berbew | 284264cfd5f4fa242757a36d2868f50eff749e46195e215eb9fc3591a86b9ec7

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08/12/2024, 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

284264cfd5f4fa242757a36d2868f50eff749e46195e215eb9fc3591a86b9ec7.exe
Size

74KB
MD5

49c6d7fb811f9c62a58c022f673c096d
SHA1

295e58eea8197971981350d552b6d21068d22112
SHA256

284264cfd5f4fa242757a36d2868f50eff749e46195e215eb9fc3591a86b9ec7
SHA512

de109e52838b39d1c146174a4422704db690db851d8bf26f219f8a4d1f4d66d19566c9b7e5ccbb6e3423b8bbd7550bae315522ca813c5f7111223940f418d3d1
SSDEEP

1536:DGgswI0BUT1Ehx41uEECAjeFNNDOlYHIizOgyJ5zxbZ99UPrb3SD:lswI0BUTACuEsuiSHIiCf5z3Hk+

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njhfcp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neiaeiii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojomdoof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Objaha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfjann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcqombic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pohhna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcckcbgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfdddm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnafnopi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcqombic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Allefimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mfokinhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qpbglhjq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aebmjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aebmjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akabgebj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcckcbgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pljlbf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfokinhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qeppdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mfjann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oekjjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	284264cfd5f4fa242757a36d2868f50eff749e46195e215eb9fc3591a86b9ec7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndqkleln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ompefj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Objaha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofhjopbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aomnhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njjcip32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2488	Mfjann32.exe
2252	Mcnbhb32.exe
596	Mcqombic.exe
2696	Mfokinhf.exe
2660	Mcckcbgp.exe
2708	Nedhjj32.exe
2576	Nfdddm32.exe
2168	Nlqmmd32.exe
2360	Neiaeiii.exe
2044	Nnafnopi.exe
2724	Neknki32.exe
1448	Njhfcp32.exe
1460	Ndqkleln.exe
2224	Njjcip32.exe
1088	Oadkej32.exe
1360	Ofadnq32.exe
1980	Obhdcanc.exe
688	Ojomdoof.exe
1864	Oplelf32.exe
2212	Objaha32.exe
3020	Ompefj32.exe
1060	Ofhjopbg.exe
996	Oekjjl32.exe
904	Opqoge32.exe
2944	Piicpk32.exe
1580	Pkjphcff.exe
2628	Pbagipfi.exe
2648	Pljlbf32.exe
2672	Pohhna32.exe
2952	Pojecajj.exe
2108	Pkaehb32.exe
2556	Ppnnai32.exe
1064	Pnbojmmp.exe
1780	Qdlggg32.exe
1764	Qiioon32.exe
1268	Qpbglhjq.exe
1692	Qgmpibam.exe
1648	Qeppdo32.exe
2920	Aebmjo32.exe
2932	Allefimb.exe
1672	Ajpepm32.exe
2528	Akabgebj.exe
2216	Aomnhd32.exe
1548	Aoojnc32.exe
3004	Aficjnpm.exe
2240	Ahgofi32.exe
1012	Aoagccfn.exe
1324	Aoagccfn.exe
2284	Abpcooea.exe
2468	Adnpkjde.exe
2736	Bhjlli32.exe
2792	Bjkhdacm.exe
2668	Bnfddp32.exe
2680	Bdqlajbb.exe
1248	Bccmmf32.exe
3052	Bkjdndjo.exe
2876	Bjmeiq32.exe
1952	Bqgmfkhg.exe
1136	Bgaebe32.exe
2928	Bnknoogp.exe
2348	Bmnnkl32.exe
1664	Bqijljfd.exe
964	Boljgg32.exe
1984	Bchfhfeh.exe

Loads dropped DLL 64 IoCs

pid	Process
1488	284264cfd5f4fa242757a36d2868f50eff749e46195e215eb9fc3591a86b9ec7.exe
1488	284264cfd5f4fa242757a36d2868f50eff749e46195e215eb9fc3591a86b9ec7.exe
2488	Mfjann32.exe
2488	Mfjann32.exe
2252	Mcnbhb32.exe
2252	Mcnbhb32.exe
596	Mcqombic.exe
596	Mcqombic.exe
2696	Mfokinhf.exe
2696	Mfokinhf.exe
2660	Mcckcbgp.exe
2660	Mcckcbgp.exe
2708	Nedhjj32.exe
2708	Nedhjj32.exe
2576	Nfdddm32.exe
2576	Nfdddm32.exe
2168	Nlqmmd32.exe
2168	Nlqmmd32.exe
2360	Neiaeiii.exe
2360	Neiaeiii.exe
2044	Nnafnopi.exe
2044	Nnafnopi.exe
2724	Neknki32.exe
2724	Neknki32.exe
1448	Njhfcp32.exe
1448	Njhfcp32.exe
1460	Ndqkleln.exe
1460	Ndqkleln.exe
2224	Njjcip32.exe
2224	Njjcip32.exe
1088	Oadkej32.exe
1088	Oadkej32.exe
1360	Ofadnq32.exe
1360	Ofadnq32.exe
1980	Obhdcanc.exe
1980	Obhdcanc.exe
688	Ojomdoof.exe
688	Ojomdoof.exe
1864	Oplelf32.exe
1864	Oplelf32.exe
2212	Objaha32.exe
2212	Objaha32.exe
3020	Ompefj32.exe
3020	Ompefj32.exe
1060	Ofhjopbg.exe
1060	Ofhjopbg.exe
996	Oekjjl32.exe
996	Oekjjl32.exe
904	Opqoge32.exe
904	Opqoge32.exe
2944	Piicpk32.exe
2944	Piicpk32.exe
1580	Pkjphcff.exe
1580	Pkjphcff.exe
2628	Pbagipfi.exe
2628	Pbagipfi.exe
2648	Pljlbf32.exe
2648	Pljlbf32.exe
2672	Pohhna32.exe
2672	Pohhna32.exe
2952	Pojecajj.exe
2952	Pojecajj.exe
2108	Pkaehb32.exe
2108	Pkaehb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Eoobfoke.dll	Aficjnpm.exe
File created	C:\Windows\SysWOW64\Dkodahqi.dll	Oekjjl32.exe
File created	C:\Windows\SysWOW64\Nhiejpim.dll	Pkaehb32.exe
File opened for modification	C:\Windows\SysWOW64\Qeppdo32.exe	Qgmpibam.exe
File opened for modification	C:\Windows\SysWOW64\Aoagccfn.exe	Ahgofi32.exe
File created	C:\Windows\SysWOW64\Bqlfaj32.exe	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Gaokcb32.dll	Ndqkleln.exe
File created	C:\Windows\SysWOW64\Qgmpibam.exe	Qpbglhjq.exe
File opened for modification	C:\Windows\SysWOW64\Bqijljfd.exe	Bmnnkl32.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Ckmcef32.dll	Qiioon32.exe
File created	C:\Windows\SysWOW64\Bjkhdacm.exe	Bhjlli32.exe
File created	C:\Windows\SysWOW64\Jdpkmjnb.dll	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Lbmnig32.dll	Bbmcibjp.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	Bmbgfkje.exe
File opened for modification	C:\Windows\SysWOW64\Ckhdggom.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Nnafnopi.exe	Neiaeiii.exe
File created	C:\Windows\SysWOW64\Bjmeiq32.exe	Bkjdndjo.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Boljgg32.exe
File opened for modification	C:\Windows\SysWOW64\Ppnnai32.exe	Pkaehb32.exe
File created	C:\Windows\SysWOW64\Mfakaoam.dll	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Mcqombic.exe	Mcnbhb32.exe
File created	C:\Windows\SysWOW64\Kmgbdm32.dll	Pohhna32.exe
File created	C:\Windows\SysWOW64\Bffbdadk.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Bcjcme32.exe	Bqlfaj32.exe
File opened for modification	C:\Windows\SysWOW64\Ompefj32.exe	Objaha32.exe
File created	C:\Windows\SysWOW64\Jpefpo32.dll	Qpbglhjq.exe
File opened for modification	C:\Windows\SysWOW64\Aoojnc32.exe	Aomnhd32.exe
File opened for modification	C:\Windows\SysWOW64\Bmnnkl32.exe	Bnknoogp.exe
File opened for modification	C:\Windows\SysWOW64\Ciihklpj.exe	Cenljmgq.exe
File opened for modification	C:\Windows\SysWOW64\Pbagipfi.exe	Pkjphcff.exe
File created	C:\Windows\SysWOW64\Pljlbf32.exe	Pbagipfi.exe
File opened for modification	C:\Windows\SysWOW64\Njjcip32.exe	Ndqkleln.exe
File created	C:\Windows\SysWOW64\Oefdbdjo.dll	Ofhjopbg.exe
File created	C:\Windows\SysWOW64\Hopbda32.dll	Opqoge32.exe
File created	C:\Windows\SysWOW64\Allefimb.exe	Aebmjo32.exe
File opened for modification	C:\Windows\SysWOW64\Bnfddp32.exe	Bjkhdacm.exe
File created	C:\Windows\SysWOW64\Dgnenf32.dll	Bmnnkl32.exe
File opened for modification	C:\Windows\SysWOW64\Neknki32.exe	Nnafnopi.exe
File opened for modification	C:\Windows\SysWOW64\Aomnhd32.exe	Akabgebj.exe
File created	C:\Windows\SysWOW64\Bhjlli32.exe	Adnpkjde.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cepipm32.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Njjcip32.exe	Ndqkleln.exe
File created	C:\Windows\SysWOW64\Bhapci32.dll	Piicpk32.exe
File opened for modification	C:\Windows\SysWOW64\Allefimb.exe	Aebmjo32.exe
File created	C:\Windows\SysWOW64\Gfikmo32.dll	Bffbdadk.exe
File opened for modification	C:\Windows\SysWOW64\Cbppnbhm.exe	Ccmpce32.exe
File opened for modification	C:\Windows\SysWOW64\Obhdcanc.exe	Ofadnq32.exe
File opened for modification	C:\Windows\SysWOW64\Piicpk32.exe	Opqoge32.exe
File created	C:\Windows\SysWOW64\Bqijljfd.exe	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Gdgqdaoh.dll	Cocphf32.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Neiaeiii.exe	Nlqmmd32.exe
File created	C:\Windows\SysWOW64\Bmnnkl32.exe	Bnknoogp.exe
File opened for modification	C:\Windows\SysWOW64\Cebeem32.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Calcpm32.exe
File created	C:\Windows\SysWOW64\Objaha32.exe	Oplelf32.exe
File created	C:\Windows\SysWOW64\Ogqhpm32.dll	Objaha32.exe
File created	C:\Windows\SysWOW64\Bgmdailj.dll	Bkjdndjo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2364	1964	WerFault.exe	120

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdlggg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aficjnpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqgmfkhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcqombic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnbojmmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgmpibam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nedhjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppnnai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiioon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeppdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aomnhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcnbhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndqkleln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfddp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcckcbgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoojnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnpkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhjlli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojomdoof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akabgebj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pohhna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obhdcanc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ompefj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neiaeiii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbagipfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Objaha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pljlbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pojecajj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoagccfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlqmmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oadkej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkaehb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Allefimb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcooea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	284264cfd5f4fa242757a36d2868f50eff749e46195e215eb9fc3591a86b9ec7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfdddm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahgofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoagccfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkjphcff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aebmjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oekjjl32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njjcip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pohhna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlqmmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfdddm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibbklamb.dll"	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ahgofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkame32.dll"	Boljgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Obhdcanc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnafnopi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pbagipfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aoojnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boljgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nedhjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqliblhd.dll"	Ojomdoof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oekjjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pljlbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndqkleln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edeomgho.dll"	Nedhjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ppnnai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Allefimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mfjann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpefpo32.dll"	Qpbglhjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcqombic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iidobe32.dll"	Pbagipfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkodahqi.dll"	Oekjjl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajpepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goembl32.dll"	Njjcip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Opqoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkaehb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofhjopbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofhjopbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pohhna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbfcnc32.dll"	Ppnnai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njhfcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gddgejcp.dll"	Mcnbhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogqhpm32.dll"	Objaha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qdlggg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	284264cfd5f4fa242757a36d2868f50eff749e46195e215eb9fc3591a86b9ec7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgmpibam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	284264cfd5f4fa242757a36d2868f50eff749e46195e215eb9fc3591a86b9ec7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgpia32.dll"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdlck32.dll"	Bnfddp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2488	1488	284264cfd5f4fa242757a36d2868f50eff749e46195e215eb9fc3591a86b9ec7.exe	31
PID 1488 wrote to memory of 2488	1488	284264cfd5f4fa242757a36d2868f50eff749e46195e215eb9fc3591a86b9ec7.exe	31
PID 1488 wrote to memory of 2488	1488	284264cfd5f4fa242757a36d2868f50eff749e46195e215eb9fc3591a86b9ec7.exe	31
PID 1488 wrote to memory of 2488	1488	284264cfd5f4fa242757a36d2868f50eff749e46195e215eb9fc3591a86b9ec7.exe	31
PID 2488 wrote to memory of 2252	2488	Mfjann32.exe	32
PID 2488 wrote to memory of 2252	2488	Mfjann32.exe	32
PID 2488 wrote to memory of 2252	2488	Mfjann32.exe	32
PID 2488 wrote to memory of 2252	2488	Mfjann32.exe	32
PID 2252 wrote to memory of 596	2252	Mcnbhb32.exe	33
PID 2252 wrote to memory of 596	2252	Mcnbhb32.exe	33
PID 2252 wrote to memory of 596	2252	Mcnbhb32.exe	33
PID 2252 wrote to memory of 596	2252	Mcnbhb32.exe	33
PID 596 wrote to memory of 2696	596	Mcqombic.exe	34
PID 596 wrote to memory of 2696	596	Mcqombic.exe	34
PID 596 wrote to memory of 2696	596	Mcqombic.exe	34
PID 596 wrote to memory of 2696	596	Mcqombic.exe	34
PID 2696 wrote to memory of 2660	2696	Mfokinhf.exe	35
PID 2696 wrote to memory of 2660	2696	Mfokinhf.exe	35
PID 2696 wrote to memory of 2660	2696	Mfokinhf.exe	35
PID 2696 wrote to memory of 2660	2696	Mfokinhf.exe	35
PID 2660 wrote to memory of 2708	2660	Mcckcbgp.exe	36
PID 2660 wrote to memory of 2708	2660	Mcckcbgp.exe	36
PID 2660 wrote to memory of 2708	2660	Mcckcbgp.exe	36
PID 2660 wrote to memory of 2708	2660	Mcckcbgp.exe	36
PID 2708 wrote to memory of 2576	2708	Nedhjj32.exe	37
PID 2708 wrote to memory of 2576	2708	Nedhjj32.exe	37
PID 2708 wrote to memory of 2576	2708	Nedhjj32.exe	37
PID 2708 wrote to memory of 2576	2708	Nedhjj32.exe	37
PID 2576 wrote to memory of 2168	2576	Nfdddm32.exe	38
PID 2576 wrote to memory of 2168	2576	Nfdddm32.exe	38
PID 2576 wrote to memory of 2168	2576	Nfdddm32.exe	38
PID 2576 wrote to memory of 2168	2576	Nfdddm32.exe	38
PID 2168 wrote to memory of 2360	2168	Nlqmmd32.exe	39
PID 2168 wrote to memory of 2360	2168	Nlqmmd32.exe	39
PID 2168 wrote to memory of 2360	2168	Nlqmmd32.exe	39
PID 2168 wrote to memory of 2360	2168	Nlqmmd32.exe	39
PID 2360 wrote to memory of 2044	2360	Neiaeiii.exe	40
PID 2360 wrote to memory of 2044	2360	Neiaeiii.exe	40
PID 2360 wrote to memory of 2044	2360	Neiaeiii.exe	40
PID 2360 wrote to memory of 2044	2360	Neiaeiii.exe	40
PID 2044 wrote to memory of 2724	2044	Nnafnopi.exe	41
PID 2044 wrote to memory of 2724	2044	Nnafnopi.exe	41
PID 2044 wrote to memory of 2724	2044	Nnafnopi.exe	41
PID 2044 wrote to memory of 2724	2044	Nnafnopi.exe	41
PID 2724 wrote to memory of 1448	2724	Neknki32.exe	42
PID 2724 wrote to memory of 1448	2724	Neknki32.exe	42
PID 2724 wrote to memory of 1448	2724	Neknki32.exe	42
PID 2724 wrote to memory of 1448	2724	Neknki32.exe	42
PID 1448 wrote to memory of 1460	1448	Njhfcp32.exe	43
PID 1448 wrote to memory of 1460	1448	Njhfcp32.exe	43
PID 1448 wrote to memory of 1460	1448	Njhfcp32.exe	43
PID 1448 wrote to memory of 1460	1448	Njhfcp32.exe	43
PID 1460 wrote to memory of 2224	1460	Ndqkleln.exe	44
PID 1460 wrote to memory of 2224	1460	Ndqkleln.exe	44
PID 1460 wrote to memory of 2224	1460	Ndqkleln.exe	44
PID 1460 wrote to memory of 2224	1460	Ndqkleln.exe	44
PID 2224 wrote to memory of 1088	2224	Njjcip32.exe	45
PID 2224 wrote to memory of 1088	2224	Njjcip32.exe	45
PID 2224 wrote to memory of 1088	2224	Njjcip32.exe	45
PID 2224 wrote to memory of 1088	2224	Njjcip32.exe	45
PID 1088 wrote to memory of 1360	1088	Oadkej32.exe	46
PID 1088 wrote to memory of 1360	1088	Oadkej32.exe	46
PID 1088 wrote to memory of 1360	1088	Oadkej32.exe	46
PID 1088 wrote to memory of 1360	1088	Oadkej32.exe	46

C:\Users\Admin\AppData\Local\Temp\284264cfd5f4fa242757a36d2868f50eff749e46195e215eb9fc3591a86b9ec7.exe
"C:\Users\Admin\AppData\Local\Temp\284264cfd5f4fa242757a36d2868f50eff749e46195e215eb9fc3591a86b9ec7.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SysWOW64\Mfjann32.exe
  C:\Windows\system32\Mfjann32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\Mcnbhb32.exe
    C:\Windows\system32\Mcnbhb32.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\SysWOW64\Mcqombic.exe
      C:\Windows\system32\Mcqombic.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:596
    - - C:\Windows\SysWOW64\Mfokinhf.exe
        
        C:\Windows\system32\Mfokinhf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Windows\SysWOW64\Mcckcbgp.exe
        
        C:\Windows\system32\Mcckcbgp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Nedhjj32.exe
        
        C:\Windows\system32\Nedhjj32.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Nfdddm32.exe
        
        C:\Windows\system32\Nfdddm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Nlqmmd32.exe
        
        C:\Windows\system32\Nlqmmd32.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Neiaeiii.exe
        
        C:\Windows\system32\Neiaeiii.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Nnafnopi.exe
        
        C:\Windows\system32\Nnafnopi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Neknki32.exe
        
        C:\Windows\system32\Neknki32.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Njhfcp32.exe
        
        C:\Windows\system32\Njhfcp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Ndqkleln.exe
        
        C:\Windows\system32\Ndqkleln.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Njjcip32.exe
        
        C:\Windows\system32\Njjcip32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Oadkej32.exe
        
        C:\Windows\system32\Oadkej32.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Ofadnq32.exe
        
        C:\Windows\system32\Ofadnq32.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1360
        
        C:\Windows\SysWOW64\Obhdcanc.exe
        
        C:\Windows\system32\Obhdcanc.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Ojomdoof.exe
        
        C:\Windows\system32\Ojomdoof.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Oplelf32.exe
        
        C:\Windows\system32\Oplelf32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1864
        
        C:\Windows\SysWOW64\Objaha32.exe
        
        C:\Windows\system32\Objaha32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Ompefj32.exe
        
        C:\Windows\system32\Ompefj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\Ofhjopbg.exe
        
        C:\Windows\system32\Ofhjopbg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Oekjjl32.exe
        
        C:\Windows\system32\Oekjjl32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Opqoge32.exe
        
        C:\Windows\system32\Opqoge32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Piicpk32.exe
        
        C:\Windows\system32\Piicpk32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2944
        
        C:\Windows\SysWOW64\Pkjphcff.exe
        
        C:\Windows\system32\Pkjphcff.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\Pbagipfi.exe
        
        C:\Windows\system32\Pbagipfi.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Pljlbf32.exe
        
        C:\Windows\system32\Pljlbf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Pohhna32.exe
        
        C:\Windows\system32\Pohhna32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Pojecajj.exe
        
        C:\Windows\system32\Pojecajj.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\Pkaehb32.exe
        
        C:\Windows\system32\Pkaehb32.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Ppnnai32.exe
        
        C:\Windows\system32\Ppnnai32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Pnbojmmp.exe
        
        C:\Windows\system32\Pnbojmmp.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\Qdlggg32.exe
        
        C:\Windows\system32\Qdlggg32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Qiioon32.exe
        
        C:\Windows\system32\Qiioon32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\Qpbglhjq.exe
        
        C:\Windows\system32\Qpbglhjq.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Qgmpibam.exe
        
        C:\Windows\system32\Qgmpibam.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Qeppdo32.exe
        
        C:\Windows\system32\Qeppdo32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\Aebmjo32.exe
        
        C:\Windows\system32\Aebmjo32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\Allefimb.exe
        
        C:\Windows\system32\Allefimb.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Ajpepm32.exe
        
        C:\Windows\system32\Ajpepm32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Akabgebj.exe
        
        C:\Windows\system32\Akabgebj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\Aomnhd32.exe
        
        C:\Windows\system32\Aomnhd32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Aoojnc32.exe
        
        C:\Windows\system32\Aoojnc32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Aficjnpm.exe
        
        C:\Windows\system32\Aficjnpm.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\Ahgofi32.exe
        
        C:\Windows\system32\Ahgofi32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Aoagccfn.exe
        
        C:\Windows\system32\Aoagccfn.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Windows\SysWOW64\Aoagccfn.exe
        
        C:\Windows\system32\Aoagccfn.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Windows\SysWOW64\Abpcooea.exe
        
        C:\Windows\system32\Abpcooea.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\Adnpkjde.exe
        
        C:\Windows\system32\Adnpkjde.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Bhjlli32.exe
        
        C:\Windows\system32\Bhjlli32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\Bjkhdacm.exe
        
        C:\Windows\system32\Bjkhdacm.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Bnfddp32.exe
        
        C:\Windows\system32\Bnfddp32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1248
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Bjmeiq32.exe
        
        C:\Windows\system32\Bjmeiq32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Bqgmfkhg.exe
        
        C:\Windows\system32\Bqgmfkhg.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Bnknoogp.exe
        
        C:\Windows\system32\Bnknoogp.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\Bmnnkl32.exe
        
        C:\Windows\system32\Bmnnkl32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:964
        
        C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:552
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:592
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        78⤵
        Drops file in System32 directory
        
        PID:2892
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        80⤵
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:928
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1712
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 144
        92⤵
        Program crash
        
        PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abpcooea.exe

Filesize
74KB

MD5
aab37e66a7551280a7511dd89eb84fd5

SHA1
5a322a1a1f89913399759dd906f7f7a7501a1c61

SHA256
5f46cbb6eec042732b28b1bb21ca14e7e4de2bb7617618b49c2bdf3604dad167

SHA512
e2e95319a04cb98ee15f38e3400610439f3a00e9c463cd60a48e60493a78c2e359cff02fa75cadf1148ec9d530cc18892e54e78f153af73fd6a9f803e59bad87

Download Submit
C:\Windows\SysWOW64\Adnpkjde.exe

Filesize
74KB

MD5
39f0bd469fca601730581df867fa5d3f

SHA1
f6bb36efdee9a0a4985a6b1b7e2f9fd22965cfb3

SHA256
6661932951fff8f41affd133a47107d098bbe383dab63ae69047da31a7dc121b

SHA512
e7fe01af244d8c481b91a6b9016a047a86a5658a1f372c283a5c179a1b2a6f655109339084cd014ff6791beb8b9990f2dbf22d2351c60196074c71221c7cd185

Download Submit
C:\Windows\SysWOW64\Aebmjo32.exe

Filesize
74KB

MD5
1f10983ebc9c6fa127e4b05e6ad3ab33

SHA1
6575339132598ae521ba89d878f4bafb9c52f926

SHA256
4483f87692edcc464cdce8071e2a83dc18ce23dbd99347cb11565b229588e7ff

SHA512
97e04069edb991ace8f7655032b6afad453fadc4a9820eb01d8244e0dd0c03668cbb0e25809670adc004ba3a75b91d34de1cab251a5fb2d9cf6a986480661cd4

Download Submit
C:\Windows\SysWOW64\Aficjnpm.exe

Filesize
74KB

MD5
7501a3754db8c3ea241320a5e64fd926

SHA1
14aba724c06dc2edc48b75977f0c5d25d8f3eabc

SHA256
8ef8e2c397e2d60f535578febcc352daef32c0625a7e4f7b456d86a8936db8f8

SHA512
186ab6ac2dd28d2a1bc41390389f508e82200f9d8d5ba707e59ead779476bc3d742ced1956fb766f4c2f9a75b5abb2d9b0dda4f9a618f55c4774e178fc8af3b5

Download Submit
C:\Windows\SysWOW64\Ahgofi32.exe

Filesize
74KB

MD5
bcd233e53d18cd61f417fff13da85da0

SHA1
7ee18b5559a033afacdcd5ffc3c83f968db190be

SHA256
c03e2e6100e96e96a777b6bca5c5462d7d839f9281bd1699ed2965173981e70a

SHA512
1a6ee3bf173d33b4cc093ab86257eecea6cd989e1ba143e75e38489458fac8b634e911d172b533d54acc48189577c9c9933a95eb3cc6641c3dc50c6b6da54d71

Download Submit
C:\Windows\SysWOW64\Ajpepm32.exe

Filesize
74KB

MD5
3d69f13c8c1f8f193fd249979ab217fa

SHA1
f9d19ad5d35e21c936c89dd7dd6775cc3af6fb7f

SHA256
3b084be91a3e54efe655f8a391d19859fb1a44db02dbba357f1d5c573bcb7ef1

SHA512
78114f32c89d7e70b18f8b292968c6312f2df5911efac4480b9b1c098437ac10d081ac967799677a0913abca3c04e8314cc70e6411bb9a8151ee2a726ade3d5c

Download Submit
C:\Windows\SysWOW64\Akabgebj.exe

Filesize
74KB

MD5
7508aa8776bb4a53a69f0d68fb77db03

SHA1
b58b3e9482af9a47e4a811b34818688f1692e79c

SHA256
883e3a6b9032ee84745200194a005b93cdd062887f16f50c671abcc3ecd919c2

SHA512
7bb478d0c4849fa3d0429c7a6e3014bc02cbcda130e0b4605337942b512288776b1f4452eeb3fc1591b96a4e614d66feb1c610b36f2bf96d3598909d06a66048

Download Submit
C:\Windows\SysWOW64\Allefimb.exe

Filesize
74KB

MD5
f8d36bb55e4821919d565c6437babcca

SHA1
c13231d7164ef56a7ccfb836f24bf83144863524

SHA256
6bee5737a435faeae5dd403e55a67f30b2e7c1ecb04235e28cb37c3f2f2ee601

SHA512
efd0a4f78db88a8dbc202849f99b4e7afb3a5218d5f81ebe42ff95d8fd4e1efe5da5f6d47301a828fa760e45617192705de15b155cb4f43b503907fc7093f37d

Download Submit
C:\Windows\SysWOW64\Aoagccfn.exe

Filesize
74KB

MD5
e7b439acf6b76d2a3ab773dec5688458

SHA1
94f5124c0c83619318a75b73a2c49c4d1cf1efbc

SHA256
ef159c28371a616a16ddc84cb13b583528c439b3c9066846c94aefdf39197ca1

SHA512
c294f19c01c0ff500f2d67b54c079b6da30423f76f77fae1cdd70f6aacb7821d097718a63984a75b88db186cb6647a00ca0a06a26caa6c55c50713b55254272a

Download Submit
C:\Windows\SysWOW64\Aomnhd32.exe

Filesize
74KB

MD5
ec84b5fe68e198fa97b68510510b0ee2

SHA1
1785a23e1a8d227a8357310eb27edcc146e108c9

SHA256
9f93766fe70ab2a981f28c614642fc050e0848a11e46fe7270f9c79d7a1d2d65

SHA512
b563eb2e59a6bb17ff21d711687730be59f217146e5a7eb7c4480e18313c5eff3223e7a567c71c3614838073805fd3002190a007f163996ab5bb562ea6b92b2c

Download Submit
C:\Windows\SysWOW64\Aoojnc32.exe

Filesize
74KB

MD5
36f1681a64f28ee3751dc1161c612721

SHA1
406188766bad7f6945824afa52b8c56ffc14f49d

SHA256
dc52d7c3795989212e5cab5fe373f2e0f7e330f4a05f69ab3b4276f95941646c

SHA512
a85e534d66f7387ad122ecdb2113586be0f93bf334cce0e78ebf838537235f1180680f6cfe8ce57a7fac1d60beb828365afaee62467352de21df074f2f0c80f9

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
74KB

MD5
136e2ac257e01f7a996e3658832595c3

SHA1
8a63c0daabc8e17c06f415e53fde10b52ade7959

SHA256
8bfebbb0fce5ae09c28baea043cb1d59616cefe5b4d1b11fd99fd60b5e001404

SHA512
46d6e000b0c3a25d6a5ceebf0f6fddf0cc4ccc0092ae3291e313ee9cbcad90af912f6f8422c2eaed0028b7a764fd22d45c7259f09a8e839c59fb146f5c4da56c

Download Submit
C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
74KB

MD5
1d14b77f2d7af32dca03702b23a406e2

SHA1
0218ff92dcc4c2b0f380cb8c5630479b3cf8e828

SHA256
2aa0dd6b9adaabf6266aa09534750593a5fd474f7b4592930b8924a3d7e7d9f3

SHA512
5dc4b068fab9527e4864860ee692a6a9883cca7c4e6f4aca9e9c2828cc41ed03b848109694a9ec54af40bb11227eb4980f50901d5b4217bbfdd0137c7435c3ca

Download Submit
C:\Windows\SysWOW64\Bchfhfeh.exe

Filesize
74KB

MD5
41e9def354995471fd152175e3bb2661

SHA1
642b2d40478bcd190790a0e02ab423f147cc4a74

SHA256
283e0dfe989aaec33c1fbc86b969a002bb475ddef7315e2752e5268c7bec059f

SHA512
aff46fde61b739ae15f387d3749034d37113e10f801d5f9e63f3766b992eb0837cbda0218104fef85d4f85d1b7bc42a0a33fe8ca790867455e5f115c882222e1

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
74KB

MD5
74526e2b95c63d248723ae23bdd78096

SHA1
e5aff8817a2ae18dab664fbc5338d574583f00bd

SHA256
c8d08ccdf8e635357143234c8883233a20bb8cb079125c3a2cb6166fc314e80e

SHA512
33996bf26bf0093af78beeb641843700d2161e103f6e65dc0bb3c8576440945567c2c511fcf8426dbeb4f2d3c4653f985352220963e5ebcb1530f45275142ae1

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
74KB

MD5
e2295ac084972f91f6fc111572f81f98

SHA1
b14afdf2fb561a8de607485bc647804bf85410e9

SHA256
3f5f38dc40167bbbf493163391bd68c8dd61ed92b249eee2aede2b8f5c5bfded

SHA512
76e39ae321110ea1aad35bcc55da9dc74797fdb9222217be0479ed90baecf68b3d4ea50a5ada5c77eaff45f080856eeee1f3b0e0223fdeba06971a828a30cdc8

Download Submit
C:\Windows\SysWOW64\Bffbdadk.exe

Filesize
74KB

MD5
fc866445f4d738df3031d6d230b5c46a

SHA1
002b71f3554546dc43bb1a950327a42fe43aacd3

SHA256
a16c3b347076dc0fc8b647c2ce741b2a4fa849eddd77f608872d52c8756ecb2f

SHA512
8b01df026982a20068f08d9e20311b0f5822124e40cebee24654cd8d55af1b97d6237c107ec90d48cb4a74540ee42c38396c5ce21923a365e0f651a85aaa356f

Download Submit
C:\Windows\SysWOW64\Bgaebe32.exe

Filesize
74KB

MD5
1f1e7ceda936f1d93158ef6c7b72f6dd

SHA1
6ab7d3affac2ff5600cfdff503dfeab5227faa0f

SHA256
d0e43895767eb43f80a5f1376e1d970c08fcfbd3524e7631bfbf1c7b3f4a21b0

SHA512
5347216724ce6da000e7804bf764c867d6ed6e644bb05373cbb45c7e9b9d2b327b5ec07fb9a14406892b076425390d2a841a1b1457168d5c0bed19c9666b1529

Download Submit
C:\Windows\SysWOW64\Bhjlli32.exe

Filesize
74KB

MD5
313f8884d8b679e315f37602078ac84d

SHA1
39209cd93545e93a8ebfd3f532c6baefcce02da0

SHA256
7b197449eabb6b1670ca834ee85fde24451527461bcebd4411d3b84d65968bff

SHA512
f94d83ed1b9ed603c1d581970f5511a9535a714ba219c8e4df0c46f15ca27f95b67f60032069882ff5e2b417bc90626e5c617d160f412d4d420c16b3a3efab28

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
74KB

MD5
6991a27247f712756e4b67536c51091c

SHA1
6f35e36a824d11f38c6b30e6e84a5357d4ac8397

SHA256
8e53c7c7879193c1b2c52c3040f519dc8a38e9f708b52680ed479c9381bfca0b

SHA512
8c4e3e9fb77971a5c06d1ce05b0c1dec679cd0bf837e2478c3a25ecd8196d05fb36e367c8bc467ee011069f7d779300760e1cc546b702412c6c096b2412a7e95

Download Submit
C:\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
74KB

MD5
4755d9a80b81f60bf7e945139b1b45b0

SHA1
abfbc88a7377d4a1042c0fc89cdb9618a98d86c7

SHA256
1dfdaf683a83630af3db349fb91ce88853837033cf8d19fe243214f3917df9ce

SHA512
2cc46e941f51d95966f7646cdbe7d3b2638aab30b06c224f9633fc6302cd018c92b015a74ee787f246a300e4332ca4542ab81253e08b3ffa6453ff7d712a085b

Download Submit
C:\Windows\SysWOW64\Bjkhdacm.exe

Filesize
74KB

MD5
bef3027906621b017b151444f2dcff96

SHA1
6dfc483d5987f6e6546de2ed9faec4e9d61d6cb8

SHA256
12241074b008abea3734c6af2e2dbe9ccfe69f28bb2238b3243f45497189a666

SHA512
c4519dceb1410d181a7fa0358f45ac3db3cb2207d716f4d812b562cc12cc4e1ffc3bfa5d5e8ea2edf0cedeee599fa7232fe40ca6adccfda2c6233d1c9ee66b43

Download Submit
C:\Windows\SysWOW64\Bjmeiq32.exe

Filesize
74KB

MD5
5b9328337072f733921c17a1d2e5d85d

SHA1
ac6ddb59c5e196ea0c14624e3d4a606478a1950a

SHA256
1a4d02aa0a40b6e39f9551e954b9487d6d70382fc76ea951bd27c80b85e66995

SHA512
21dbd852866a600012e235f9ca46244c9779ec867bb83c88e401054e4e5c8b8e7b67302bfa59101b6fdb9a683a2dc4df151c13cd1b854cbb9ee174c6fcf91c25

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
74KB

MD5
858dcc4a52ab07f618dc9d22b337b08d

SHA1
080d91d548c7f38182eda9b439fda157468013aa

SHA256
fbbfd82019638f04081871316d5375f06820afa2e208d14b73eeb64dd80f45b2

SHA512
8258e754efce8f5380985bbe17d1140e11d6d203048249ade21622a7d6a1e18d0918c8ffc4218457440c9f865facd211a62408bfb34d0e299c40206aec247ad5

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
74KB

MD5
39e2964d595796134445b089d5118a37

SHA1
f391104dc082e3e809e7dd303563e3dd12751a1e

SHA256
7e647c78f93ff3bb013e7e3a2ce89567390a861557da8abf1ec7eaa69ebbe229

SHA512
9d2517eeb91360d132d29f2279444da9bbaa732cfebddc5bdb963b0efd05dbe5fbc20cdd038e7086c1b38cfc58d8a574a929409e02041151a7ac807076642711

Download Submit
C:\Windows\SysWOW64\Bmnnkl32.exe

Filesize
74KB

MD5
1d8d148481753537184c08d088213340

SHA1
9b206e87a574e4c2776123366441d22dd80fc577

SHA256
9d26aa4927dcbf13f27d9e0424c72350d0b6b4721ab5eb1c6d346eb6b0474e34

SHA512
32adb16061d2d1c2a2a256e471b4eb3cbe44c3effc792abdd077553d53757bfd92fa25e41e1b4301382a57aa68d1088db0139eac87fa8c2ada7e3dc4d14580e1

Download Submit
C:\Windows\SysWOW64\Bnfddp32.exe

Filesize
74KB

MD5
c8c0c8cb0a32ffa8f7dadaa6db80356d

SHA1
683635210b6d95e887103e27b5ac367c5e28899a

SHA256
85573313a30f34f77afa6eefd838b4231b421111e370bb92ccd73b0a205bb77f

SHA512
6a0f8a0b42585c0e76ab8ae52287110034d439276bc3070c216aa848b2a1a4bbbc95eec9164fda9c50b8e5442dd10584886b31eb82d306eddcc6ad824b336e3c

Download Submit
C:\Windows\SysWOW64\Bnknoogp.exe

Filesize
74KB

MD5
14e628af3ada70b20044be57a279936c

SHA1
61c9b88527e41cb1c85e52f96ff8f3d1ef2c2889

SHA256
2fc115134e9514fa8e8f87675a50bb65fcbb4fe983d7e887114630f68ff55dd2

SHA512
6b638711f52e8a802c4c38d1288edb53317062f37abbeaa3accd37e4058468a44847781787d75f58663e0e844e3c56c480ec366d0a6f74e94ac737b2e85979d7

Download Submit
C:\Windows\SysWOW64\Boljgg32.exe

Filesize
74KB

MD5
b1816e35c7b9dbfc4dd366328066bea0

SHA1
be3e5306934358b9deb3fe1684282fc752df4115

SHA256
b28ac45b79909ebedcec0f46996cbe6f297e2d37f73b261c9a488afeb37f843c

SHA512
abdee501cfbc17202a960091f460d226e2df8e6daff3357492a5ab426bcfd9134fd39b70009799bbbe1c9e7a11e38512bde1ed14dec25c0cdc37ab8ff4bcf20c

Download Submit
C:\Windows\SysWOW64\Bqgmfkhg.exe

Filesize
74KB

MD5
17b940464417ce85c66a1d3b43cd5fbd

SHA1
eee40abeab12a96707c6857510be7803b6d34832

SHA256
852f43ac25efdd6654cc7ccb820c5ebeda8cb9b818368c2e83baa2ccce558bb7

SHA512
657be0fa127b89b806f6e14355d1526ef876ac68b2a97c38bb8f6804fc9f54ecb597ec5fa2afdd2fc3073c5fe075fd1a219465773818fd962d1a7476c7e75e21

Download Submit
C:\Windows\SysWOW64\Bqijljfd.exe

Filesize
74KB

MD5
a9916120e60fdb4ed7defbec02c47185

SHA1
cc5df66e8afe5c452b6ad98f41179cc35202cc4e

SHA256
4b79c248b6de0874fffe29fc287cad214becb65e771a8feb970bea15914c062d

SHA512
bcebc9517905cd127750086dd7ec951e70fdfb157b012f1a97f5f3737a84bd3650239fd058dbbe52e544e57c6a00ffd35acc6411190f445c214166e70c53167f

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
74KB

MD5
4e335e0b2dae3cf8c2454bb59415d02a

SHA1
4a9593bd5185cc7caf5847b9133cf8d672ed9b51

SHA256
06922e781ac504fbc30ef6b0379f14cb28ae80e28c9d2f83e7cd67edca500b13

SHA512
4cc1851f228bed68506025da28fd740ddf504b983acbf0d02177571b345e019fefbf4d51a4d5c968bd8f2daa031819457ff4714fe8789030250dcded0bccf698

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
74KB

MD5
ff5c68098c15c8ee67753b57d24179ce

SHA1
519b0b53be84c87b5bb3b347fbfd9bb0ba8b8f16

SHA256
d3add9252dc983635a1ab658b2cf4326a5fdbc577c5005bd08c85cba9bc1e4ad

SHA512
6e279e6c02b375402468024be89adc3340e2db247cb30064085bf09e4ec466eb01cbf1d527cf5097e82cd7a427351af650164494229489c3d65ebb3943f46b95

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
74KB

MD5
2636042c583d0509caf91bb9dc9a7c62

SHA1
36f0cfd03a899ddfdc62e0c05e092a77c88c01e4

SHA256
21471c79633f8bb3ca5c3c171bf2ab7c766f1f2e70f5d9c6b0cfc66caa541478

SHA512
faf43c73297f80519d96c0d9689a5221c6877643ebd5c91e4023373d770d084f9bde501f445e3cb2dc78520013ef78f6b2247691c0e8ea480fd916da4636742b

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
74KB

MD5
8522156e92c80caaa06ccaaf144e42a0

SHA1
be03f4709ad63ba4f576b90e354d2e402f7e3092

SHA256
a21d032a668e1d48503de2088919beaa3594e8a64d9c9b30e1c9be16b7ba52be

SHA512
6e31cd17be576f279060489c32855ea96c05d87f6de571700d2e3713e829c964e9b53d317da456fa43a444df7d135cac77bae55d4acb2a544c477aef4a7859b9

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
74KB

MD5
f181475e4ab0fce6b180407d0cf2d068

SHA1
db71038323abd995b88074d29c7a9ddc9243bacc

SHA256
a360b53b4975b4e78d265612b147c782085c0822b59109df504ae8e6f5b68b4a

SHA512
20dc6ecb59b5eb757bbc63b5d5f8157d6d74b7ef133894c491ec1a07f423bd818c4c4d1ed327a7a8b3158408d3859c91e1f5623f8adef92e9a0ca878e4eb9aa8

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
74KB

MD5
8ab162dcb82db7a9530448f51b4b2852

SHA1
f6e822b061b5fa3e0eb42ebcc676133b8f7344b6

SHA256
e52c4cccc5e2ee975fb394abaaca0f73406bd77e20a43412b0b1c72588871fe5

SHA512
a9171333706b6b287e55236801aef10687e577dc97e0680e5d7d1ee121c809e54943c27ce88442c5871d99a606f298eabc4d82ef2d6ff2f9d06132721f4bbeb8

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
74KB

MD5
306a1d55dff5f9fb9b9f54d7574f4cd4

SHA1
97d35445035c3be1d7d4bf9ebee4bbba466997c0

SHA256
d7f5cf7b32d38521be0bc38670316440e9fcbda816ac63f66bda20a033c7a52c

SHA512
d53933959ed139e017f067a4ffade651697e4717b4994286aec4b569fd1ab2f0521a8f9ad5d79e75450705185ba2a04862c7f897131f945ef177444b8138f8ec

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
74KB

MD5
08fcea0ded7352c8fc273adcee2ccdd8

SHA1
9d113ec441f6a8c6747b7faed7ca9b0d8dfb181e

SHA256
0c37750955f9470bb030f39151d6a403afb18248c98820238bfd489ec2b61aa6

SHA512
1dc2a9b4e1243b063bd7836ccf27802451205afc125f6fba4c16c0c1c2a8b7c0b36224cf7fb03b64d31cf3c88b5278ecbe9c3f41137c3a9d1be9b763818e08e1

Download Submit
C:\Windows\SysWOW64\Cenljmgq.exe

Filesize
74KB

MD5
0d085245ff9b80e76a1e4361bd7f6c19

SHA1
54ce173f64f2a3a75e5d65495728a4aeec80d657

SHA256
27173522b6d0fe830aa7725365e8ace72fd926b163c18eeca5345ae53b14b41a

SHA512
e39eb153455dbf4e81c411434b1e2db813d17186d19c67233ba278d7927d1ad740b14cfb4d415eb6f98b0d51d047e673db11f666f437e70d2e788cf427de97fd

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
74KB

MD5
b5be0ff40e3b66f5f44a31a1d8ef4b86

SHA1
5cf5316784f3f29abf4fa1c8fd71fe28943dcfa8

SHA256
b54f0d6fb27e6c37ea08b1e37b05aa0763277ef79d0e1337e98f225ed4515a3f

SHA512
0cf87db13ddbe2d49a74408991f4c105e8f3f57d33987d8dfb9a8d1013a37d6328ba227f0777040ea6d7e151682b11f35ffe59525fa4ce03813f095ba3b91bce

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
74KB

MD5
a280c8c7bada6082da4fd344cc4152d1

SHA1
eb764667cc244b59545f95fe006fefb7b2ea9fd0

SHA256
7155e73f511b59a42d138dc598da9cfb429aa6e5d94bc7ac74e06327c78ac5a5

SHA512
8d0680255975737c18689e6be618d3642fd8cd220b4c9651bc1696e4aaaf1efa982495fb00aef072b937dfba93f99e3c203e129b9ca6a95357a2000e17d8e55e

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
74KB

MD5
220bc11ada6f2396a085c40e3c335c35

SHA1
987514570ae11a04fb9306cbee060aee4f21b268

SHA256
0b7163ec9d0c3252f387d80c1d25a7dcc609edee974db7b8e3f7d359fadd4193

SHA512
a33350b1370babf556e0e483f00fb8a42bab5d14d9c9e784771c31ab81aa99c5cbe9fdf53647a21feb5b675a6309013f601f42dda6dddc829d17165fbf6bad39

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
74KB

MD5
3f2d8b5ae8ea708a134e67193883db18

SHA1
c364839c5580556958b38d6aa843a1e1c4cb6b7f

SHA256
903b6ae71ae643ba39a965111aa51a74d2a7ec02d3a96843fe67a52d6e28824e

SHA512
8eea4d88377e4ac506e8aae92bc421c50ce15a653364a16736c609acf5fbe5cb90a8af8683f8911931499706344f8aaf60290590166649b2a1a11fd0489a2595

Download Submit
C:\Windows\SysWOW64\Ckhdggom.exe

Filesize
74KB

MD5
2221c79334dac26c18d6c5129f1e49f3

SHA1
2dbfa53070a7384442272860f8bd0f00682924f1

SHA256
f5602740ebfa9ed48d6bbfb74694b888aef3343b74608977a5139c9ba2ab6d8a

SHA512
0bf39f08fa9fb32555d8a0d7884f0850200271722f1a48e1f79b6d55e7ed06e2cfc792112e3e0c8f8d4cf59c89ea3697ccbf88dcb680a5c027182bfd0c4a659e

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
74KB

MD5
ce385dc419aa4b6ab8c08c7905e3fc1a

SHA1
bcff9893e0b2ee24ecbdd01faaa7f4ca27f52ada

SHA256
00abeadf8e3ef770718e6938a0ab7dd7ba19b3789546d66734ec2e189d8428a1

SHA512
8fd1249b57d1b6d13f0450591adfb7d74a1af3092bf0d91b98b411a1c73351c6d21b0ae5c2c3993b453e64d27d0866888a0af7341dc54aeb763503668a72623e

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
74KB

MD5
a7ac4f8c81757e82875baa2b04091094

SHA1
1ffbcc966f4c6105e8deda2d667144144eefbc28

SHA256
d784063794511ca9d15425730952989885df074f817ff97ad3f66de94c0c0e29

SHA512
0fd4c7df8012c930c0d05c2a5be257c3ad62bf627a51ba2568021389d3099dc15e4d9a7e79dae60dfcf43a5548d042f0675306d8f2728117fe06e5cbd14bb4e3

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
74KB

MD5
54a5781eb33bb1c5d6c764785b6ee3fa

SHA1
950b614c26c56c2ca0c10f9a5fe00113e420447b

SHA256
4fc217c7bff7582a9e6ff6ea07bd2ea7c7b2f78e93b8feecda0cc0148e8697ee

SHA512
3585a015e5bb1d5de1a0fb83d10a317dac5a42e303be263ccd580016703f1d58d10af68738ee82be5f8de9131284c105f9327cf9f91a0ccd5d1b5eaf5a97ad34

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
74KB

MD5
6c44b29463dcc73e02653d015ffd7dba

SHA1
68430d1867ff514b9db001b25b3df6f365b57d58

SHA256
b611c39cccec7640df2eeb185dca707a5f6a99bfc7e2efd9216cf00f52d6e93c

SHA512
5c2a19506991c81ef8db33812c9cc8ce481d0e5bdd09c7667f7f358fd051e9459ef4471e33d948f8fcf3e34ef22e5d2f1cce93e6e0f5fbeae3c7b10a632e0db7

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
74KB

MD5
c82b59cc568bb520d8d246bfa699f42d

SHA1
11b85a086995e7352eb8dbe5f1e41d5862003631

SHA256
926443e2f3bfea944bb05d434d3a5e5433e7293c65d6f202a11469ffd036b7a6

SHA512
15c3be969a1fcec9fabec55fff711c993c07e3e24f10085404a94282f7b141aac90805310f535da4c0c908728ec66ebf0e3cb760f3b1d71d5586bedfa2b04e24

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
74KB

MD5
24289d92b8a272a57efc82519d06f0d2

SHA1
703c246dae5ca431ce19e470505073967da4f090

SHA256
9d622b160d05b7f45ccaf491e9aa41a91754979985fd9327e6d15e5565a1f329

SHA512
72c92a7ef1b17d84cad90739646c6a4b0be6af2f8b77b79c7cdff13168920fb9b7bce061465a7eaaed5a90aed41a0296501c010f8f28ccc2c80ea725b9771383

Download Submit
C:\Windows\SysWOW64\Mcnbhb32.exe

Filesize
74KB

MD5
44765cb60a41120db90b2e1d80651161

SHA1
a509fa2c5178e7374056e9150e58151d49ee7689

SHA256
6d208a574b0f224398e9c33a392df67fa5723a790dce67a53a85299a54f3b54c

SHA512
02bb6c34f4b6acf56e3d64da1ad439b5694b947c6df7f01556a8266948ab31e6225bf2fb4135bc916fbeff1c44a8132406cd3ecb05a3c5a3704022f79e646fa0

Download Submit
C:\Windows\SysWOW64\Mfjann32.exe

Filesize
74KB

MD5
c25ebc54632d4c0fa46ad364ec2fe716

SHA1
7f91bc6466dcfc43112637926b4b1b3b0bbef946

SHA256
50183a2a43d731e6a6f39f46ca3394be0c1e27dd314a30b33815569ae3d1ed10

SHA512
9b0c84e936846f5a7069a46c82c6e5d967b224906496f7127a1ac8f78e20d32069103bf5e2d01377c7a0dd856d4b84de9e225faf5d49d47ccf61dc0df9997163

Download Submit
C:\Windows\SysWOW64\Nedhjj32.exe

Filesize
74KB

MD5
99570f78dab897a60e8ee8e817e9db0e

SHA1
1e9b72c8447abb4230a883cfabb18b3ec75903f0

SHA256
f5cceae73ac3fc159b179f070b18eb38ee807229e47ce785e6f26cb1d0786f65

SHA512
ec9f12a3ee5e23dd824d8f2b2c2ba4838ccbee87ca06d3db9e6096757d79dd0d64876e03f7ca122142f2e9ea1983e612dd514e019a70516092c4d4d283862217

Download Submit
C:\Windows\SysWOW64\Njjcip32.exe

Filesize
74KB

MD5
3270f87619b8175e06c12644569ce71c

SHA1
daaaea6d2d2fc720998405dd4f2c9706c051edde

SHA256
46e2f351e8da80b2a7beabf8279469d1a80a376e4426feb50c0f8c9c95d01eb9

SHA512
39ba69c8427e1e8171c255282db91520492b2b0602cedce80f613dccadb0e6cd94698faf924e8b76603d89ed810c6f092eeb1c332a4d525953aa2fe48159a4b6

Download Submit
C:\Windows\SysWOW64\Obhdcanc.exe

Filesize
74KB

MD5
7ba9c52d8e80aecec424b4dcea2ccb33

SHA1
32a872481b1dc6b43074dae29279aaecf2fb8bce

SHA256
f26d7eb88d4e06f140ae642eeea9b6ef827348ce7e8cd807875767b37b595e3b

SHA512
6fc279d6677d1c835ae527d5f585e9722d3a69f9a36e04163160c8edc39def6aee223cbef399bebfdacde8f87b402aaafc659d6738d717d525a3525f4fac400a

Download Submit
C:\Windows\SysWOW64\Objaha32.exe

Filesize
74KB

MD5
d44597543a7ee8961bce7fef4a14b927

SHA1
2c6584c1c908a49839ee98c205b2b60b1752c7c8

SHA256
948ddeda2aa235f5b4b152c09cf69503917af666adf8c4ff1c0109a7a38b3352

SHA512
44a155ce704392845ab6eb59caee4580b00f2b80813cc4ffd17090ec53aa8261889e2bf360633941b2b078428245376b4c671184269c64af198dbb1edda1afbb

Download Submit
C:\Windows\SysWOW64\Oeeikk32.dll

Filesize
7KB

MD5
4978eb08ce91f119107be9f15755f5dc

SHA1
e27ffd278b64f74554a96c9426a52f9b2562974f

SHA256
dc779fe31b2cce5a1e6fb17b2f5bb4c823d0ecb973371fe041e176826348c58c

SHA512
c6f74f063fe8bcfe40e0f4e83c61220ad5a895aaeab16add184b06afb7bc024c23b5094f3c77a4f1bc938d4b7d753e39aa6e1fcf0985af1418a8a6a39504649a

Download Submit
C:\Windows\SysWOW64\Oekjjl32.exe

Filesize
74KB

MD5
019552e5c45f771d80250c50f0be4702

SHA1
7ae3c7e9ff6fc35e1805f5238bc0b9f32cf44b5f

SHA256
a35f6e7dea3eb027c95d4926a3723f615b8480ffb4b1f2043bac1ef82da2b345

SHA512
7786247ab59446572ef9e634ab840fac890109629ac957d2ed8ba4c703bbb775ae1d05cabfdd804374197bddc239e0ac43ab9269618bfffb2e18ea2aaeff02cf

Download Submit
C:\Windows\SysWOW64\Ofhjopbg.exe

Filesize
74KB

MD5
f10c856e092eeb21670bc82ed389c4f6

SHA1
2bcfad620659437a2c6279f3d5b5517319d3569e

SHA256
eb0b3f7dec6bd9c5fec3f83773ac4e0268bacecd90b119066a083917b817da68

SHA512
3a29548366a41d73425fe9303dd3011e3ca712c690f3d03ef5ee7fa054699323437c3f87a6c2b3009166f77b6128caf395bec083654edbc59678920df2e038af

Download Submit
C:\Windows\SysWOW64\Ojomdoof.exe

Filesize
74KB

MD5
78873dbb4e1921f6b8363f02a2612007

SHA1
4bd86d1bf45bb284ba65245ae96d3cb96d10e5c9

SHA256
a2dcee1fc23845940db5af5c835d0bfeab5503a09a9de4cbf35f11c9c7fce83f

SHA512
30a8990b8ff1a93343e4f296a51c08a93bbf111fa69bb3e43f6800a6656041b8a1ba1ac9ce283d3b1a43818bd6737834211717948b477ec809554cc42eb9fb3b

Download Submit
C:\Windows\SysWOW64\Ompefj32.exe

Filesize
74KB

MD5
cc9ac38961ef45edcc8f5dd22c8816c0

SHA1
ba7ee017dc361a9fd43197e097676291a221717b

SHA256
f481bb217f03fe7875122867d091bee1f638ab4fc9531f6395164683caea2ab3

SHA512
854a4b5a727c4341a5cef412e66872d3a2190c428b998556e865ca3fe4b687deaea8c3eb90421476925f739722b0a57e48a658d672e190114fa8714ce43be82c

Download Submit
C:\Windows\SysWOW64\Oplelf32.exe

Filesize
74KB

MD5
3b7deaa6edbbd354f6728c07a05c4c69

SHA1
884b4d0fcfb2e4a0374891ef8a2b779ff890e349

SHA256
3565fbaf8aa3298d188bc958f97c5ff734189afdaa256ad31d6e7d02ab066e02

SHA512
bf5196b60cd5c1afc0559f0af688541fd6e5aba184f371a8bbba58b5c0343f2ab41f28930561fdac2b090eacbb79653eebcfcd639a99f8adefb40bdec2621343

Download Submit
C:\Windows\SysWOW64\Opqoge32.exe

Filesize
74KB

MD5
68aedc4a041e533a12919b2373f2d3d2

SHA1
5f282190e0c5f52b2ad04e8eb867294e09a1fe5c

SHA256
574a17a5e55038c050e1751b9a7b6a582c1411850be1e8f4435feb93e2bc9655

SHA512
82477e524e4c0b65a56acc384ba793313faef46b77eedcd5ea1393dc17a384ebde8cb5ee186fb14cb868aa6c4b3aeb871b6aba3120a92fd0ba3296e28a197611

Download Submit
C:\Windows\SysWOW64\Pbagipfi.exe

Filesize
74KB

MD5
ea789596bfae1a42def638ae7e814d79

SHA1
151ccfc127e004d4158604361f6890c935b9465d

SHA256
064790be8b193c4af1eb320b8d61d84c28ffc32a0627ea321ce3011ea2da13f4

SHA512
0567632030bd9ddbf4eff5e1b2c5b39bf0499e866c6d408ab89210cddca1b09397c7301dfa50285ee548e67b31191cfb1d694b4b2bc4e5158109a8c7cafb09cc

Download Submit
C:\Windows\SysWOW64\Piicpk32.exe

Filesize
74KB

MD5
7e0f79de24bdbd7318649525b1be3413

SHA1
0ff8335992707314e61b390f7828806206d9ac9c

SHA256
19e4217360d9fa1ecf57f531352cc3c4bec53be9c265fec70cdbc945919c829e

SHA512
b395185c2b0ba2ac15f658dea891f82aebe7bd28da504571fd337ec13c2ed9c5adf6b7cd55df6be53ebd165b63a684c1a3da9fa960645a607bc9e748ad174e24

Download Submit
C:\Windows\SysWOW64\Pkaehb32.exe

Filesize
74KB

MD5
9e315238086d881090cb8dde4e72f186

SHA1
1aa74ac53942025d89137ea5af30a7a8eb0305f5

SHA256
4e18358b8ebc7033c41c12ca938940e1f42b454470071377b86ca150622fd98b

SHA512
74a9ec38a90db3e2666d08c827682a29265fbf9c84e85c06cc728c5d9d76c781d61583330876764550644f6c162acc6b233bc7151c18fbe0459a223a4811f554

Download Submit
C:\Windows\SysWOW64\Pkjphcff.exe

Filesize
74KB

MD5
dbb683508d14b6b4e6d793e086dc4650

SHA1
c01aef9ea6a8c66897bab7b2b7db6e6cb5d1afc9

SHA256
d21ce3367cfaef51a2c79c4322acd22c97be85f4c14370afa7377d6eee347ab8

SHA512
e2c10a6970aa6b9eb9fb8c54c0fb17d9793a3340a296e5dc367245fb75377a331261f27f8f46550d962fce6552e698d2ba5c8cb61f83ebc8525ac004fbaabc20

Download Submit
C:\Windows\SysWOW64\Pljlbf32.exe

Filesize
74KB

MD5
9a390cb74151c94d68a5181d676883f9

SHA1
93b64e2d645529d5e1f1bd4d0459c40ff0708288

SHA256
5df61ad84bb56575158010f3649614d874b28020ecabb429a63de488b639f13c

SHA512
f170a637ba4239d7f7285b8065149959f17f260a489423dcb97309fba3ed8026d9c55677bcfa5c360a3c56d2bae9f447e5f2a2c4a77f719296ccf0a1e4c3890c

Download Submit
C:\Windows\SysWOW64\Pnbojmmp.exe

Filesize
74KB

MD5
4f4f9b696e466b6bf00c654e99deddf4

SHA1
b5033571503e60a640e28d86cebf9eb28e73aef8

SHA256
7a99111fe7ca88989c93528a1c29eda6b0b55f9e7e06812f3683de28dc87266c

SHA512
7002ea34b27289d24961ca3f395226b770bcff0b11070088f56360108e27e7ce4e5e1ce90f8dbf2811db64d2ff6f87f9930841f0f125c9755288e48311fededb

Download Submit
C:\Windows\SysWOW64\Pohhna32.exe

Filesize
74KB

MD5
c6f0b2da75ef175e9fddeac0b4df4a28

SHA1
bc142617848a49a1857eb9abeec6c2f43a9f7e2d

SHA256
ea01e9f605ecc3cb3b722cc1f801baec23e460c2d63a00a6a002c371c6e20003

SHA512
4d7849ff7db9a748eb8266bc4e62f6d185bd82bcb7ed7b18af917d823b7f6aaf7f997d3f9970951e913bdbb14dd8a5fed8fcdc6bf64ac91c4a1a277a00ddb2c2

Download Submit
C:\Windows\SysWOW64\Pojecajj.exe

Filesize
74KB

MD5
09b938b96bda4923158bbad4b63abd07

SHA1
9705fe58837de37f337790c55cc72e3e5754f990

SHA256
f517d12ce2a73929d7d20b5b2aabbf87b214d8b02baf68afb49e08469310afa9

SHA512
368ced124fa16ffbbc77a7f84c1a0ed389e8987b2565b29baa9ed80db7da73598e9ae770eb8efd9af536dd5ccbd30723e937943fc68087df8393650b8ab50da5

Download Submit
C:\Windows\SysWOW64\Ppnnai32.exe

Filesize
74KB

MD5
5c47b539a6c59ae372281a72813efcca

SHA1
8d1bd4de449bdde4ee6a6585f1e9c4ea97de22b9

SHA256
588f34b52cf33c42d07b5f97ffb6cb3bc25998cc9feaa76e5af8eb556063ccf0

SHA512
4c37b87e1a96b803a44b51dfc338032d92762d5ad0d3452542c27df4a4b8eb30fdc729ceb848f3f3da6a51905853cb0b9a8b58e4480edc75fe96592fde2fa81e

Download Submit
C:\Windows\SysWOW64\Qdlggg32.exe

Filesize
74KB

MD5
9b0d078fc5e9f1ab43072708ad165d9b

SHA1
0f877e794c91f2b7620ca6da459148878d20f72b

SHA256
9abc5bce121082e9b40e3dcd4281c3c2a18b0fa2a2e430aa9b2263e1a29bbdac

SHA512
0a55cbed9f8a952a7c6a7626d560cb14ec85eea2cc5b3fdbd56ac7317627eda5e02acdc96f505d777c3c9a0f239b83e362ad076ecbbb46f1bbada4fe42f844f8

Download Submit
C:\Windows\SysWOW64\Qgmpibam.exe

Filesize
74KB

MD5
acdabef5039c4407fc073eb94447f532

SHA1
03f61b011e206c260ffce0ddcfceac0a3726c809

SHA256
b3585fbafe188e930e2cecabf8f67274f264b7acaa3f87298f9b048c5603598b

SHA512
c9d6f11d6e68554db51ba807f63a9f88713432ee6b564fcf3a77c8c0deea2f39d20811ac9bc6d0e34e536c70553976f49ca1ccd7b93a18c05c5b8e2c7951115e

Download Submit
C:\Windows\SysWOW64\Qiioon32.exe

Filesize
74KB

MD5
3fbe56f0a272b69c47d56a304eae9a71

SHA1
d67fcc3950f69498d26ace3521e16b577753d166

SHA256
257a4b3e82cddc2cbad600ca961a79a91c03b8ac58ae9fb24c5d94f77a48963c

SHA512
fba726e70a6db4ceba48f1b98d87f0dcec619ff688ce2438d7efc6a1f4fcc27536eb2df5b16ba05460cc95c0b69fccb98cea4e3427825e5f93a2149db53b944a

Download Submit
C:\Windows\SysWOW64\Qpbglhjq.exe

Filesize
74KB

MD5
15ee6b338b356c1eab3d6e219daeebcc

SHA1
2df62576ab27e2239bc15687db15f42085b2b556

SHA256
8eaf8864fde887748e37687976212c7b3fa91b0080666a1b20b9dd8577cca1fa

SHA512
1244ac85f4a315e9db865e418936e341833deb1ad577df1f6063191a0e11b6bf9c5a256757115b549f3f5f0c602613148c38b19c3d6c02bb393023b1b5548c78

Download Submit
\Windows\SysWOW64\Mcckcbgp.exe

Filesize
74KB

MD5
22d914cf0806d21fe7c3f4d3d3d616ba

SHA1
d9e1601801635db64fcf2a05dc64aa5d287a645e

SHA256
784292bed2e7e708c2bff0544d6b5fc96f4a15ada0a6ccc6716cfaffb7ea7224

SHA512
cfba3c83ef1f8c96224dc1cb2cc9d23d94edd25b1c58686b29f303b4346916fa93ecaa4db9de4b23792905c63572524cc4a3c08eb25044e1e51c07bcc1da836b

Download Submit
\Windows\SysWOW64\Mcqombic.exe

Filesize
74KB

MD5
693934f3d405d6d8c461224501938273

SHA1
cec3c9f17d29cda1bafbfbd8905160e0e8605e8a

SHA256
461f1b46c9d704c6b1d7f87a95a1f2ae7a7c96780d12e4ba1042b2037b890740

SHA512
b3f562e628b3686c4c46326a38d9d1371ad17616716abf5779506bd86e960db517169a2b2d74233f3d30a6784c235928b2ffb1fc08b71316113c3b786ca3fce6

Download Submit
\Windows\SysWOW64\Mfokinhf.exe

Filesize
74KB

MD5
349597fc91d588bd2f07f4c242700577

SHA1
b99ff95d81f95fb4133d9ee1bb6af99efb33b562

SHA256
70d27d0a9ffe93c57332de0e7f07337664a5f28146c5b10ad65d8c5dce1d737a

SHA512
2f10dbe65b5f57a797d5d9a0882ae36e6227ba87d7a63d2e46844f46b793657015bfba316f73c452509891f9cac3c96a0c113b3e5ca618b32ed72d2d5abd4898

Download Submit
\Windows\SysWOW64\Ndqkleln.exe

Filesize
74KB

MD5
d51eb24624e96bb15b836d1a88a6a19e

SHA1
6561264f997d316b31075b70184f20a7bdbd25d2

SHA256
853da49a9dc9370d81a74db857fa1bd4358cc0f191c36a84072e7bd1351cad93

SHA512
417a339e04afd8da939347bc75f5deca9973e2c25ba18e1be6fe8e6e71b0b141768dd562f14d1d96202c2514ed73a21518a589340a86fdb260219d949ab5e60f

Download Submit
\Windows\SysWOW64\Neiaeiii.exe

Filesize
74KB

MD5
ef69b80ae30e8c2a8179c59efbd49277

SHA1
d3ddcf9ccf22a19d5af9bcb75e0dcb660e74300a

SHA256
2bb9ec5383863cabb49a3d428ceb8163c2fc129c3845097d87368745baf6a620

SHA512
f525f1284a71cab662fc9aba3a1d948ed7c01250ffeee1d0e13eca7ea68d2fd3263bb84a53c4d97fe13a5dda5a43fc606094c270831af4290707912802648ec1

Download Submit
\Windows\SysWOW64\Neknki32.exe

Filesize
74KB

MD5
e3abfd5a06622f808558faf876f7842b

SHA1
f9449c9e75fe6aee26b1ed7d5e27b1f239870f1f

SHA256
d88bcf19523371d7ac3f6e7c12fbe819b02f393ee954645329c10dc9ad4a64b6

SHA512
ffd2164bbe2b2332f54606cd770719ccf124b95ed4b30ac9c04336567a1ab73affc2b239b6c1e10dbdd2a077ab22ecb8ba8be20e0a8bebe4bbfd49d63d5778f4

Download Submit
\Windows\SysWOW64\Nfdddm32.exe

Filesize
74KB

MD5
95b72f309ad00465efda96a2118bfc07

SHA1
87c1e0fa75f241714534835ce577a58417707afc

SHA256
967ff11abf7c2747c3cc580330307177a6b19b7ececed054d2f37467d4410987

SHA512
d7c1f7fb988f39dd5c334d1e098636d52ab4c2d3972faae106329261cc3d5d51689245b2165904696e136ccd790e9b37e8e09c1b42080394f22e1d1981f7114d

Download Submit
\Windows\SysWOW64\Njhfcp32.exe

Filesize
74KB

MD5
ee649ead8caaa7e8dafd2fe565bd136d

SHA1
fbb4746f7a54f40b7e158ad467cdc5a31ad7caa6

SHA256
892887709adb698d8d24c23d7e313815746e10925c33ffd5d3c5063ed0a9feb9

SHA512
b6a9442f8d760f62e2bcf7345dc6393417fed83ee9f8ee665a078f3a6e1459917e0fb8a70a40fe061f4b55102f9280a93aa129a1b009d533b937904ade04c61f

Download Submit
\Windows\SysWOW64\Nlqmmd32.exe

Filesize
74KB

MD5
59d3633409193133cb97e964a782bd5d

SHA1
a6c43e4226dd7da7a96e8bfe549cd041eb113e4d

SHA256
2351cf5afb0e68d3476ad6e49315a3d5e24904a6e5f48b50116b7dd653cf16bf

SHA512
614843ee522ef51fe803c5bcafa40cbc16c8c003ab0fdf6cbdf17fba605d0eae3129cfef684ccd2ccc69e8d40ec3158250e1a4ec570243f37e5242f91f89d861

Download Submit
\Windows\SysWOW64\Nnafnopi.exe

Filesize
74KB

MD5
57072a83684fd39f7f002e2795acf8b7

SHA1
2cebcd69cbec9ebe99d952d345c9214dfae01603

SHA256
8d2d6a781da19130dbb7ab966ca7d53ecd0856d1eb1bc54c330cdca133d29237

SHA512
bb5f9aaee59df174cfa720336038290eb960a53af77c57bdce07fc9c97b2c41617a1c47eefa56290430583b3b4bad9e703680d3d912038674636ea4f9182aa8c

Download Submit
\Windows\SysWOW64\Oadkej32.exe

Filesize
74KB

MD5
c17372d39c44d95f96ff67991d308260

SHA1
31aca69cdec510109f0acb853fdc6b5cba9a3150

SHA256
14af4ebc0e461632b0f5e9537c8ac2525937b24cb13617af5ba30a990bb72744

SHA512
a4a43693bc00be2415547b3321089ff7a6d29728c123de2ff6517357caad72947e573a21d1954bd66b65b6d555bbaa9bbca59db791378cb3073295a7b70e6756

Download Submit
\Windows\SysWOW64\Ofadnq32.exe

Filesize
74KB

MD5
3c4a2f1166b6e14ff588ca3b7c9dccbe

SHA1
df5a48db35f9b0712930d5289d59c7e25ca8727e

SHA256
84ea8ed157447cd4e40c5673c8b422d5ad096c71317355e7abf8b3fbdc9c203b

SHA512
3cf78de641360dd4f4db3d9a8f9c336ac82d9e6407580df66c7a678bce9003d4651a369ff11c805f2f150c9b83928f93c02a524541be19557df5e6a3acb02d34

Download Submit
memory/596-367-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/596-40-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/688-233-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/904-298-0x0000000000330000-0x0000000000367000-memory.dmp

Filesize
220KB

Download
memory/904-292-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/904-302-0x0000000000330000-0x0000000000367000-memory.dmp

Filesize
220KB

Download
memory/996-291-0x0000000000350000-0x0000000000387000-memory.dmp

Filesize
220KB

Download
memory/996-281-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/996-290-0x0000000000350000-0x0000000000387000-memory.dmp

Filesize
220KB

Download
memory/1060-270-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1060-276-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1060-280-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1064-390-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1088-205-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1268-430-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1268-423-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1360-213-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1360-223-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1448-476-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1448-159-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1448-167-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1460-486-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1460-173-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1488-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1488-335-0x0000000000280000-0x00000000002B7000-memory.dmp

Filesize
220KB

Download
memory/1488-13-0x0000000000280000-0x00000000002B7000-memory.dmp

Filesize
220KB

Download
memory/1488-12-0x0000000000280000-0x00000000002B7000-memory.dmp

Filesize
220KB

Download
memory/1488-333-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1548-510-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1548-519-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1580-313-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1580-322-0x0000000000280000-0x00000000002B7000-memory.dmp

Filesize
220KB

Download
memory/1580-323-0x0000000000280000-0x00000000002B7000-memory.dmp

Filesize
220KB

Download
memory/1648-443-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1648-453-0x0000000000260000-0x0000000000297000-memory.dmp

Filesize
220KB

Download
memory/1672-480-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1672-488-0x00000000002A0000-0x00000000002D7000-memory.dmp

Filesize
220KB

Download
memory/1672-487-0x00000000002A0000-0x00000000002D7000-memory.dmp

Filesize
220KB

Download
memory/1692-439-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1692-442-0x00000000003B0000-0x00000000003E7000-memory.dmp

Filesize
220KB

Download
memory/1692-440-0x00000000003B0000-0x00000000003E7000-memory.dmp

Filesize
220KB

Download
memory/1764-411-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1780-406-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1780-400-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1864-247-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1980-228-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2044-449-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2044-132-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2044-140-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2108-374-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2168-106-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2168-113-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2168-426-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2212-251-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2216-499-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2216-509-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2224-500-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2224-194-0x00000000002C0000-0x00000000002F7000-memory.dmp

Filesize
220KB

Download
memory/2224-186-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2252-352-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2252-27-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2252-357-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2360-441-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2488-336-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2488-14-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2528-498-0x0000000000290000-0x00000000002C7000-memory.dmp

Filesize
220KB

Download
memory/2528-489-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2556-388-0x0000000000270000-0x00000000002A7000-memory.dmp

Filesize
220KB

Download
memory/2556-379-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2576-410-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2628-334-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2628-324-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2648-343-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2648-337-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2660-67-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2660-389-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2672-347-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2696-378-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2696-53-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2696-65-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2708-399-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2708-80-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2708-87-0x00000000002E0000-0x0000000000317000-memory.dmp

Filesize
220KB

Download
memory/2724-464-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2724-146-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2920-463-0x0000000000340000-0x0000000000377000-memory.dmp

Filesize
220KB

Download
memory/2920-465-0x0000000000340000-0x0000000000377000-memory.dmp

Filesize
220KB

Download
memory/2920-454-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2932-475-0x00000000002E0000-0x0000000000317000-memory.dmp

Filesize
220KB

Download
memory/2932-466-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2944-311-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2944-312-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2952-372-0x00000000002A0000-0x00000000002D7000-memory.dmp

Filesize
220KB

Download
memory/2952-358-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3020-269-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/3020-260-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads