-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1164-308-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1164-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1252-140-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/1252-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1252-454-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1344-502-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/1344-493-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1352-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1448-447-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/1448-446-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1448-448-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/1520-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1660-380-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-271-0x0000000001F60000-0x0000000001FA0000-memory.dmp

Filesize
256KB

Download
memory/1672-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-275-0x0000000001F60000-0x0000000001FA0000-memory.dmp

Filesize
256KB

Download
memory/1692-487-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1692-492-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1704-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1704-167-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1704-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1708-416-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1708-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1732-297-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/1732-296-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/1732-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1820-378-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1820-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1820-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1820-52-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2008-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2040-372-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2040-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2040-362-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2040-38-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2124-477-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2124-481-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2124-469-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2144-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2204-260-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2204-254-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2204-264-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2376-115-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/2376-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2376-426-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2380-282-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2380-286-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2380-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2452-470-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2460-318-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2460-319-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2460-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2480-350-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2480-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2480-17-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2480-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2564-422-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2564-94-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2588-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2588-411-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2588-88-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2644-336-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2760-351-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2760-361-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2760-360-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2784-441-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2804-436-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2804-427-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2840-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2952-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2952-459-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2984-61-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2984-398-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2984-391-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-54-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3056-473-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/3056-468-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3064-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3064-390-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads