berbew | 97e3712b8345db0f584850e976007041ad53c13c1384fa0bce2da3bc7c8eb0cb

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97e3712b8345db0f584850e976007041ad53c13c1384fa0bce2da3bc7c8eb0cb.exe
Size

240KB
MD5

eb15068b3476b8d4519aae38f45ae231
SHA1

83fe9664a301b980a27fc8202b805615546ed949
SHA256

97e3712b8345db0f584850e976007041ad53c13c1384fa0bce2da3bc7c8eb0cb
SHA512

21462a3613279b5f0bafa5131e2bf78fe837698608daec77ef6c28b8c4e5c38b025d90b8a65f0017bdd9daa2bd9695eab9d1497304f03aed8ab4930513b9e033
SSDEEP

6144:oozd8iUmCunmGyZ6YugQdjGG1wsKm6eBgdQbkoKTBEA:lzdhCumGyXu1jGG1wsGeBgRTGA

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	97e3712b8345db0f584850e976007041ad53c13c1384fa0bce2da3bc7c8eb0cb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obokcqhk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opglafab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nameek32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlefhcnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgjccb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjklenpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmlcp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qiioon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhknaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgjnhaco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mklcadfn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pebpkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnafnopi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anbkipok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	97e3712b8345db0f584850e976007041ad53c13c1384fa0bce2da3bc7c8eb0cb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loefnpnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnmpdlac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmlcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nipdkieg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmkhjncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnafnopi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofcqcp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdgmlhha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgjccb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhlgmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmkhjncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pojecajj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olbfagca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Allefimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjfnomde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Objaha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boljgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omklkkpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojomdoof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adlcfjgh.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2544	Lhknaf32.exe
2932	Loefnpnn.exe
2788	Lqipkhbj.exe
2792	Mnmpdlac.exe
2672	Mnomjl32.exe
2884	Mjfnomde.exe
2716	Mgjnhaco.exe
1708	Mpebmc32.exe
2036	Mklcadfn.exe
2972	Nipdkieg.exe
2740	Nnmlcp32.exe
1956	Nameek32.exe
1828	Nnafnopi.exe
1164	Nlefhcnc.exe
1060	Nhlgmd32.exe
1224	Opglafab.exe
1012	Omklkkpl.exe
792	Ofcqcp32.exe
1788	Ojomdoof.exe
2216	Objaha32.exe
1808	Olbfagca.exe
2108	Oiffkkbk.exe
568	Obokcqhk.exe
2368	Phlclgfc.exe
1228	Pkjphcff.exe
2336	Pmkhjncg.exe
2160	Pebpkk32.exe
2832	Pojecajj.exe
2892	Pdgmlhha.exe
2664	Ppnnai32.exe
2816	Pdjjag32.exe
2472	Qgjccb32.exe
2280	Qiioon32.exe
2968	Qjklenpa.exe
2956	Alihaioe.exe
2728	Allefimb.exe
1980	Aaimopli.exe
2288	Afffenbp.exe
2364	Ahebaiac.exe
952	Anbkipok.exe
1156	Adlcfjgh.exe
1820	Abpcooea.exe
2228	Adnpkjde.exe
1436	Bbbpenco.exe
2124	Bdqlajbb.exe
972	Bccmmf32.exe
2260	Bkjdndjo.exe
2388	Bqgmfkhg.exe
1584	Bceibfgj.exe
1940	Bqijljfd.exe
2748	Boljgg32.exe
2760	Bjbndpmd.exe
2632	Bmpkqklh.exe
2668	Bbmcibjp.exe
2692	Bjdkjpkb.exe
3056	Ccmpce32.exe
2896	Cbppnbhm.exe
1324	Cenljmgq.exe
1996	Ckhdggom.exe
2328	Cfmhdpnc.exe
1048	Cileqlmg.exe
1372	Cnimiblo.exe
868	Cebeem32.exe
2568	Cgaaah32.exe

Loads dropped DLL 64 IoCs

pid	Process
752	97e3712b8345db0f584850e976007041ad53c13c1384fa0bce2da3bc7c8eb0cb.exe
752	97e3712b8345db0f584850e976007041ad53c13c1384fa0bce2da3bc7c8eb0cb.exe
2544	Lhknaf32.exe
2544	Lhknaf32.exe
2932	Loefnpnn.exe
2932	Loefnpnn.exe
2788	Lqipkhbj.exe
2788	Lqipkhbj.exe
2792	Mnmpdlac.exe
2792	Mnmpdlac.exe
2672	Mnomjl32.exe
2672	Mnomjl32.exe
2884	Mjfnomde.exe
2884	Mjfnomde.exe
2716	Mgjnhaco.exe
2716	Mgjnhaco.exe
1708	Mpebmc32.exe
1708	Mpebmc32.exe
2036	Mklcadfn.exe
2036	Mklcadfn.exe
2972	Nipdkieg.exe
2972	Nipdkieg.exe
2740	Nnmlcp32.exe
2740	Nnmlcp32.exe
1956	Nameek32.exe
1956	Nameek32.exe
1828	Nnafnopi.exe
1828	Nnafnopi.exe
1164	Nlefhcnc.exe
1164	Nlefhcnc.exe
1060	Nhlgmd32.exe
1060	Nhlgmd32.exe
1224	Opglafab.exe
1224	Opglafab.exe
1012	Omklkkpl.exe
1012	Omklkkpl.exe
792	Ofcqcp32.exe
792	Ofcqcp32.exe
1788	Ojomdoof.exe
1788	Ojomdoof.exe
2216	Objaha32.exe
2216	Objaha32.exe
1808	Olbfagca.exe
1808	Olbfagca.exe
2108	Oiffkkbk.exe
2108	Oiffkkbk.exe
568	Obokcqhk.exe
568	Obokcqhk.exe
2368	Phlclgfc.exe
2368	Phlclgfc.exe
1228	Pkjphcff.exe
1228	Pkjphcff.exe
2336	Pmkhjncg.exe
2336	Pmkhjncg.exe
2160	Pebpkk32.exe
2160	Pebpkk32.exe
2832	Pojecajj.exe
2832	Pojecajj.exe
2892	Pdgmlhha.exe
2892	Pdgmlhha.exe
2664	Ppnnai32.exe
2664	Ppnnai32.exe
2816	Pdjjag32.exe
2816	Pdjjag32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Qjklenpa.exe	Qiioon32.exe
File created	C:\Windows\SysWOW64\Fljiqocb.dll	Mpebmc32.exe
File created	C:\Windows\SysWOW64\Nnafnopi.exe	Nameek32.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cebeem32.exe
File opened for modification	C:\Windows\SysWOW64\Mpebmc32.exe	Mgjnhaco.exe
File created	C:\Windows\SysWOW64\Adqaqk32.dll	Nnmlcp32.exe
File created	C:\Windows\SysWOW64\Cbppnbhm.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Iheegf32.dll	Lqipkhbj.exe
File created	C:\Windows\SysWOW64\Qqmfpqmc.dll	Pmkhjncg.exe
File created	C:\Windows\SysWOW64\Kqcjjk32.dll	Ppnnai32.exe
File created	C:\Windows\SysWOW64\Dicdjqhf.dll	Qjklenpa.exe
File opened for modification	C:\Windows\SysWOW64\Afffenbp.exe	Aaimopli.exe
File created	C:\Windows\SysWOW64\Boljgg32.exe	Bqijljfd.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Cmfaflol.dll	Qgjccb32.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Ifhckf32.dll	Mnmpdlac.exe
File created	C:\Windows\SysWOW64\Omklkkpl.exe	Opglafab.exe
File opened for modification	C:\Windows\SysWOW64\Mnmpdlac.exe	Lqipkhbj.exe
File created	C:\Windows\SysWOW64\Jendoajo.dll	Afffenbp.exe
File opened for modification	C:\Windows\SysWOW64\Adlcfjgh.exe	Anbkipok.exe
File created	C:\Windows\SysWOW64\Fiqhbk32.dll	Anbkipok.exe
File created	C:\Windows\SysWOW64\Lbmnig32.dll	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Lqipkhbj.exe	Loefnpnn.exe
File created	C:\Windows\SysWOW64\Mjfnomde.exe	Mnomjl32.exe
File created	C:\Windows\SysWOW64\Qlfgce32.dll	Mklcadfn.exe
File opened for modification	C:\Windows\SysWOW64\Nnafnopi.exe	Nameek32.exe
File opened for modification	C:\Windows\SysWOW64\Ojomdoof.exe	Ofcqcp32.exe
File created	C:\Windows\SysWOW64\Obecdjcn.dll	Obokcqhk.exe
File opened for modification	C:\Windows\SysWOW64\Lqipkhbj.exe	Loefnpnn.exe
File opened for modification	C:\Windows\SysWOW64\Adnpkjde.exe	Abpcooea.exe
File created	C:\Windows\SysWOW64\Bmpkqklh.exe	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Bhapci32.dll	Phlclgfc.exe
File created	C:\Windows\SysWOW64\Bccmmf32.exe	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Bqgmfkhg.exe	Bkjdndjo.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Mklcadfn.exe	Mpebmc32.exe
File opened for modification	C:\Windows\SysWOW64\Alihaioe.exe	Qjklenpa.exe
File created	C:\Windows\SysWOW64\Gnfnae32.dll	Mgjnhaco.exe
File opened for modification	C:\Windows\SysWOW64\Mgjnhaco.exe	Mjfnomde.exe
File created	C:\Windows\SysWOW64\Hfiocpon.dll	Nhlgmd32.exe
File created	C:\Windows\SysWOW64\Abpcooea.exe	Adlcfjgh.exe
File created	C:\Windows\SysWOW64\Ccmpce32.exe	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Mjfnomde.exe	Mnomjl32.exe
File created	C:\Windows\SysWOW64\Nhlgmd32.exe	Nlefhcnc.exe
File created	C:\Windows\SysWOW64\Bifbbocj.dll	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Ajaclncd.dll	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Mgjnhaco.exe	Mjfnomde.exe
File opened for modification	C:\Windows\SysWOW64\Nlefhcnc.exe	Nnafnopi.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Kgloog32.dll	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Nhlgmd32.exe	Nlefhcnc.exe
File opened for modification	C:\Windows\SysWOW64\Bqijljfd.exe	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Dgnenf32.dll	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Aaimopli.exe	Allefimb.exe
File opened for modification	C:\Windows\SysWOW64\Bjbndpmd.exe	Boljgg32.exe
File created	C:\Windows\SysWOW64\Cceell32.dll	Qiioon32.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Calcpm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2624	2008	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnafnopi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppnnai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lqipkhbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojomdoof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiioon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nipdkieg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnmlcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obokcqhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbbpenco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phlclgfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjjag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afffenbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anbkipok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqgmfkhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97e3712b8345db0f584850e976007041ad53c13c1384fa0bce2da3bc7c8eb0cb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpebmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mklcadfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nameek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhknaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcqcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjfnomde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olbfagca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Allefimb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adlcfjgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnpkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaimopli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiffkkbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkjphcff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pojecajj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdgmlhha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opglafab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgjccb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alihaioe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loefnpnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhlgmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjklenpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcooea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnomjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmkhjncg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danpemej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oiffkkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odlhoigp.dll"	Ojomdoof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pebpkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ppnnai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lqipkhbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdoaqh32.dll"	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	97e3712b8345db0f584850e976007041ad53c13c1384fa0bce2da3bc7c8eb0cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkhkcdl.dll"	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anbkipok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abpcooea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlefhcnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Obokcqhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qjklenpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aaimopli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbbpenco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Loefnpnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Obokcqhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdjjag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgjccb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgjnhaco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjmdhnf.dll"	Olbfagca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Objaha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkjphcff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjfnomde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfiocpon.dll"	Nhlgmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjfnomde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adnpkjde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgjccb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qiioon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ppnnai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlfgce32.dll"	Mklcadfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkdhln32.dll"	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiqhbk32.dll"	Anbkipok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	97e3712b8345db0f584850e976007041ad53c13c1384fa0bce2da3bc7c8eb0cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifbbocj.dll"	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgjnhaco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giddhc32.dll"	Opglafab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofcqcp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 2544	752	97e3712b8345db0f584850e976007041ad53c13c1384fa0bce2da3bc7c8eb0cb.exe	31
PID 752 wrote to memory of 2544	752	97e3712b8345db0f584850e976007041ad53c13c1384fa0bce2da3bc7c8eb0cb.exe	31
PID 752 wrote to memory of 2544	752	97e3712b8345db0f584850e976007041ad53c13c1384fa0bce2da3bc7c8eb0cb.exe	31
PID 752 wrote to memory of 2544	752	97e3712b8345db0f584850e976007041ad53c13c1384fa0bce2da3bc7c8eb0cb.exe	31
PID 2544 wrote to memory of 2932	2544	Lhknaf32.exe	32
PID 2544 wrote to memory of 2932	2544	Lhknaf32.exe	32
PID 2544 wrote to memory of 2932	2544	Lhknaf32.exe	32
PID 2544 wrote to memory of 2932	2544	Lhknaf32.exe	32
PID 2932 wrote to memory of 2788	2932	Loefnpnn.exe	33
PID 2932 wrote to memory of 2788	2932	Loefnpnn.exe	33
PID 2932 wrote to memory of 2788	2932	Loefnpnn.exe	33
PID 2932 wrote to memory of 2788	2932	Loefnpnn.exe	33
PID 2788 wrote to memory of 2792	2788	Lqipkhbj.exe	34
PID 2788 wrote to memory of 2792	2788	Lqipkhbj.exe	34
PID 2788 wrote to memory of 2792	2788	Lqipkhbj.exe	34
PID 2788 wrote to memory of 2792	2788	Lqipkhbj.exe	34
PID 2792 wrote to memory of 2672	2792	Mnmpdlac.exe	35
PID 2792 wrote to memory of 2672	2792	Mnmpdlac.exe	35
PID 2792 wrote to memory of 2672	2792	Mnmpdlac.exe	35
PID 2792 wrote to memory of 2672	2792	Mnmpdlac.exe	35
PID 2672 wrote to memory of 2884	2672	Mnomjl32.exe	36
PID 2672 wrote to memory of 2884	2672	Mnomjl32.exe	36
PID 2672 wrote to memory of 2884	2672	Mnomjl32.exe	36
PID 2672 wrote to memory of 2884	2672	Mnomjl32.exe	36
PID 2884 wrote to memory of 2716	2884	Mjfnomde.exe	37
PID 2884 wrote to memory of 2716	2884	Mjfnomde.exe	37
PID 2884 wrote to memory of 2716	2884	Mjfnomde.exe	37
PID 2884 wrote to memory of 2716	2884	Mjfnomde.exe	37
PID 2716 wrote to memory of 1708	2716	Mgjnhaco.exe	38
PID 2716 wrote to memory of 1708	2716	Mgjnhaco.exe	38
PID 2716 wrote to memory of 1708	2716	Mgjnhaco.exe	38
PID 2716 wrote to memory of 1708	2716	Mgjnhaco.exe	38
PID 1708 wrote to memory of 2036	1708	Mpebmc32.exe	39
PID 1708 wrote to memory of 2036	1708	Mpebmc32.exe	39
PID 1708 wrote to memory of 2036	1708	Mpebmc32.exe	39
PID 1708 wrote to memory of 2036	1708	Mpebmc32.exe	39
PID 2036 wrote to memory of 2972	2036	Mklcadfn.exe	40
PID 2036 wrote to memory of 2972	2036	Mklcadfn.exe	40
PID 2036 wrote to memory of 2972	2036	Mklcadfn.exe	40
PID 2036 wrote to memory of 2972	2036	Mklcadfn.exe	40
PID 2972 wrote to memory of 2740	2972	Nipdkieg.exe	41
PID 2972 wrote to memory of 2740	2972	Nipdkieg.exe	41
PID 2972 wrote to memory of 2740	2972	Nipdkieg.exe	41
PID 2972 wrote to memory of 2740	2972	Nipdkieg.exe	41
PID 2740 wrote to memory of 1956	2740	Nnmlcp32.exe	42
PID 2740 wrote to memory of 1956	2740	Nnmlcp32.exe	42
PID 2740 wrote to memory of 1956	2740	Nnmlcp32.exe	42
PID 2740 wrote to memory of 1956	2740	Nnmlcp32.exe	42
PID 1956 wrote to memory of 1828	1956	Nameek32.exe	43
PID 1956 wrote to memory of 1828	1956	Nameek32.exe	43
PID 1956 wrote to memory of 1828	1956	Nameek32.exe	43
PID 1956 wrote to memory of 1828	1956	Nameek32.exe	43
PID 1828 wrote to memory of 1164	1828	Nnafnopi.exe	44
PID 1828 wrote to memory of 1164	1828	Nnafnopi.exe	44
PID 1828 wrote to memory of 1164	1828	Nnafnopi.exe	44
PID 1828 wrote to memory of 1164	1828	Nnafnopi.exe	44
PID 1164 wrote to memory of 1060	1164	Nlefhcnc.exe	45
PID 1164 wrote to memory of 1060	1164	Nlefhcnc.exe	45
PID 1164 wrote to memory of 1060	1164	Nlefhcnc.exe	45
PID 1164 wrote to memory of 1060	1164	Nlefhcnc.exe	45
PID 1060 wrote to memory of 1224	1060	Nhlgmd32.exe	46
PID 1060 wrote to memory of 1224	1060	Nhlgmd32.exe	46
PID 1060 wrote to memory of 1224	1060	Nhlgmd32.exe	46
PID 1060 wrote to memory of 1224	1060	Nhlgmd32.exe	46

C:\Users\Admin\AppData\Local\Temp\97e3712b8345db0f584850e976007041ad53c13c1384fa0bce2da3bc7c8eb0cb.exe
"C:\Users\Admin\AppData\Local\Temp\97e3712b8345db0f584850e976007041ad53c13c1384fa0bce2da3bc7c8eb0cb.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:752
- C:\Windows\SysWOW64\Lhknaf32.exe
  C:\Windows\system32\Lhknaf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\SysWOW64\Loefnpnn.exe
    C:\Windows\system32\Loefnpnn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\SysWOW64\Lqipkhbj.exe
      C:\Windows\system32\Lqipkhbj.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\SysWOW64\Mnmpdlac.exe
        
        C:\Windows\system32\Mnmpdlac.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2792
      - C:\Windows\SysWOW64\Mnomjl32.exe
        
        C:\Windows\system32\Mnomjl32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Mjfnomde.exe
        
        C:\Windows\system32\Mjfnomde.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Mgjnhaco.exe
        
        C:\Windows\system32\Mgjnhaco.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Mpebmc32.exe
        
        C:\Windows\system32\Mpebmc32.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Mklcadfn.exe
        
        C:\Windows\system32\Mklcadfn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Nipdkieg.exe
        
        C:\Windows\system32\Nipdkieg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Nnmlcp32.exe
        
        C:\Windows\system32\Nnmlcp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Nameek32.exe
        
        C:\Windows\system32\Nameek32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Nnafnopi.exe
        
        C:\Windows\system32\Nnafnopi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\SysWOW64\Nlefhcnc.exe
        
        C:\Windows\system32\Nlefhcnc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\Nhlgmd32.exe
        
        C:\Windows\system32\Nhlgmd32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Opglafab.exe
        
        C:\Windows\system32\Opglafab.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Omklkkpl.exe
        
        C:\Windows\system32\Omklkkpl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1012
        
        C:\Windows\SysWOW64\Ofcqcp32.exe
        
        C:\Windows\system32\Ofcqcp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:792
        
        C:\Windows\SysWOW64\Ojomdoof.exe
        
        C:\Windows\system32\Ojomdoof.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Objaha32.exe
        
        C:\Windows\system32\Objaha32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Olbfagca.exe
        
        C:\Windows\system32\Olbfagca.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Oiffkkbk.exe
        
        C:\Windows\system32\Oiffkkbk.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Obokcqhk.exe
        
        C:\Windows\system32\Obokcqhk.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:568
        
        C:\Windows\SysWOW64\Phlclgfc.exe
        
        C:\Windows\system32\Phlclgfc.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\Pkjphcff.exe
        
        C:\Windows\system32\Pkjphcff.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Pmkhjncg.exe
        
        C:\Windows\system32\Pmkhjncg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\Pebpkk32.exe
        
        C:\Windows\system32\Pebpkk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Pojecajj.exe
        
        C:\Windows\system32\Pojecajj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\Pdgmlhha.exe
        
        C:\Windows\system32\Pdgmlhha.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\Ppnnai32.exe
        
        C:\Windows\system32\Ppnnai32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Pdjjag32.exe
        
        C:\Windows\system32\Pdjjag32.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Qgjccb32.exe
        
        C:\Windows\system32\Qgjccb32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Qiioon32.exe
        
        C:\Windows\system32\Qiioon32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Qjklenpa.exe
        
        C:\Windows\system32\Qjklenpa.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Alihaioe.exe
        
        C:\Windows\system32\Alihaioe.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Allefimb.exe
        
        C:\Windows\system32\Allefimb.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\Aaimopli.exe
        
        C:\Windows\system32\Aaimopli.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Afffenbp.exe
        
        C:\Windows\system32\Afffenbp.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\Ahebaiac.exe
        
        C:\Windows\system32\Ahebaiac.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Anbkipok.exe
        
        C:\Windows\system32\Anbkipok.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:952
        
        C:\Windows\SysWOW64\Adlcfjgh.exe
        
        C:\Windows\system32\Adlcfjgh.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Abpcooea.exe
        
        C:\Windows\system32\Abpcooea.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Adnpkjde.exe
        
        C:\Windows\system32\Adnpkjde.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Bbbpenco.exe
        
        C:\Windows\system32\Bbbpenco.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Bqgmfkhg.exe
        
        C:\Windows\system32\Bqgmfkhg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Bceibfgj.exe
        
        C:\Windows\system32\Bceibfgj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\Bmpkqklh.exe
        
        C:\Windows\system32\Bmpkqklh.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2732
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 144
        75⤵
        Program crash
        
        PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaimopli.exe

Filesize
240KB

MD5
2f861b564f9b0b4cf3cbfd35d57734ae

SHA1
63e72ccba5d7fd0e49611d3fc12c603578646085

SHA256
f0de7ef630123032fdf76ba8b67f4389b68535bf8bf4f0bf945da2416ddda2e1

SHA512
b5bdfce3206c58d70278ae73abdf6a255e1bf42b58a9fb144b843a6443310b6cbf5e984e6dcea2499cbaef5b562bfad288a35214b66f880904c50d5f562a6a9b

Download Submit
C:\Windows\SysWOW64\Abpcooea.exe

Filesize
240KB

MD5
be24fedfbec39866112c873ebb4c55e6

SHA1
3c716603485fce81045b03f379d71bba9b19ae51

SHA256
d2f388e0c0e7d7f338a427354a867bf69d5d6131288158ef23fee02a4bd988ff

SHA512
daceb23a751613fcb22fa3ac3afca6163a0f1cb68158a8b89d535277dedd43285c5328d8196dad0ebbeb9dc7d0d277b1834e04e4050ab7088d1b7a21d1996990

Download Submit
C:\Windows\SysWOW64\Adlcfjgh.exe

Filesize
240KB

MD5
6704955e298a7939a1025f4473216ba9

SHA1
45b82915c462a6a89043ee15244415ef4e7e2303

SHA256
417f260861b22df84962524f6b3ecf1d060730f00ece05fe8f5bb431cfde0c67

SHA512
c1143931f51ce99c9f60b7fc2767464fed3ef4f8c65bb782f80160abe42823f63fcd074245895caf48a003345a35f262193a084817dce511726055cf7a47d57e

Download Submit
C:\Windows\SysWOW64\Adnpkjde.exe

Filesize
240KB

MD5
f1ee5c30d67105e937b842cbf2b6d928

SHA1
74339e53773583f2db819d1c29f09a9ffbb8d170

SHA256
690e2d078c0efdc981d59d4b1add81252ca8b586a8ef3c45fded942b39d86da7

SHA512
6a08753b01df0d4382b4df290f0da66533a1398d202252b20f27236cc06c8e38693de86f29666e83d473f7aff136cc67076c0bbf73c793a7a6354c0ac3b0a5f7

Download Submit
C:\Windows\SysWOW64\Afffenbp.exe

Filesize
240KB

MD5
b982040409339fd051e517ece3bb4e63

SHA1
52a155576918c75ec2e13f30a87a886a32c0bad8

SHA256
ff26dcc4b8f387da52d0d75466d0fcfe69822764ae77e865e775c924ce1b1f75

SHA512
2ae5628731851bc46765b2fbee7c22e0423384ee694a1cb73bbed7656127d1fac075931b8596b2680716d594a5b754f1eb6a07ce91faa0eebfaf7b911fac4b53

Download Submit
C:\Windows\SysWOW64\Ahebaiac.exe

Filesize
240KB

MD5
2f212b00fe314205c330e2af243f7bde

SHA1
a7a0659b3d992e73a20b0ac4d92b763c8422c5ed

SHA256
750b02efa1f9c3c981669084960edb09ff9a713b933ee7ffd911538ca7a24f0d

SHA512
895ec68266e927a42a96b04738ae3bfad6a5a30e2888ba949912cf3b733cb018155f305f5eab4c4670223cde678fa5d686fdbbd0a07d08530eb6733518f8b2af

Download Submit
C:\Windows\SysWOW64\Alihaioe.exe

Filesize
240KB

MD5
575d3eb4de26715366d3e802ab6d8ead

SHA1
da2df19fb1babc8b3c293ec36d46521de5bd9c75

SHA256
1ba87ed928e2e7bf402c9aaf42824bdd8d8f79a785011b2b7a4b6a6e37d099c6

SHA512
d2415855aa6f547f5004c01e6c3e3d8c7818bc276a28a648081194c97537eff79702dadc6f0449c5e0a418f768324c5c5e7e139f62d65f396c82fb2c6ee982db

Download Submit
C:\Windows\SysWOW64\Allefimb.exe

Filesize
240KB

MD5
e6333b8ad598f5386dd567c67f1bcf81

SHA1
189d67f47691e4d41c52b8f58b592556b3b9027b

SHA256
b1f478b7269d4fe86b2f8be8d6f5b4ee31f447bbcc3595d2725581c7a2e59c88

SHA512
24863dd349bea0295f75a8e63ad28f7ea5da9343f339776db35b7f8882bed29c8fa75bc21905d215521b86af2bc783067eeb810e88465fcc6b9fc65fc85540b0

Download Submit
C:\Windows\SysWOW64\Anbkipok.exe

Filesize
240KB

MD5
615ce96f476e151d84dac2bd01be8c2f

SHA1
6d98558c83e9fec5cd322de071589f4e53241782

SHA256
735a8e9d0ffcfdcc0a55be6877bf03caa1a5df84cc435d4203e4fcd741aa1759

SHA512
c3872383a36f42c13a452fa54d50386f43b3e92dcf278ef7122c6dacb7a6ac612f9f9c98f6b7fb69328de8d7892a68f0bcff109448ecfd6274bd1f9b712d70a2

Download Submit
C:\Windows\SysWOW64\Bbbpenco.exe

Filesize
240KB

MD5
8313c4b918e3b0f4e618db907ca64591

SHA1
81c6807f59c7cc30bfe8c3418000c1e61cb989ea

SHA256
3f8e53e7440187508ca929a444abd13cfd6cadc7587556f2d0403a63c7997fa2

SHA512
9bec2b33a577bd1a6c288c5e37765ea1fcdcfa1bcf402665a2c8886a7c9de483fe50f3776f23345ba0262b377c6e5019b4bc5a7d5a4a889dc90e5d0b767b6f8a

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
240KB

MD5
f1b14787817d8fbeaedbb19233b50f29

SHA1
9f47cd9ca7a577cbbf339ff3d52756b2b46a1273

SHA256
3ac6787c70e9303595a1ecfbafe773cba7eaf828af53269edf605cf8e3d4e494

SHA512
091085e4e6e5501fa2aba733170616879752212054378bb873504ad30670ebe912b381e0ce249585661d965d3f267b03da99e7aca132f8a453479564ef6e93c1

Download Submit
C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
240KB

MD5
2489330873f606ebd4a5b1698b8f0165

SHA1
27ffef7a111e37c2735fb9ce2780d7dcb31162c0

SHA256
9ca2296ccd3a44f9e5ffedc1f48be7ae7f562125d57f811efc6cc30e19d78310

SHA512
3882ede75d7e29e53c8fc79b2611e3e5400196766f2a61c7cd8114cd8ee8301e0bebfd270265ba46f9471f8911a312d55e8a2a0aae6ae06672ce8f79dd1d5d09

Download Submit
C:\Windows\SysWOW64\Bceibfgj.exe

Filesize
240KB

MD5
f69030cd63de5e49a4cdfbc4cb05958d

SHA1
4d761664830280e88ea48eb0c0d1908701a22d8e

SHA256
4cdf1c9efb4cabcce4a2cd66bdc34a0715d8a8c9b81e234013fa82dc9dfa42bf

SHA512
b21e208181aa6130c21d603566784a5e01960064b04f67c2798481cd359d3c0627702b38744cea962b362e8d5f680009db6f6dd30608df8ecfdab69bfb350a7b

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
240KB

MD5
28dbd213a9aa5f77adc60e695b3357de

SHA1
3bc34908d0bfe6a85136a334637cc0be01d1d3e3

SHA256
838749c5b6c5e5cfbbf09ce437138fa758c77f212d6b481ee0d2ab17ff90a9b7

SHA512
f0b571dc446950b67d4d219e73fc364d88d31c7b23cfadcb2796ed15bba0999c7dbb0c56f5ffe934a43a8444f9d0e0fb02790b9d6e7f2b311b91c3bb42fb0ca9

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
240KB

MD5
216bcdb69851fc32100a35848bbb4e0f

SHA1
0a21631b0576965234cd861843868a65c4d55b10

SHA256
c89fc3294b99ebdfb520f092877f076920aff7a424e5af2bd0aae44a5847cbf1

SHA512
ffde94004971e8d5b0c23379899da40b0fe32ef06d5fe115f507d7f9e255194b409104ff55648ae65d89350c2eac55ea56b1706dc4bd5e1dd264a33e53e60eae

Download Submit
C:\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
240KB

MD5
8ec6ca1c4fbf6aca76a2a5a44a6a69a1

SHA1
98630108cea3895edacb148519dd97c2bb56d3d5

SHA256
62fd004e769d4b32e39f877599cbb8222091283d929a005d805fb9a8859c7414

SHA512
9dbff7d67b38c04f66564a655488f95e8dceec1866de7ec9bb442e729b51aa6e377449141571f89c9b81d97a6a4d870844cae4b3dccc67dad86fb11867b190db

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
240KB

MD5
ca21fa23021f312eb1001b9b41faba21

SHA1
6ae013200e2dad8c585ea8d50ee4fb470d737255

SHA256
d29892034e660e03140f868732d9860317677d8e77d198ff2f2affb5fa19caf1

SHA512
6ab4464078a0eb7c16aec744789099ad14c3b81b0728b1cabbe46493b4681a44ed829811c59871580d6e43de717909b9c4df7999fe750e1c447e7e148bab4eac

Download Submit
C:\Windows\SysWOW64\Bmpkqklh.exe

Filesize
240KB

MD5
cd39f0a5af800cf7076b72e1b7473316

SHA1
a5e15c9fc4635be072f3cac192acff1ec6636e1d

SHA256
cacc5e25fc0cc561d3ae0e40c49db8ebc67552c474f354ef7ba6b39e2a6a5564

SHA512
5c3ccd858ff6b7323050ab083ea115baa197ec64dd41c824beb9dd0648f25e3ba41eee5f2d9e0574a0b2e5fed835149ff4f837a1195296dd2002ac4fb5983d87

Download Submit
C:\Windows\SysWOW64\Boljgg32.exe

Filesize
240KB

MD5
4213bcd1a637a58161262404815a2bd0

SHA1
e7dcef04dea967c0eca6a3b1566ebfcc896068de

SHA256
9eb2c51fdf291cbe642577f411b131a49504c252d106463f3b3afe2d905740c4

SHA512
09cc251e4ca9e7f9e9a483dc4de44e8e6da70fb8da9445286bc5a4d4a596836df5b5f1e948b375fe69a498da7dd16786ad6bafdd4c75157a53bcada6d21194c5

Download Submit
C:\Windows\SysWOW64\Bqgmfkhg.exe

Filesize
240KB

MD5
b5cc9d2cdb18ea6aa17836064383cbb6

SHA1
96fa792fd655dd9b1e28e03c24690742d5f45bd3

SHA256
dae1a3c9ef6782dc007a6b5c4eae71755000e5f70a2f930b31a8fa225a29fc13

SHA512
c99185cf714da9d727ae28ec0e532807384008c5bb10e1d49d6553d5115baf712202e3a4fcfc025b4a19e7f75245351cbfd846d5a63d43724a8fe150aabf3ac6

Download Submit
C:\Windows\SysWOW64\Bqijljfd.exe

Filesize
240KB

MD5
39f14f7f3f25a7c8578ca7c2c63861f3

SHA1
928d2a9eff00e4b857df6b69eb83a818c53a2cde

SHA256
e710734d85134d7ab64d56980a87b31c2eec428f574bce620c9fda9b48162294

SHA512
0505f670860af89383a02c2afdad19f41c26085a5f5794de6815363727a8af377a0efbcb08d46870168aad53bfb70c4dbed6af8be5b9d454aa37ab5cdfcc77c9

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
240KB

MD5
6471edd520ffe09a5ed80d60ab4118e5

SHA1
1dcb470cab7bb738c51a726d0ff6776f910f4b82

SHA256
31260c41fefd830f07312dbb422395a9b141bf28301bac3202d624170dbb8c95

SHA512
e18f7473b6214ecdf731256ae81999c81ccd170f79b39c5b8d5a910ca19401ead556624cd9edfc905d75efa99cb9470a180c6602080e80f7ada41b9d2f0cd9b3

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
240KB

MD5
f9a41bfc350a67e7ec2b27546f86c371

SHA1
89eea81b38261a6236e326fadc39be07ac4e51d1

SHA256
5f24f1b10efca1419b3ac48bb46811eb8e1058ea6881cb440b2486973500a2cd

SHA512
0255bdd43a421649837280a5452903700fcea32d03c981987a265183be0a27011ce0fbb21afe53f55821f34020200e63b40475ab7c2ae126c138416659ccd9b1

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
240KB

MD5
fb353280717a4aa78225ec075ef770fc

SHA1
84d95f394c192fc9a1f96e559ddaa3eece851b9c

SHA256
676ac7c58b07ff328fa57e2993e20cc4c9d411a70b9a3f18b3cd513a3fad86a2

SHA512
4a94239b5c7b13b1a5606e42e7ce6273965802f212a7f0af8285ed1a06f2c37a0917592506e3577e88c0b26eea8c73f12872807cad07b7607407e452069e18a2

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
240KB

MD5
22ad184359aeabfcb7f52e2125e61211

SHA1
e1524f4e8a70c3260af606df1333d56cfe4f6be6

SHA256
4c6dec5d7a3308538ac651b0f48d91e2aa434f6a5a3c8a3d5c80c8b51a1bfe30

SHA512
90db2b670ccb06c75690dc56b02d80ac8b3daa40a6315ac53328ceebc858f1ca15ff551e883b9647f6314c9157874d39b55f8c344396f9ee72845c3b3505fcec

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
240KB

MD5
479bb09f09c6cc7516e995b004f583d2

SHA1
284b91a742cbe26234130f8a473733a0f17b3121

SHA256
e81718634926ff55556ef1fd120938449161a5f9d8edcc4656c27fd77e99b0dd

SHA512
01558b260dfbef290213349217aeb6c01566507736f59d50b59a8f9dde1688c5cb1b66438e23b42eb38969508a8c5ed78b52efcb64f6e1ed29dde045ef2a22f5

Download Submit
C:\Windows\SysWOW64\Cenljmgq.exe

Filesize
240KB

MD5
3fa32ec03ca693baa2dfd029a384d3d6

SHA1
88bdcfacfbc85ed06484ea295aab688700c5788b

SHA256
4392f4fcdbc86efead5bd600b7e914d38d5457d325b470ad60b804146bb80e22

SHA512
d1615b22a554393e0502d346ab5e5cc01aaabc7862dbc32e21581f25e5079f257f0f65ba4070c328f41d095198b1be4aed53c92b5e5b06c56d215d85338f9d14

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
240KB

MD5
12750462d8571b2d9ede4b0ee4ab5a58

SHA1
99cfed175a2adbcb1f0730fee9b8934b6aaf687e

SHA256
57c8a6248c9fd8a817d73e40ff977b4b151cf059cbb6c6322cba986dfcf1dc74

SHA512
31db3a80e67c56ed612ae70d22d8f7c1c9183e86294c7469b1d7a691d60a0e2e34bc4ab6d72f1a86de939faa476347a5f3836b3621ed3e77e880c05c6cf8947e

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
240KB

MD5
b0e089172f396c1818f00c5e95d2dd94

SHA1
ec970041bdb6bd25cdca25180bcb32f7af61a10a

SHA256
368ca0752aad59475eb8a8d1a876cf72dee263801e25f435ce3c94742667f4ec

SHA512
5fc3cb1bb9465b4722455a116525a35ae3f9875aec8e58dc3872c9a7b1de20446042e1a116a2da4982a707683c0706aede8c606f345b93f3b0ab7758ab30b17f

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
240KB

MD5
0a892df290d64709a93c4d3a8aaa19a4

SHA1
fc8b8aa2e29089a708006f7de0f7cf321e6ff4ad

SHA256
2113deec8e2b36e914b36c49c31487ab96ecc2f9b1435ed9b9660a711b85c2e2

SHA512
f3d031d8400209f70fb4e528261abf58ff45f6afe5bf58a1871299c60cf6789d585dcdd9803f47e3942fc0c05ebf22796cbbe6ca94222e9ab36e6ba88ea4e587

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
240KB

MD5
279751b67233223865666643bd17130e

SHA1
2e1d9783261ba3be4b1cd01824e69dd1312b7af5

SHA256
448a6aaffe71e4cd89bc0a4fcc66787a4a6ce359ca88db5d7b24fd4b09b76485

SHA512
91b7860e8fbbc295e429b980736efaa25e33c80d55ee363cf778cc8381ee100739200b7e437e50dbadab4cb24fe9b758078a83ec24efc1ee64ab97790ff832d0

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
240KB

MD5
4789f0008e7829b2213d0745c2720290

SHA1
88bcd8a8411eb0df548bb59ab4fef9660223a1f0

SHA256
3040767175041e0ccbf399d3421a3408760bae62d35caa0758a4ebb402607b0a

SHA512
e492b999ad8823436e6433ea4970c46c46641ae5ed698fd6d09d57e0096a53ad1a8784441bc7e375d1f759001d40cf1f012e5f593b425e5000c9d882851b1d71

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
240KB

MD5
5afdf1cdd6b7b29a0dad4828d411ff7e

SHA1
1e6c5f03b8111dff1456f84943c8437be7ccaba4

SHA256
a37bc683f3ee29dcd2d927236d474e7074dbf0c6d37b037b90c7122c2f2c2ed3

SHA512
9d6128b45afc293383db02b8ae119ce1b89154e8bafd6f392458d2e424fa9833f81da09bd61e3e33caeba1517733cee1da27b7d73809b719cda8a7d1097c1713

Download Submit
C:\Windows\SysWOW64\Ckhdggom.exe

Filesize
240KB

MD5
e172d7cc3f0f6dc9649b75fa38d91fa4

SHA1
9f7f546033fe0806fdd091b3ad1ba80ffc3b4f1c

SHA256
5b7a73aafd8cac65f2a295ff5487e4bf7e0b1cf8531f18dff68d74b15489c35e

SHA512
f675a8a2dc835333f75629e3d6cf8207a6a0b729b70d80c6fbd18f60387f079c86ee07dcf62083c921515cb8942953b17a782389469f4e89b079013dced0033f

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
240KB

MD5
96a2e28f7f542fe4527c0fe1b3abefc7

SHA1
b79d5fefd0a36761c57fd897e78e0f19421dc8d2

SHA256
ae0443d6ef6f7c80adaf4c9751ba66d0f71e5f9578f6b968a73531de827dfd7e

SHA512
2783ee92be4c0eb9d9e9f48bee99843301db348f99d75d36a813196178fc86bc604f9c1b0c97c206c54947254112af859f7b708504c3f6845fbcd180b25146ec

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
240KB

MD5
adf1726061646be784141dd83fa4766c

SHA1
adfa30e8b5f0ec22694aa7d902e31daf95b6e378

SHA256
f1a1ee646d982bfb3c4167c84f9c63fb52606c4abbbda4f42ee92e84dd565d9c

SHA512
e7615a10940f3fa7484fc69f1980dbdce39a73fac3d143459e5a5c6c302653f08e732e9d94b14fc682e9132f8e6ab0701f2e885931c822346645072bb8cb116d

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
240KB

MD5
63e3fcf7ee59277e72a81f0837d92981

SHA1
b505a6a6b5d2702636f7ba05717705d70c052162

SHA256
cd737b0832232a3b56d3928d866ffe9b1d8c9ddda118004098242246bb4edd40

SHA512
49badeb13aef3b09d7f931666487d3d80aaa882dd8ffca6eac59da851deaa4416fa3fa83a630da001a017f4222fed747372bf799640f466f938cfe12e5f2afb9

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
240KB

MD5
effcfe37d318ca53c6ce1c7bc7062f70

SHA1
ca337573c29511fd1b08651b234559da7ba1e640

SHA256
054f6bb4e0c06cc8da36b8c7fde41547e66bbe811d26753b8c1aefb66f251b92

SHA512
80d4f7dd38ffddc4a92c0ecc4341dfcbe93883b0153073720cc4e4e27dcb251f1ea2df143eda158701321aed11d1fd3cac3a4dfa500004c871ab15a00e8bfe90

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
240KB

MD5
f10457b9b4f3850b21d0438b9c5030a2

SHA1
44f4c6afb6507ccdd09cd943012fbe08535b378d

SHA256
6c70acd7547e2d24021cb6de32e12adb6e761c918fa1ed517d25bd09d7992475

SHA512
33fb825d32d88631b202dfa8a1773a16a9668c32bfc06d5034fc07a3126a096c5f14bc367c69871d8a36af1405d4689f0ff428112f4860dea988c74e303d6816

Download Submit
C:\Windows\SysWOW64\Ifhckf32.dll

Filesize
7KB

MD5
60048038a461420c8a50d52130c60b78

SHA1
b8207ae885165dc4c564a89a7823387df71a64c5

SHA256
cf5bfc98f4e3e7fbf25d67aeb19f0c5c8bc668f22c61c36c99eac876bbf5a28f

SHA512
64f9eafacb34bc752e9cdcea4096cded7e54d62549d1f1245f6e0e38c0a01b79e56e485509ab482406813b81220e9a70f4b9e3924e10bd987c1f08a8b5729098

Download Submit
C:\Windows\SysWOW64\Loefnpnn.exe

Filesize
240KB

MD5
44edd9d1e712a2919f0a73e055cd8c28

SHA1
43310fcf172af82a61d6d9acf7f2ab1051ffd5c5

SHA256
ab765f447363f7d2ee955946bc04e24f6683d92b3d59d48325b96e75973b4f4f

SHA512
a2adf2bdcf60888f010f04563e69155e850fc286e8b69eb13e5b098febac5c3a41c89f6ddde5272048904e0b06c801baf1a40b00ca5b9cf6f712db0c9c4311a4

Download Submit
C:\Windows\SysWOW64\Mklcadfn.exe

Filesize
240KB

MD5
e0f7b8afa1ae30831bc8cafe208232ff

SHA1
c075d2a41939ab8cc27145a5303ac9748aaf1e55

SHA256
ea31d9bdeed5da535e32f538c803aa953f81bc7834473864968f7e7f1076899a

SHA512
d19833938c97a8ae20c21d0ed778e148dbf9bee99182d76127cb925c8c9010db66b720a8ce360571b058cd73d665f7b49232ad820ee7a6e53de83cbdb83bbf9f

Download Submit
C:\Windows\SysWOW64\Objaha32.exe

Filesize
240KB

MD5
7b2210dd76092a5376e4d817e2f81337

SHA1
8ab7df974620975ea86f0c8bf8ad5657906a1785

SHA256
f738cc4592e23c2129657aa2af4b894f1796f948c5ddd8d677685c5f7ff37792

SHA512
b0c512ae13c1a9c433f5898e424a3041fddce8110099675845d807021cd6dcb13ec7309916c19f270a1fc8b4f9d5fb026611bf582a5d9cb1aea5a0bcfc8f4da1

Download Submit
C:\Windows\SysWOW64\Obokcqhk.exe

Filesize
240KB

MD5
b11bafa7eec2bc409166d7e8405a053e

SHA1
a56414e9ec9fd43fecdf9603e5dc9af430b4fd3e

SHA256
5326e3b3313e647112aafbab0f39f951b71509988bf0965cea5be2fb1ec34960

SHA512
3b678e456e2b4dff2c101f554ec014f9d3801020d8c3168b1d52d31f10779d222cdba190bd6a0dc0edc84987d8cf0499d69e7f819afd790fc9a7ebb91a67fbcd

Download Submit
C:\Windows\SysWOW64\Ofcqcp32.exe

Filesize
240KB

MD5
6ff34f5e802d3ae1bff96c8265309405

SHA1
4e43f1cb6fd15d6987d9ac10eeb34cb898a1c0f2

SHA256
878e1ebfc0e3da8ffef294aa5d6f9d6c97395bb2706aba84bfabc6e2b284ea74

SHA512
4162658daae92f8adb204a48f9e0330d32a0c28c9348daef743566f148dd77fd4e7f4719c9e29c087b9830065fc6a2fcb2caecd3049fe813f56dcc52912ee0d9

Download Submit
C:\Windows\SysWOW64\Oiffkkbk.exe

Filesize
240KB

MD5
ef440b06d645427b39b706d9fe28f8d5

SHA1
c1a0c9df87d95e9aeb246761fa4ca0d19369be62

SHA256
98a952818b79d22f54d898afddda7e6b9cc02b0b8de55d9dd1a834134b2ab6ec

SHA512
653b77f1415480b9263e280f852ac5d3c596c4d920bab3dbd5732a69ceb77ab6f113a38b52fdb4c3e03a7605907de247226b75a92b8387e35d2af3908ecb7f57

Download Submit
C:\Windows\SysWOW64\Ojomdoof.exe

Filesize
240KB

MD5
5c296f6055b8de97129ac31c308f486d

SHA1
988181fe5303a73d8a73b6f2881c6a8210b44f4d

SHA256
ed39c5ff222494acf1daf80287922f71ef7aa2989d6e9056c523172a819dc327

SHA512
792790199c19dae3977c13e32dcdf511dafc5d2e720547374a4b26b8df78452e1fd32f7d75741f8b17a83b82770cc1e831022a737d1eef8cb62e7a67ce003056

Download Submit
C:\Windows\SysWOW64\Olbfagca.exe

Filesize
240KB

MD5
3e08c9262a835000cb9f4334ad7271b8

SHA1
de693d4030b302ec91a48f8ae71f1cf54c1fe319

SHA256
a3fff49842637bf46241ff86db497f4a71bccbe0bd5c659fa5f939459dcd6f15

SHA512
6ca13b8d414fbf4bbe96e8e7aa589446e3c57ff21609f1b9f4e0278f2d41091ec9146048ccf6bc24bae220a378df6bb5b02cb1aface892cf9a9db21e69758c3a

Download Submit
C:\Windows\SysWOW64\Omklkkpl.exe

Filesize
240KB

MD5
6b137ed67544d11ab64846c24d2804fb

SHA1
0b0d7025a066158229dee966383b371b570a6c57

SHA256
699f6c5e006fc40b7f9e1088122f95f2c4d1fcda2d3fc5f8001ad2f1bb41c627

SHA512
ee9eddcae48af966b03e78c38070071b70c49a6cb7afedcb07fcdec13f0d2f7595e7544c8681e169c20a8ec1e0d2c9ff915e17bc3350c07bb2d932fbed0ec62b

Download Submit
C:\Windows\SysWOW64\Pdgmlhha.exe

Filesize
240KB

MD5
ec3a270910a94273490c15d04ed7ce4a

SHA1
603860e5208aa664a7cb3a9751f0f460f910fb0f

SHA256
ab1651c36ae444ad952d12511b026aab94e2526423e3e8a37a8b9b561a3c1d5a

SHA512
5d971f1b16f4edaf744ecbfb8c9fed5f527c701b2a3c3507bb96634b045e0eb9db0f68937558a0817a33c7cbdb3e1c9c03c49ac416a478476687de10acd362c1

Download Submit
C:\Windows\SysWOW64\Pdjjag32.exe

Filesize
240KB

MD5
1382d107f9dd1839c98750dbc68432cf

SHA1
ad44fc3a8cd777058e94a0c8ef02be6febe419ec

SHA256
8d4b8db341d69182b68efd26ad511c149673bf6cf2a487a797b3bb4a517f41e9

SHA512
31620285b34603175a864e6f862bb165a88be1a04fac75fe2a6bfa0c1d730ac5fa9f63b03fab33bf08f5dd1a5df8166d3378b442d08d5605c87fe013b5921f24

Download Submit
C:\Windows\SysWOW64\Pebpkk32.exe

Filesize
240KB

MD5
a455b900988d48ccfcfaff976e8065e0

SHA1
fe81476c8fb2362367741275788aae965e250a25

SHA256
8d88f527aff3e3a23afd0545850e0fd4c993fa0ebfe0f69e16ad2dd235a2659d

SHA512
e2098b1652242df5d67b89b26f8bad2829df96d88c1fc90f850e9de0f369405f284cbbf6b48dbd467ed18c924e973fee217609cac7e051766d4651a2130b46dd

Download Submit
C:\Windows\SysWOW64\Phlclgfc.exe

Filesize
240KB

MD5
e27ec2d8da785a6cc96711e6629a57fb

SHA1
e5a024e13969a2bb95a949c5233d673668700608

SHA256
0978238d3d67a8ced9f663707f3a94cd59de3b3c928aa5b62284129ff566c193

SHA512
0728ca94d75fc418a8a626b978f1c166d52981084e4e281502bb04a2faa0040fe0f27c882e61759132f418ae3e5b282141d69e604ba1cd4ed79e07681d01cce9

Download Submit
C:\Windows\SysWOW64\Pkjphcff.exe

Filesize
240KB

MD5
01a4127c6d8667ffc7da33565316d0cd

SHA1
a1a29a3d12051ba7eb38079bee770b749fd11734

SHA256
9983afa21898d79134b60d81775b2d4cc183d5d63b0145f8319b42380b758b4a

SHA512
12235446284cc72372198299811827fbe6a79f9ed7dfe7e0cec77a3104156483335768a41ca5ffe6012a4a7ae9eab56a55178d7fdfb05aef075c5fca5620f9cf

Download Submit
C:\Windows\SysWOW64\Pmkhjncg.exe

Filesize
240KB

MD5
181b75d16aeddb116a630445183ec8a8

SHA1
872fb28d42cb6752cad9ea06181aac4c662970ab

SHA256
67efb6a46015f3aaa0efc73c8c1679dfc17dcf885721a8f369b1079d11b6abc5

SHA512
9391386f04c1c47bc4b18de7a4a79245e21df2d43362d7915a19454a37fd637ae3f2c57e0efe380401316cc7e269d9ad04fafdf486fac8e908ea5ddf0838f599

Download Submit
C:\Windows\SysWOW64\Pojecajj.exe

Filesize
240KB

MD5
6aa1a7a08cd640a8e2660606ba0b85f8

SHA1
9bde315f4b8894dd728bdac86071e92ea29717c5

SHA256
838e5fc0e342cb87add84eef5a975e7eb6aed8bf534ee3139a121e977a25486e

SHA512
d5ab4a04bb2ff27e1ef2e254506f5e42efbfacecc13fb282a36ad614f177f84d2727deb9f8735766c5659917957a9782a331831d68619f104c4e9151eaa1613f

Download Submit
C:\Windows\SysWOW64\Ppnnai32.exe

Filesize
240KB

MD5
9c5986ef6bf9ac729575b9f5b3a35e59

SHA1
46c0bf731663b5b9a751a935985ecf97af3e4730

SHA256
1eb1b5d326f2e8bda2709ceee62751e66f0aef268ea40144ae698dd85021a0a9

SHA512
1dd543a7e67ddfe8fc97c6e263d8ac72c4ecbedf4f596cf22ed40ab35aaeba381c8ad61b8b6dd961f2f06ec839a03ce2f04a56d38fb1c5d57c02fdbde92b8911

Download Submit
C:\Windows\SysWOW64\Qgjccb32.exe

Filesize
240KB

MD5
1673f55027326736d20edd7d78b1cfef

SHA1
d61941ad8ecb93c9e9572d7dd8fc3848225325a6

SHA256
250cc719699ce639dd145e8c39060dfd321c36b3c4c461b17bfa253c77a84fb4

SHA512
e7e63bab3304a2ff5bb89f539963e739051f84841834af1177fd74c168457a0dc9f80c1292183dd36f00507a3a141e757026cdc655c1d2d597a103da687c87ad

Download Submit
C:\Windows\SysWOW64\Qiioon32.exe

Filesize
240KB

MD5
949895bf1c91a18d0a0e06121f0a7e06

SHA1
6ea166f86941e49e676c649d7c80068b31ab2987

SHA256
56655fca3f830b7d0a207293b1c32b9fc36623724ed92d6bdd812ace9826d22c

SHA512
6e34b4294333e4a57eb6105fad8721d699474787e9c0ea38c8da8f6769a7258e8a628dcbf57e2a245b55a649e17f64fabe3d7a0e4e910cc8520693a4c0fb84ad

Download Submit
C:\Windows\SysWOW64\Qjklenpa.exe

Filesize
240KB

MD5
b612663a3b68f4e46438ae4dc6ab9e27

SHA1
172378224ecb81cf3d10cf061f3004a9c9b38395

SHA256
aaece6034ec5ad81dcdda33b779b51bfb4389c8ad6b91b976dd5c30119c9b672

SHA512
4c5fb128b53dd77c1d53d1bbb7934e38363e747ed14cae09366b6c88779623e8009792034bf585a1e6e9a46648ddc1a1c64ec9db565063f6e777fcae8d6d4f97

Download Submit
\Windows\SysWOW64\Lhknaf32.exe

Filesize
240KB

MD5
63628f68a1a0ebbe9231a72ded25b1b5

SHA1
32cf54253c95f669488476a4c4800a41a1c28028

SHA256
e036cf338d1d9e7a70a51e9cd4627882d607e8b5e1d63aa838d139d506953d4a

SHA512
29f95bc0198bd1ac824e0e6d2d83f18170124924c4040a12f66a5c3dbc3f168bfe010ca2bb503bbe4a902afe87c150dea33191809cdd959681f852a6186553d3

Download Submit
\Windows\SysWOW64\Lqipkhbj.exe

Filesize
240KB

MD5
df0256d42f24bc1f090154372106a6fc

SHA1
54398612275ff59ea110b4c9c9d067e2017694ee

SHA256
68f714243b7c8d33158452e0a25ecee8f635abe1b0d069d0c3ea73c45b30c6a3

SHA512
fcf12046597f1736a08aab6221c0c65005b4029b9d4b55a62655851281474effb747182b6c87511e0917fae84ce301d13c35f4e6ae43e8f941569f1b0f199139

Download Submit
\Windows\SysWOW64\Mgjnhaco.exe

Filesize
240KB

MD5
b34da68a16be4f8958a7e038a981d2f8

SHA1
0627e2c34544ee7e274c866bf7af231b58aaa145

SHA256
2c16cea6a66daf6585f011d9806ec47b39a6a7d968c947b77a2ccbf0b17f17bf

SHA512
4098031e840c30ac9a651d45b0cb6ffa2717d5f3d33408904daf9db94bc01f957585ed31555c06acc8d234cfef0faf80276cfdc0b274b6a18852bd0c036ae59e

Download Submit
\Windows\SysWOW64\Mjfnomde.exe

Filesize
240KB

MD5
7cb6f018bb7a98fc86a1ff3d6cfe61e9

SHA1
f70c12efbf058de4fdc581565c674d86e9eff370

SHA256
8936991327d433c37b2d6046d7c4bdee00e96ca13bf6c7c4ca33660c2f9a477d

SHA512
e57c5dc1aecae3601540af8b7a9c7ec2855d1f2a499a1ee6a1abbbe1ce16d13da2747257387dd401ba5ba96d2a82ff8ea92605059de3ddc3f902aaa77c05d9c4

Download Submit
\Windows\SysWOW64\Mnmpdlac.exe

Filesize
240KB

MD5
a95736506f009267fd4af58352dc8964

SHA1
73039a1d5ca60d934d7de128b6b0deabb0561419

SHA256
c3d546acc981a466a8fe15a0c5f9522112b469b2149394549b0d5d809d0bc8f1

SHA512
b446fda1c7e9851d10451d063940615925173740190981078b2a180d7b3f322094c88a89893601ee17300d14219cb62f5b8e396c19db3c0fff75fb893eab59f5

Download Submit
\Windows\SysWOW64\Mnomjl32.exe

Filesize
240KB

MD5
e8e701750b7b0351b758299f1c72d346

SHA1
767f3588504e43f58abff77847b9aa7386964eee

SHA256
228c91942d2b7d3ee6999759cd9920a093b067321db80e2f04423bf4fc85323c

SHA512
272d3231e1ede425f8744f686fd992537a1723f384333890419c901c25cd2835523c690b22e8534461b7190f5a74fa7c42c6f29741a33ba3ed07006ab5790097

Download Submit
\Windows\SysWOW64\Mpebmc32.exe

Filesize
240KB

MD5
8f5cb296a9797792efbf15f1d881a22f

SHA1
5c7c9777f623f8280dd9fde51477e1b78c86c942

SHA256
fa66cbcaaafaf3992399fc398fea2c8964eca1336890f30597bfcbf051cbd002

SHA512
b1f387c707a862ccc261428277e5c56f264b273e3586fb3ddc627ebe615635393e198f0220c3ca3c24fc507890c7ea53633233ecdc45b83e9f405c040900f6ee

Download Submit
\Windows\SysWOW64\Nameek32.exe

Filesize
240KB

MD5
e2d9ba9edc8e0080c7a59a9b4c1eac74

SHA1
c1137b5abaf20a8a782a553ba9cefc9753e09377

SHA256
8da6d8826d405c9757a45e42d861414e2e317cd1f9718c8d223c8637b0f80bb1

SHA512
329b788af8bb5bb6b4eb2f9f4836ccfddc1ab08d39d9c1ecaedb2005bb69025af0a2920b870541e62b2ca8f432b448ae051d844f053f6fa358f032a7fcc3e29c

Download Submit
\Windows\SysWOW64\Nhlgmd32.exe

Filesize
240KB

MD5
262fac5669696c2a625750f83a2313b8

SHA1
845cc5df2df3e4fce52b314ff437a6665e21ef6d

SHA256
5995d689885fd3194c876769003600fbcf557ab94029aafee9b793db7dc699b0

SHA512
1cda7b2a087028e755f7e3337caa56142bf9bc878bb7d5d6b83ff4a6991bed570662f25de29dd5c5fcc75ae3ef4dce150a718f50e8109a97123ee51ac118ada4

Download Submit
\Windows\SysWOW64\Nipdkieg.exe

Filesize
240KB

MD5
f61e7649f0ac0044c6ec1ccedbc107fc

SHA1
8218daf1544406b3fb9c55eb6de2588267e148e9

SHA256
a3e9e5def715cbe57bd3798401b3b0d6753ededb87ab7c1f5dadd26ed9e67738

SHA512
f55f712fed796569b22456e0178b8eef4a70545a2100b9894a18c4d4db588ae9cff46b1e05c72c968a97b07fb97e8c691d8d050e024a05c0252cd71f76f0d63b

Download Submit
\Windows\SysWOW64\Nlefhcnc.exe

Filesize
240KB

MD5
1c1d57ed4ecca4c887ab9008173f4fcf

SHA1
38081854bb73bb29a7b799d22650562a6e84fea7

SHA256
9e58134a80fc6878b51462e48f641011f0a6a7bf697420e68eafab7058569933

SHA512
681f75b846a379be3db637e1d468419489fe2c574564bf5658b40841dfa846dd474541b214e66e2c0b14c7e31f886b20efce7461805532f8484bd0c6d98abb5a

Download Submit
\Windows\SysWOW64\Nnafnopi.exe

Filesize
240KB

MD5
52fce6990da4119bd7d3c25f07176cfa

SHA1
d356665d530b08c1c31fb0f46c884c397b1ff0c3

SHA256
a7fa82a178a07112b23a2cf8f4eb0c817b4526515ec4244c03771b5f14d6f827

SHA512
4d5627ff89293f07fa10d98808a0d02a3810ecbfb6c900720d94012daff5c714c21aa621fa0d3986de63c3f6b8b65f1e428e44584075e6dabcaffef09bfa089c

Download Submit
\Windows\SysWOW64\Nnmlcp32.exe

Filesize
240KB

MD5
67a2de9e7248c8b18c87edd983f7eeeb

SHA1
78c97d43eff31bedf3fa27254315f71f40174a52

SHA256
fb408c4eea7982d4117127792cd25804c2729a393184d556a2847a16f2b3c7bb

SHA512
bb81634264e13769286dcf7cd492f80ea459de436ae479bb9eac04a32c9cfa58340c35fcc52efc94abbce999d6c5c18ceee067404cc2058acf5933cc126d2692

Download Submit
\Windows\SysWOW64\Opglafab.exe

Filesize
240KB

MD5
a982c56f5e90cce1e1e614662feac2cd

SHA1
9e84426e80a4b38cf8381a381510f45c9a354b98

SHA256
9a13b0de75a84b707d1ffc374dc7185e41e9c9c9ddd5891453301d7131792fe4

SHA512
a753f8191fe9966e3e90d538b44c934bb002493297623c14e719f9422c4abcfdf48bcea3a8625e2232d8677669efe82750cbf8118f8321b682e12cbbd161baca

Download Submit
memory/568-294-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/568-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/568-293-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/752-12-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/752-371-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/752-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/752-13-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/752-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/792-235-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/952-480-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1012-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1012-231-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1060-202-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1060-209-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/1156-486-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1228-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1228-316-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1228-315-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1324-906-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-899-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-122-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1708-445-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-109-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-250-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1788-254-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1808-264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1808-270-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1828-183-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1828-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1940-904-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-163-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-495-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-451-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1980-444-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-123-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-135-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2036-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2108-280-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2108-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-898-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-338-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2160-334-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2160-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2260-893-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-406-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2280-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-408-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2288-465-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2288-459-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-326-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2336-327-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2336-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2364-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2368-305-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2368-304-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2368-295-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-903-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2472-395-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2472-394-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2472-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-892-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2664-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-889-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-77-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2672-69-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-909-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-102-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2716-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-443-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2728-442-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2740-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2748-891-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-888-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-51-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/2788-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-54-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/2792-414-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2792-68-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2792-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-373-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2832-349-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2832-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2832-348-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2884-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-360-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2892-359-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2892-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-900-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-874-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-384-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2932-383-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2932-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-39-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2932-379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2956-431-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2956-426-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2956-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2968-416-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2972-147-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2972-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-475-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3056-905-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads