berbew | 2a7552df063b879667d1fab3fc20f1c45613d74b7f884d611a3454d84c237422

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a7552df063b879667d1fab3fc20f1c45613d74b7f884d611a3454d84c237422.exe
Size

93KB
MD5

43e21e585ce1150dfe33b484e4ff85a3
SHA1

8c8c632c6929fbfd864514aff93ac6d93f816b05
SHA256

2a7552df063b879667d1fab3fc20f1c45613d74b7f884d611a3454d84c237422
SHA512

5ee09b8711e03786de84f69e99177a081696e7ce3ec493bc693a019fe2b9dd43266ce52909c4389492f53366002f0794960a764751034796b92aba83582f473d
SSDEEP

1536:LBoiWO4HZkZ5NF3wSJJJSPP8j1DaYfMZRWuLsV+1p:F254j3tJJJSPP8jgYfc0DV+1p

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhhdnlh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oococb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlefhcnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnbojmmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjobffl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiefffn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojomdoof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Offmipej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paknelgk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahgofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andgop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Offmipej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpbglhjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omnipjni.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofhjopbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pofkha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhjdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nplimbka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acfmcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akcomepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqpflg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Padhdm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alihaioe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhgnaehm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlefhcnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qndkpmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjklenpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nplimbka.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nabopjmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbflno32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhhdnlh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiefffn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjkgjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odgamdef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjfnomde.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
2352	Mdiefffn.exe
2252	Mjfnomde.exe
596	Mqpflg32.exe
2700	Mjhjdm32.exe
2704	Mmgfqh32.exe
2708	Mjkgjl32.exe
2608	Nbflno32.exe
2100	Nmkplgnq.exe
2852	Nbhhdnlh.exe
1944	Nplimbka.exe
1184	Nhgnaehm.exe
1500	Nbmaon32.exe
2020	Nlefhcnc.exe
2224	Nabopjmj.exe
1816	Nhlgmd32.exe
448	Oadkej32.exe
652	Ohncbdbd.exe
1992	Oaghki32.exe
1572	Ojomdoof.exe
2948	Omnipjni.exe
2388	Odgamdef.exe
3016	Offmipej.exe
1272	Ooabmbbe.exe
2960	Ofhjopbg.exe
2192	Oabkom32.exe
3060	Pofkha32.exe
2784	Padhdm32.exe
1620	Pkmlmbcd.exe
2572	Pmkhjncg.exe
2936	Pgcmbcih.exe
2576	Paiaplin.exe
1032	Pidfdofi.exe
2876	Paknelgk.exe
1508	Pdjjag32.exe
1952	Pnbojmmp.exe
2904	Qndkpmkm.exe
1644	Qpbglhjq.exe
2720	Qjklenpa.exe
2392	Alihaioe.exe
1872	Apgagg32.exe
1812	Acfmcc32.exe
1548	Aomnhd32.exe
3000	Aakjdo32.exe
1284	Akcomepg.exe
900	Anbkipok.exe
1288	Adlcfjgh.exe
2636	Ahgofi32.exe
2652	Agjobffl.exe
2688	Andgop32.exe
2668	Adnpkjde.exe
2600	Bgllgedi.exe
3056	Bkhhhd32.exe
1248	Bqeqqk32.exe
1296	Bdqlajbb.exe
1432	Bjmeiq32.exe
1256	Bniajoic.exe
3028	Bqgmfkhg.exe
2148	Bceibfgj.exe
2088	Bjpaop32.exe
3044	Bqijljfd.exe
1804	Bchfhfeh.exe
1152	Bgcbhd32.exe
820	Bmpkqklh.exe
1800	Boogmgkl.exe

Loads dropped DLL 64 IoCs

pid	Process
1488	2a7552df063b879667d1fab3fc20f1c45613d74b7f884d611a3454d84c237422.exe
1488	2a7552df063b879667d1fab3fc20f1c45613d74b7f884d611a3454d84c237422.exe
2352	Mdiefffn.exe
2352	Mdiefffn.exe
2252	Mjfnomde.exe
2252	Mjfnomde.exe
596	Mqpflg32.exe
596	Mqpflg32.exe
2700	Mjhjdm32.exe
2700	Mjhjdm32.exe
2704	Mmgfqh32.exe
2704	Mmgfqh32.exe
2708	Mjkgjl32.exe
2708	Mjkgjl32.exe
2608	Nbflno32.exe
2608	Nbflno32.exe
2100	Nmkplgnq.exe
2100	Nmkplgnq.exe
2852	Nbhhdnlh.exe
2852	Nbhhdnlh.exe
1944	Nplimbka.exe
1944	Nplimbka.exe
1184	Nhgnaehm.exe
1184	Nhgnaehm.exe
1500	Nbmaon32.exe
1500	Nbmaon32.exe
2020	Nlefhcnc.exe
2020	Nlefhcnc.exe
2224	Nabopjmj.exe
2224	Nabopjmj.exe
1816	Nhlgmd32.exe
1816	Nhlgmd32.exe
448	Oadkej32.exe
448	Oadkej32.exe
652	Ohncbdbd.exe
652	Ohncbdbd.exe
1992	Oaghki32.exe
1992	Oaghki32.exe
1572	Ojomdoof.exe
1572	Ojomdoof.exe
2948	Omnipjni.exe
2948	Omnipjni.exe
2388	Odgamdef.exe
2388	Odgamdef.exe
3016	Offmipej.exe
3016	Offmipej.exe
1272	Ooabmbbe.exe
1272	Ooabmbbe.exe
2516	Oococb32.exe
2516	Oococb32.exe
2192	Oabkom32.exe
2192	Oabkom32.exe
3060	Pofkha32.exe
3060	Pofkha32.exe
2784	Padhdm32.exe
2784	Padhdm32.exe
1620	Pkmlmbcd.exe
1620	Pkmlmbcd.exe
2572	Pmkhjncg.exe
2572	Pmkhjncg.exe
2936	Pgcmbcih.exe
2936	Pgcmbcih.exe
2576	Paiaplin.exe
2576	Paiaplin.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Eoobfoke.dll	Adlcfjgh.exe
File created	C:\Windows\SysWOW64\Aqpmpahd.dll	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Nmlkfoig.dll	Ojomdoof.exe
File created	C:\Windows\SysWOW64\Adlcfjgh.exe	Anbkipok.exe
File opened for modification	C:\Windows\SysWOW64\Bdqlajbb.exe	Bqeqqk32.exe
File created	C:\Windows\SysWOW64\Bqijljfd.exe	Bjpaop32.exe
File opened for modification	C:\Windows\SysWOW64\Mmgfqh32.exe	Mjhjdm32.exe
File created	C:\Windows\SysWOW64\Akcomepg.exe	Aakjdo32.exe
File opened for modification	C:\Windows\SysWOW64\Ahgofi32.exe	Adlcfjgh.exe
File created	C:\Windows\SysWOW64\Ojomdoof.exe	Oaghki32.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Cocphf32.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Danpemej.exe
File opened for modification	C:\Windows\SysWOW64\Pmkhjncg.exe	Pkmlmbcd.exe
File opened for modification	C:\Windows\SysWOW64\Bqeqqk32.exe	Bkhhhd32.exe
File opened for modification	C:\Windows\SysWOW64\Ofhjopbg.exe	Ooabmbbe.exe
File created	C:\Windows\SysWOW64\Bbjclbek.dll	Aomnhd32.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bbmcibjp.exe
File opened for modification	C:\Windows\SysWOW64\Ckjamgmk.exe	Cileqlmg.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Nabopjmj.exe	Nlefhcnc.exe
File opened for modification	C:\Windows\SysWOW64\Offmipej.exe	Odgamdef.exe
File opened for modification	C:\Windows\SysWOW64\Oaghki32.exe	Ohncbdbd.exe
File created	C:\Windows\SysWOW64\Oadkej32.exe	Nhlgmd32.exe
File opened for modification	C:\Windows\SysWOW64\Apgagg32.exe	Alihaioe.exe
File created	C:\Windows\SysWOW64\Omnipjni.exe	Ojomdoof.exe
File created	C:\Windows\SysWOW64\Aglfmjon.dll	Andgop32.exe
File created	C:\Windows\SysWOW64\Bchfhfeh.exe	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Pijjilik.dll	Bgcbhd32.exe
File opened for modification	C:\Windows\SysWOW64\Ciihklpj.exe	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Ceebklai.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Knqcbd32.dll	Mmgfqh32.exe
File created	C:\Windows\SysWOW64\Nbhhdnlh.exe	Nmkplgnq.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Bqijljfd.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Aoapfe32.dll	Mjkgjl32.exe
File created	C:\Windows\SysWOW64\Ckmcef32.dll	Qndkpmkm.exe
File created	C:\Windows\SysWOW64\Hcmkhf32.dll	2a7552df063b879667d1fab3fc20f1c45613d74b7f884d611a3454d84c237422.exe
File created	C:\Windows\SysWOW64\Binbknik.dll	Aakjdo32.exe
File created	C:\Windows\SysWOW64\Bodmepdn.dll	Akcomepg.exe
File opened for modification	C:\Windows\SysWOW64\Bqijljfd.exe	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Moohhbcf.dll	Nhgnaehm.exe
File created	C:\Windows\SysWOW64\Ofhjopbg.exe	Ooabmbbe.exe
File created	C:\Windows\SysWOW64\Akkggpci.dll	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Dahapj32.dll	Pgcmbcih.exe
File created	C:\Windows\SysWOW64\Agjobffl.exe	Ahgofi32.exe
File created	C:\Windows\SysWOW64\Jjmeignj.dll	Adnpkjde.exe
File created	C:\Windows\SysWOW64\Cdpkangm.dll	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Oghnkh32.dll	Ccmpce32.exe
File opened for modification	C:\Windows\SysWOW64\Nabopjmj.exe	Nlefhcnc.exe
File created	C:\Windows\SysWOW64\Ldcinhie.dll	Oaghki32.exe
File created	C:\Windows\SysWOW64\Pnbojmmp.exe	Pdjjag32.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Cjakccop.exe	Ceebklai.exe
File opened for modification	C:\Windows\SysWOW64\Ooabmbbe.exe	Offmipej.exe
File created	C:\Windows\SysWOW64\Dombicdm.dll	Ooabmbbe.exe
File created	C:\Windows\SysWOW64\Bceibfgj.exe	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Cbblda32.exe	Cocphf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2892	2864	WerFault.exe	117

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqgmfkhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojomdoof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oococb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnbojmmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adlcfjgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhgnaehm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlefhcnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alihaioe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmkplgnq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhlgmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oabkom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Offmipej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aomnhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjhjdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjkgjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmeiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdiefffn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ooabmbbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anbkipok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnpkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceibfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbmaon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nabopjmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqeqqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bniajoic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofhjopbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgllgedi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Padhdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgcmbcih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjjag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a7552df063b879667d1fab3fc20f1c45613d74b7f884d611a3454d84c237422.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqpflg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pidfdofi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qndkpmkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbglhjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aakjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjfnomde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paiaplin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjklenpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfmcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akcomepg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahgofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbhhdnlh.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bniajoic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oadkej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgcmbcih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmkplgnq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibkhnd32.dll"	Pmkhjncg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhcmgmam.dll"	Nbmaon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pofkha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll"	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2a7552df063b879667d1fab3fc20f1c45613d74b7f884d611a3454d84c237422.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akcomepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlkfoig.dll"	Ojomdoof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmdailj.dll"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mqpflg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoobfoke.dll"	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkiofep.dll"	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oaghki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmkhjncg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdpkangm.dll"	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akafaiao.dll"	Nabopjmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odgamdef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enemcbio.dll"	Ofhjopbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkame32.dll"	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doadcepg.dll"	Nmkplgnq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fobnlgbf.dll"	Ohncbdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dicdjqhf.dll"	Qjklenpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcmkhf32.dll"	2a7552df063b879667d1fab3fc20f1c45613d74b7f884d611a3454d84c237422.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlefhcnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Alihaioe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aomnhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kheoph32.dll"	Nbflno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffeganon.dll"	Pofkha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aacinhhc.dll"	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjclbek.dll"	Aomnhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2352	1488	2a7552df063b879667d1fab3fc20f1c45613d74b7f884d611a3454d84c237422.exe	31
PID 1488 wrote to memory of 2352	1488	2a7552df063b879667d1fab3fc20f1c45613d74b7f884d611a3454d84c237422.exe	31
PID 1488 wrote to memory of 2352	1488	2a7552df063b879667d1fab3fc20f1c45613d74b7f884d611a3454d84c237422.exe	31
PID 1488 wrote to memory of 2352	1488	2a7552df063b879667d1fab3fc20f1c45613d74b7f884d611a3454d84c237422.exe	31
PID 2352 wrote to memory of 2252	2352	Mdiefffn.exe	32
PID 2352 wrote to memory of 2252	2352	Mdiefffn.exe	32
PID 2352 wrote to memory of 2252	2352	Mdiefffn.exe	32
PID 2352 wrote to memory of 2252	2352	Mdiefffn.exe	32
PID 2252 wrote to memory of 596	2252	Mjfnomde.exe	33
PID 2252 wrote to memory of 596	2252	Mjfnomde.exe	33
PID 2252 wrote to memory of 596	2252	Mjfnomde.exe	33
PID 2252 wrote to memory of 596	2252	Mjfnomde.exe	33
PID 596 wrote to memory of 2700	596	Mqpflg32.exe	34
PID 596 wrote to memory of 2700	596	Mqpflg32.exe	34
PID 596 wrote to memory of 2700	596	Mqpflg32.exe	34
PID 596 wrote to memory of 2700	596	Mqpflg32.exe	34
PID 2700 wrote to memory of 2704	2700	Mjhjdm32.exe	35
PID 2700 wrote to memory of 2704	2700	Mjhjdm32.exe	35
PID 2700 wrote to memory of 2704	2700	Mjhjdm32.exe	35
PID 2700 wrote to memory of 2704	2700	Mjhjdm32.exe	35
PID 2704 wrote to memory of 2708	2704	Mmgfqh32.exe	36
PID 2704 wrote to memory of 2708	2704	Mmgfqh32.exe	36
PID 2704 wrote to memory of 2708	2704	Mmgfqh32.exe	36
PID 2704 wrote to memory of 2708	2704	Mmgfqh32.exe	36
PID 2708 wrote to memory of 2608	2708	Mjkgjl32.exe	37
PID 2708 wrote to memory of 2608	2708	Mjkgjl32.exe	37
PID 2708 wrote to memory of 2608	2708	Mjkgjl32.exe	37
PID 2708 wrote to memory of 2608	2708	Mjkgjl32.exe	37
PID 2608 wrote to memory of 2100	2608	Nbflno32.exe	38
PID 2608 wrote to memory of 2100	2608	Nbflno32.exe	38
PID 2608 wrote to memory of 2100	2608	Nbflno32.exe	38
PID 2608 wrote to memory of 2100	2608	Nbflno32.exe	38
PID 2100 wrote to memory of 2852	2100	Nmkplgnq.exe	39
PID 2100 wrote to memory of 2852	2100	Nmkplgnq.exe	39
PID 2100 wrote to memory of 2852	2100	Nmkplgnq.exe	39
PID 2100 wrote to memory of 2852	2100	Nmkplgnq.exe	39
PID 2852 wrote to memory of 1944	2852	Nbhhdnlh.exe	40
PID 2852 wrote to memory of 1944	2852	Nbhhdnlh.exe	40
PID 2852 wrote to memory of 1944	2852	Nbhhdnlh.exe	40
PID 2852 wrote to memory of 1944	2852	Nbhhdnlh.exe	40
PID 1944 wrote to memory of 1184	1944	Nplimbka.exe	41
PID 1944 wrote to memory of 1184	1944	Nplimbka.exe	41
PID 1944 wrote to memory of 1184	1944	Nplimbka.exe	41
PID 1944 wrote to memory of 1184	1944	Nplimbka.exe	41
PID 1184 wrote to memory of 1500	1184	Nhgnaehm.exe	42
PID 1184 wrote to memory of 1500	1184	Nhgnaehm.exe	42
PID 1184 wrote to memory of 1500	1184	Nhgnaehm.exe	42
PID 1184 wrote to memory of 1500	1184	Nhgnaehm.exe	42
PID 1500 wrote to memory of 2020	1500	Nbmaon32.exe	43
PID 1500 wrote to memory of 2020	1500	Nbmaon32.exe	43
PID 1500 wrote to memory of 2020	1500	Nbmaon32.exe	43
PID 1500 wrote to memory of 2020	1500	Nbmaon32.exe	43
PID 2020 wrote to memory of 2224	2020	Nlefhcnc.exe	44
PID 2020 wrote to memory of 2224	2020	Nlefhcnc.exe	44
PID 2020 wrote to memory of 2224	2020	Nlefhcnc.exe	44
PID 2020 wrote to memory of 2224	2020	Nlefhcnc.exe	44
PID 2224 wrote to memory of 1816	2224	Nabopjmj.exe	45
PID 2224 wrote to memory of 1816	2224	Nabopjmj.exe	45
PID 2224 wrote to memory of 1816	2224	Nabopjmj.exe	45
PID 2224 wrote to memory of 1816	2224	Nabopjmj.exe	45
PID 1816 wrote to memory of 448	1816	Nhlgmd32.exe	46
PID 1816 wrote to memory of 448	1816	Nhlgmd32.exe	46
PID 1816 wrote to memory of 448	1816	Nhlgmd32.exe	46
PID 1816 wrote to memory of 448	1816	Nhlgmd32.exe	46

C:\Users\Admin\AppData\Local\Temp\2a7552df063b879667d1fab3fc20f1c45613d74b7f884d611a3454d84c237422.exe
"C:\Users\Admin\AppData\Local\Temp\2a7552df063b879667d1fab3fc20f1c45613d74b7f884d611a3454d84c237422.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SysWOW64\Mdiefffn.exe
  C:\Windows\system32\Mdiefffn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\SysWOW64\Mjfnomde.exe
    C:\Windows\system32\Mjfnomde.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\SysWOW64\Mqpflg32.exe
      C:\Windows\system32\Mqpflg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:596
    - - C:\Windows\SysWOW64\Mjhjdm32.exe
        
        C:\Windows\system32\Mjhjdm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2700
      - C:\Windows\SysWOW64\Mmgfqh32.exe
        
        C:\Windows\system32\Mmgfqh32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Mjkgjl32.exe
        
        C:\Windows\system32\Mjkgjl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Nbflno32.exe
        
        C:\Windows\system32\Nbflno32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Nmkplgnq.exe
        
        C:\Windows\system32\Nmkplgnq.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Nbhhdnlh.exe
        
        C:\Windows\system32\Nbhhdnlh.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Nplimbka.exe
        
        C:\Windows\system32\Nplimbka.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Nhgnaehm.exe
        
        C:\Windows\system32\Nhgnaehm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\SysWOW64\Nbmaon32.exe
        
        C:\Windows\system32\Nbmaon32.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Nlefhcnc.exe
        
        C:\Windows\system32\Nlefhcnc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\Nabopjmj.exe
        
        C:\Windows\system32\Nabopjmj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Nhlgmd32.exe
        
        C:\Windows\system32\Nhlgmd32.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Oadkej32.exe
        
        C:\Windows\system32\Oadkej32.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Ohncbdbd.exe
        
        C:\Windows\system32\Ohncbdbd.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Oaghki32.exe
        
        C:\Windows\system32\Oaghki32.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Ojomdoof.exe
        
        C:\Windows\system32\Ojomdoof.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Omnipjni.exe
        
        C:\Windows\system32\Omnipjni.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2948
        
        C:\Windows\SysWOW64\Odgamdef.exe
        
        C:\Windows\system32\Odgamdef.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Offmipej.exe
        
        C:\Windows\system32\Offmipej.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\Ooabmbbe.exe
        
        C:\Windows\system32\Ooabmbbe.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Windows\SysWOW64\Ofhjopbg.exe
        
        C:\Windows\system32\Ofhjopbg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Oococb32.exe
        
        C:\Windows\system32\Oococb32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\Oabkom32.exe
        
        C:\Windows\system32\Oabkom32.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\Pofkha32.exe
        
        C:\Windows\system32\Pofkha32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Padhdm32.exe
        
        C:\Windows\system32\Padhdm32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\Pkmlmbcd.exe
        
        C:\Windows\system32\Pkmlmbcd.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1620
        
        C:\Windows\SysWOW64\Pmkhjncg.exe
        
        C:\Windows\system32\Pmkhjncg.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Pgcmbcih.exe
        
        C:\Windows\system32\Pgcmbcih.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Paiaplin.exe
        
        C:\Windows\system32\Paiaplin.exe
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\Pidfdofi.exe
        
        C:\Windows\system32\Pidfdofi.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Windows\SysWOW64\Paknelgk.exe
        
        C:\Windows\system32\Paknelgk.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2876
        
        C:\Windows\SysWOW64\Pdjjag32.exe
        
        C:\Windows\system32\Pdjjag32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\Pnbojmmp.exe
        
        C:\Windows\system32\Pnbojmmp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\Qndkpmkm.exe
        
        C:\Windows\system32\Qndkpmkm.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\Qpbglhjq.exe
        
        C:\Windows\system32\Qpbglhjq.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\Qjklenpa.exe
        
        C:\Windows\system32\Qjklenpa.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Alihaioe.exe
        
        C:\Windows\system32\Alihaioe.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Apgagg32.exe
        
        C:\Windows\system32\Apgagg32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Acfmcc32.exe
        
        C:\Windows\system32\Acfmcc32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Windows\SysWOW64\Aomnhd32.exe
        
        C:\Windows\system32\Aomnhd32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Aakjdo32.exe
        
        C:\Windows\system32\Aakjdo32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Akcomepg.exe
        
        C:\Windows\system32\Akcomepg.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Anbkipok.exe
        
        C:\Windows\system32\Anbkipok.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:900
        
        C:\Windows\SysWOW64\Adlcfjgh.exe
        
        C:\Windows\system32\Adlcfjgh.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Ahgofi32.exe
        
        C:\Windows\system32\Ahgofi32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\Agjobffl.exe
        
        C:\Windows\system32\Agjobffl.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Andgop32.exe
        
        C:\Windows\system32\Andgop32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Adnpkjde.exe
        
        C:\Windows\system32\Adnpkjde.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\Bgllgedi.exe
        
        C:\Windows\system32\Bgllgedi.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Bkhhhd32.exe
        
        C:\Windows\system32\Bkhhhd32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Bqeqqk32.exe
        
        C:\Windows\system32\Bqeqqk32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Bjmeiq32.exe
        
        C:\Windows\system32\Bjmeiq32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Bniajoic.exe
        
        C:\Windows\system32\Bniajoic.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Bqgmfkhg.exe
        
        C:\Windows\system32\Bqgmfkhg.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\Bceibfgj.exe
        
        C:\Windows\system32\Bceibfgj.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Bgcbhd32.exe
        
        C:\Windows\system32\Bgcbhd32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1152
        
        C:\Windows\SysWOW64\Bmpkqklh.exe
        
        C:\Windows\system32\Bmpkqklh.exe
        65⤵
        Executes dropped EXE
        
        PID:820
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:572
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1864
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        88⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 144
        89⤵
        Program crash
        
        PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aakjdo32.exe

Filesize
93KB

MD5
746482680cb014a2f0ca26d54268f273

SHA1
c1a5fa23e5e625446996a18fdb376d5254608c59

SHA256
49b2d63bb4bc6410be0c014c8193defbc4f9579efb87bcf30c77c256e8f6e268

SHA512
a2ea9415bfaca8e48ed98a3c1a569eed1b22d758960c5b368bb04f8c799fc47f19840d1d8cac5e6f1733e40effa93cd84e2855a1bfe0af1fdb6439450278244b

Download Submit
C:\Windows\SysWOW64\Acfmcc32.exe

Filesize
93KB

MD5
120afc366b6f448b8028438c19e6f6d8

SHA1
28c1ef6c51cfbe2fad322e24076e6037180b4bb8

SHA256
5833e9230216019735d207b0d338257ee89203d36bde14afb8af0792c6d603b2

SHA512
b90200844d5789617364fa4436839c50faae1b7eb5edbbb7d3854929c659cd40d1ba93d2c0862e7d325c8c62f2cb5174fd9af9c1761d94611eff777368fdb154

Download Submit
C:\Windows\SysWOW64\Adlcfjgh.exe

Filesize
93KB

MD5
f6aa4634d55b35c1a2798b38c388a1e2

SHA1
b21f349ce92ca3962c08d9156d47fd8ca4bdce50

SHA256
20166e8bbe615610cbe8fe6f51e916443b4352e673fa1f69d7b7223969f4fcb5

SHA512
f1125e59d520816ad745e4a21aa6840a515032ff551208a1708a726277e9021f862da2383920ee332352481b46bdb059304df411d05ab2a61e8c795c56fa2949

Download Submit
C:\Windows\SysWOW64\Adnpkjde.exe

Filesize
93KB

MD5
464ba58a1c718d499f1d1f15bf148cab

SHA1
dd2ef3d9cde9f982b4012da3931fe094b87eb1a6

SHA256
367e6a6eca5b4c388830809cf1a5e780e9079837c0dfeaa48266bd2621e98000

SHA512
8ee35ace311f248e264079e33dd60dd2dd4166877712c56bf1837ce536161ee22731c87f2ec6907e817e7f0b3a38a2cca28ffb5f920ebbf7230cf6eb1d0b4256

Download Submit
C:\Windows\SysWOW64\Agjobffl.exe

Filesize
93KB

MD5
e1389d03b5bb9a957bd39e610ab315d5

SHA1
846ab37449593c510e21aac0d80c534f29844d22

SHA256
eae3f16108c4f359a8b49f5cf2c1116eb3e6ee74c6b87eb30e2f050147d74e4e

SHA512
050d7f7cd49e8da7b920518ab83422b6da2b9b3aee53bac98a2db455c9b8f0bc1b83c886bef8d6643d747dbeee0ef189a4474faa4190816b8919fd226cddb114

Download Submit
C:\Windows\SysWOW64\Ahgofi32.exe

Filesize
93KB

MD5
9e9170f4c8bdedcb14e63610b0d633ff

SHA1
2d30d3eaa7e6da5f0e81c70e259f5c3500a308f3

SHA256
8cf8d9592804a2fb5f289e273e5e0a6552d853dedd32ea38e1151197caf246b2

SHA512
491606e88dda1f097d06af2b34532e760d14c930555b32a3a9365c7f6b518049bab01256013e6b50b8449afb3c6c775fda4d79f44a9d83567b7d348272825c0b

Download Submit
C:\Windows\SysWOW64\Akcomepg.exe

Filesize
93KB

MD5
d1a209fc492a0661277a003d9a27fbd2

SHA1
0c981483be7321e74294215953a1cde00e4ba9d0

SHA256
a29780cd3237cb1ec3eeaa10dc086263a38142916c3cb20a03762efaaea921fa

SHA512
8fe2adb448e0f7481ac2e97fa37368e5704aa13df24f051c93f684d93a23e1e27462dffc3bdb2bde777416bdd2cc36ac3f061ffb8871316432230e0d48697b90

Download Submit
C:\Windows\SysWOW64\Alihaioe.exe

Filesize
93KB

MD5
1886a46d910f0f27827c1c0cc24d2938

SHA1
6f9be86a0d3fdf98870ed63b904e6bc0ba0946af

SHA256
ec043c1b404be084ff850ad27de31cf342ce1e794623bcb60ec5fb5f07ea4b2e

SHA512
6b20e21856b3d514c12b1f90fb5e3899e1d936c96759605f80621b5592659aee185a52c26963e4636d214e141dd8202846bc0c9475781eb34d605ef67583278e

Download Submit
C:\Windows\SysWOW64\Anbkipok.exe

Filesize
93KB

MD5
3bb11d1f36e322efef85624e02770f5f

SHA1
8f861ea534ce9febe3380f1d9039c86741962ab1

SHA256
fa4d0898f647a609767b59c0bc6ba5560323d0b461dee9ca18c41353ea1e08eb

SHA512
3b22ddc2b357fec2376324bc72181dbb5b6bdab81722e94a1c138599a3066aa4df7165910a0dd79d32f45bcf8af0f8f3bf44fbec774c66da708511dcbe6745af

Download Submit
C:\Windows\SysWOW64\Andgop32.exe

Filesize
93KB

MD5
28fbcfb10dc57975037b6b72cf752aec

SHA1
af66f2023160b44460237901aa347c844ff04009

SHA256
1c31cd83dd0ce8c20d85fbf3b1f65715321c64fc5eaf62a9dcd5503f244c3451

SHA512
99c866c4e93c8242912ccaa7235b3d548ca72f834cbf184dd7a219c5444fbba7b15901c0d1995a224dabad129d01438f59b00ef8fd1287498a2c0ee9693d2737

Download Submit
C:\Windows\SysWOW64\Aomnhd32.exe

Filesize
93KB

MD5
6304628a5efcd95760b4df9d494fb39e

SHA1
0a967fb869ec22484ba97d71cc95af36f2897d19

SHA256
f8efd34f5b7daf6b1398fefd246744f5e223073b31e25831df316d7dcb108c4c

SHA512
d0ad552ee585329ef325a44f002868cb697e6068a341a11215597ac96b84d61c0434f9676632729bf873f0216b2dc40e26bdcea7425844f30d6144fd83bf1c73

Download Submit
C:\Windows\SysWOW64\Apgagg32.exe

Filesize
93KB

MD5
bd94e0a8f3c6f263796fdadea145bee1

SHA1
0ee28ef9a487fc1acdc8c28ae72e9ece32cb0592

SHA256
4aa1d11b1f7dd6f7875bf345abd9a52e5884678cb968fac6afe0664d44b73f0a

SHA512
eb5ac0491d94c68f57171001f46cc8b759390680eac8c4536dc346d0d6c53773061481e20bb14886a3a6103bae481b0ae8f03d0f9446b7dfa5b6a011a965363e

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
93KB

MD5
7479b515bd6c1758d58e0fd7418c8f43

SHA1
3bc615cd3b55771298fbd5705d8f631a50835910

SHA256
8b576eb64de6483e4755cad5b5d8a1bb9e929fb72119317888654807055c31dc

SHA512
e855f97f2147274715cf78263891fe78b7fc1b6115b51f107ecc27bef3a67ec61071e42f77c2700592391272f2318136e7b5bbe16ce067ebeab3c26b7bd3fe07

Download Submit
C:\Windows\SysWOW64\Bceibfgj.exe

Filesize
93KB

MD5
132cabe760c60a3f5878ff84744d6b1e

SHA1
8b2a1ec929486be7e9ef7d1d4aef88fa6fea19af

SHA256
d6870b48b0047443ec86b7a8f09799d53bc06721d483ffcbeb6fd4a4ad4918b6

SHA512
922551d59a633665974a808d669d5f8b7339a3ed5aff141eb4b4614c351666708d2b35e51d9e7a64a9be334a15b0a770339292d2cccc86f42dbb6be7ba055e10

Download Submit
C:\Windows\SysWOW64\Bchfhfeh.exe

Filesize
93KB

MD5
628e6cd5913fdff510ce2901f5785a34

SHA1
ded42afa517e3115060587ba7c8d01dbd7046610

SHA256
e219b38f576ad1222afd7eba131be7e0f70af244426926f502645da0351d6307

SHA512
765485118ce0c6f43fb534946c89a3769da2734b68184320e35bb6049c03bf70448030bc93eb4e658be0b94dbffa7be22b4bd25a47225dd37ff1d51d06318768

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
93KB

MD5
385da02b8581744016ac5fac998f6498

SHA1
8b4f9010552f9c99975b8823cc811b62aec06c44

SHA256
812ba032d9072f648b3009f6c09c2986983e32be3fb22c23029ab91d8cd37446

SHA512
d38405edc91c8ee9992f509077ba56c36286226bc4aa54ac628a9e40071813c6d6637ace4a7556952d8104a3b15de84bf8f7c84818f5f15e498a6d8cd5afd400

Download Submit
C:\Windows\SysWOW64\Bgcbhd32.exe

Filesize
93KB

MD5
f0e4203c04e9c285f5c74e438a93201a

SHA1
79222783d4df2fedd80889fa1e2b9b924c1928a7

SHA256
e2a6c00aace70abd16927d87a2d69d94e319d4360b9ebce5126d98b92b984b07

SHA512
6c60b87e2e16e056df4f086817b3138edd6389f1036a73e912e8c0d73456f054dcc635b5447eff39fe6e1d0b7ed3fb744acb8493fe894685d17061bb02cf4ef3

Download Submit
C:\Windows\SysWOW64\Bgllgedi.exe

Filesize
93KB

MD5
7db2fb0e3d8c5644fc082db6ec590a62

SHA1
6b70904b5a6440f08c9d48e8006b898fcb75adbc

SHA256
f22b64f0ee2b6fbbcbccb408590c126c4c44c5c931230f5863c7c9f96fb2e718

SHA512
767fceec0f02d42fb2510a887619c855ac7e8d702f0b33e8a1c9a02187561e112791e5eec6387c8da15090823fa9763d60269791e985b3bc01769fc1dfaf1e49

Download Submit
C:\Windows\SysWOW64\Bjmeiq32.exe

Filesize
93KB

MD5
ba6446b8bb4c9110f4637ae6e7c141a0

SHA1
730af92f0047487b10c60c1c6d52aa10bc95fdab

SHA256
60147282ffd644e4f1eebc0f57e8c99571d7d1e4fe5346ecb617ca2e505b9b7c

SHA512
e3c09e98d8c1869d3aca8c755f0fa63974b81a6ffdb553a23c650503e62d08b1d431b5e934c61c99c562233c081e8c819770732eff11678676d9b8878ad1f5b9

Download Submit
C:\Windows\SysWOW64\Bjpaop32.exe

Filesize
93KB

MD5
6e633b7d0a2239f1aa68335399ccacd7

SHA1
dd660a6f02d7ec439073f06835afedd32d2e842b

SHA256
bfa1caccdfd34f3f66556f01e2163c40451a3d60f6c444b88c38879936fa26b3

SHA512
91656d3064a7e23bd7f7f7fa0d9afb77db273b736e040859218da3420b6fa3cc7d4fb5cd4560d735db62b4c1c0dc78981de9ed72751c634207595976e2f504e7

Download Submit
C:\Windows\SysWOW64\Bkhhhd32.exe

Filesize
93KB

MD5
390ae7786aa2a5f577bc8ccc9b15d65e

SHA1
a46328ff58087fb102e8b5031f326d67e0c436cd

SHA256
8bb37cce9cbc02d85e2c3715cc3bddf7c242d646f74f68c85f700d26a6cfffd2

SHA512
c05caf739c3d31db81c508adc6479797a3e75b762d0030bec6757f3e6e2fc367726a824e3d99bdd213dff3a103ccf2623f00102fa35db8ac3ee927bfac0fda59

Download Submit
C:\Windows\SysWOW64\Bmpkqklh.exe

Filesize
93KB

MD5
21ab11b66bf6a22bc80f454067d7d74e

SHA1
06af9e7c96cbf3a5a1361b244f0ae9af87c38efe

SHA256
9fc8b5b20b2d33502c68e94ee277b6d7bd380bb75703efaf6230cb7e1ce73f2e

SHA512
c603b01654a86c99608e45c42b203296427545995d6bbe995a9795c2ac859ea2a085e49e440bdc8a11801274b827b98a3a4faf630453c499e93d627ef8ed8902

Download Submit
C:\Windows\SysWOW64\Bniajoic.exe

Filesize
93KB

MD5
464d8158d6e566144e6ccef69055ce0c

SHA1
364607821fad6d1e2ceb04d00c7590ab81d0df7d

SHA256
842db30914933c07d8d029eb5fab4046230c2181a3b69164a47df5c733d69911

SHA512
0ba3689dac07a609e3d74e88f898fdbeb036b4be81880823712c00ae298ebd90ff95ab9859145fe0970cd9dafdc2b32395c0aed05a9a0243a9f7d26dd8d854ff

Download Submit
C:\Windows\SysWOW64\Boogmgkl.exe

Filesize
93KB

MD5
647e6de5ceeb56ecea3c2ebce6762088

SHA1
0a20b868eb01f05adb39827729d711fbdee1cb27

SHA256
b70813e8ebf7602dc582961cb65f71388556ba9b2ec230b6f302d07fd73c65f0

SHA512
8fed676ceab915b9eb2c71dcb967d82c87a6780a0bdfe232b18e4bd9fe11c0508c2a2a9e89030568f9377120eae8004bff4deb8b5b1e24c9c2aa722f9403b67c

Download Submit
C:\Windows\SysWOW64\Bqeqqk32.exe

Filesize
93KB

MD5
773a687f90102272341ad3c884369788

SHA1
daabc28eb16228a6b5ef06278782f15847b3dc6e

SHA256
798664579057949f7d1323c0b4d3339db9082ed0a95426958da258de8897f78e

SHA512
e75256278ea0ab2cc86fc5070d18c68255b263efa7030c1eb9c7160dbea490ef0bf6fdcdb57e901c3cfa7cd9cf903cc9f239e94dd4c1ba28f62346729f034236

Download Submit
C:\Windows\SysWOW64\Bqgmfkhg.exe

Filesize
93KB

MD5
c499043e87e6a0808c1a5e0ccdbee447

SHA1
e1b976a5ec8316aae42f24ca79487442fc51ba9b

SHA256
c357292517a17cf91ce4f2332a4ae21df2df3c5fd1aebda573b438819acf5dd8

SHA512
346a8ea4d36b5e4212e78e9672c05c75a5860625f3d7c9ed58a549e99ffff1f04ac0338911be36eaa4a494c222e3c9e2ab6a354543993f08c962dcabf8ccb620

Download Submit
C:\Windows\SysWOW64\Bqijljfd.exe

Filesize
93KB

MD5
297675ef22a8256c197c621de1617777

SHA1
13a80e867818fddc1770b544001ab85a593d7e93

SHA256
fb00539d18356712347975314c94099754fd505ab9731d2bcb47ac205f2a9879

SHA512
9a4c42b8dbfb92ca82183fdb95cd89e35a94d01ceefa690b50d2ab2d09ac76664431126a5408788c2aed82f1bdb828b0ff770440b04150e1e2e21ac1b416ca5c

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
93KB

MD5
d16e8449f53e0508ae016082afe80977

SHA1
9554bceaaa0d11737f9988faf9c247fe0ca7b34b

SHA256
0ce122d8e2062c60e83b1aa2a610adc177110237538adf8d03e5e67c25fe5136

SHA512
b69ebbd445f6732a7c263bfc3b8ad893bf43eeaaf3865e9225752ba57587da6c63c0878d18337361bb70dacf5408bff2c45d0873c0d9c11f12e7b9391aec6b9c

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
93KB

MD5
397b820cda2d4cbb8e82d191ae5d24cb

SHA1
f17ffe82663cfa9d2ee094f57e0eed7651e5cb3c

SHA256
06df05bd58cc6dbae9a42a359431c37122c762416bffa323e1c7464ce8963831

SHA512
61699499bfb1db54d988e6324b36ebe63c911c8097d97977f6583f9347acc5e38e7268f3a7dd0118b5e61844410fb0cf046f41427dfc74c7e2b410df9e24a613

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
93KB

MD5
dc81b2c01966a2ba7f503c7d6bbe3ecf

SHA1
a6d7878dac5495ffec634c302b19dd89a1358999

SHA256
364ac0380b79ec8acc0c604895c678ed0af5ce12bb0b8c51e60e88f3162fa2d8

SHA512
f538d8e772acb3e235f1dfe9664a422758d995b4f20149348ce5bebbfd7dcb3c89a2636d28ff78348194cd9f0728189a55a47af1186e785916a22166c85a86fb

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
93KB

MD5
a09fabf9df2d83bba22fe25f0f28e97c

SHA1
fb8db92537e521a14ab855d9972ea465ed432775

SHA256
b67f1464832d2b875acd9b5f9cd2560d39815e6647a649c0e09698a3261492b5

SHA512
f04b386e8d3618b6308456c1d1d08352478e4d5dba77291341a29794d35304d43a40d055c9163faefd197cef0c605226d6be3676ef865561e5eb02d1dae2a5e6

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
93KB

MD5
d2e4b43223e98bf82a19f849f27a657c

SHA1
c99bb4fe27df2a9ab921290648cdf36f04e31ab4

SHA256
febec7183bcfdc549ded4158615bad58bfdfde50bd831cb2cd3efc25679268c8

SHA512
a04323ccfe94c903f7634d0493491243fe9884a28018dc4035e72d53dcb96e9dc4d8ea6599150388d85e7e927426add273f930f12604d5b4d9004a3504913dea

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
93KB

MD5
10e72e94111806a9b16d122e15817f4c

SHA1
3eb7eab50d3480e3f15f2217a573c9bf1f3d25af

SHA256
b2cdfc1993280a23b9169c093d8a6958ee151843c296e151de31dfdec8424049

SHA512
d43fe2e19f4d7b74b57e9ed2f61a71960dafff42ae73f930d4be342fac190390515c29f83ade864d4cc527594ebe1b9fd28f07baea70ebb4e651baee3aaaf680

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
93KB

MD5
0827afa5946c737dd8ac0db2a15dde2a

SHA1
735c0b1702a73991f00fbae264e5cf73b42013a3

SHA256
199c7ceaf356b4edc90dcc9a60c61f66840bb25013730eb6ffecea51141a206b

SHA512
b770659cf6e2b21c643cd0418925858c8432cb4ae9af5c7bbcb71c4d3b99108735710b2205c82748a93ca0a9b1a833bd4ee72e7a47f949c56ce7a5fcb6130d77

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
93KB

MD5
6e5b0086d74511ca36709e9b7e131319

SHA1
21919bebf8c0fd19352d9bb48237c21ee0b79ca6

SHA256
2d1ba397bd87ced672fee90b5aca8d4bbadd0b9a8b8aa9129dd30685469ed99c

SHA512
0f998e829f502c99c473cd812c3a8d166e864c8752e4885f9fad631f620f05925ae8f64407cf991aeb6957cccc27e6c67f3f2b5db22164635d440c24fdbe1270

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
93KB

MD5
70c2a7194f0948648d83992863d5c832

SHA1
d3c27bdc7ddb69e7c1fbb46d6c0a05508765a022

SHA256
36746dfaf99b3510a8d193d10b5dee7a06609703fd2fa381ade41837012aff8a

SHA512
f61a53730216d577c9d292918288fee3efbb0307b749ea13c1cc6dfb0f532c4d1092abd71ff7ec4a4e9786e060059472969cefe5fd70f7690da7e2b640ff1a8c

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
93KB

MD5
71b9f630a877810214ad72b6e8f95780

SHA1
5258c61b6cfd63e6eeedf7868d950b7f9a416112

SHA256
71cf22fac4cf23bbd9e87d474acad0702bcdaebd81ad21e3d07d9d580e3cacd3

SHA512
36b15f87f556a831e6fee0463e885d35b1398fcccc4dffb86592c9f3cdcbb056f07b8c20c52e65621213e5673af925711e21f2967d502f5385d3754950c9a81a

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
93KB

MD5
8b35ea8e5dedd54d24eedad751cb3981

SHA1
381325ff973d2d0d9dcce8e75b4ce3f84fa151ce

SHA256
759a5bb2402a7d834fe97b6e0d36693763e0073d1a548a54f018733fb28f58af

SHA512
eef06ac00c0bfc497bb967dc65872147c1dd9bec936be13ee2c1a519759f8db630d5376af5d3338755c1c845de072a656be8f422778a30ec3f072d6ad8cd3632

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
93KB

MD5
0f2f227cfe4f9c23e9aa130f2bc48461

SHA1
e28dd8ed56a8958d6422d3f621e4085657cb0e05

SHA256
b315165396aa9b1fa57912bd5017f1ee5eb38de47eefa864e6a6a03ff91ab5da

SHA512
6149e6442eb3cbfd489598dfabc66e31ea4f6a6af9a785ea0e73bf7f4cdc52c51cfd5d599a41c58c55c2b511d3b3ad5e4136e47e86a716ab825b26dae7074e3d

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
93KB

MD5
91c433ef4a17cbc4915e3f6775b3fc72

SHA1
f94fbb6679630c41edf5a52588bb4c5e4a862a26

SHA256
e530979f9941576589c2dc7ca9c8e7bab2d795c1e6e488dad93664ddfa733170

SHA512
7a1db657a6f03df7f21a911d03b9f15c1d1d0b175a1cfd9c6a0b013f4d45cdd821ea72d6be82a82234be24b2b07c0e908fa9d8ed8f7f42110f36dfca4bd9b4dc

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
93KB

MD5
614484d7073585e26fca70548d814028

SHA1
149e8cfd72cb016b1f719899e3d813b9f152cbbf

SHA256
b25702580e8fd6193a1765def41fb4a9f4fe24d9678b8e81e295513290c7717e

SHA512
140b2c2412358907f1237f685aab349bdd841ba3836932b7f47e4003773b45da05bf1470c151be6a07e9881edcf3857de375150c7b2c1df9c319c6992538b007

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
93KB

MD5
da6ed47efa19ad186cd21bb497272e65

SHA1
a5a98c36b60009dcb7219318d2ad480e3459b9a4

SHA256
6b0c67feba30e726a583b81e710427b9bbf032455258909ca1116ace51c8991f

SHA512
e0dfae2446dbc6ba7282ae8c500229e74ee1e6688d2776041989f06f9e38debbd6d32f84f37e1865d50deeca43e88e34baaa408e92ffbe45b031ab808cedca12

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
93KB

MD5
018249b8a352d30a16a4d906167e6e83

SHA1
bcc15ca65dd62aabe2c756512a4688a93ff81123

SHA256
508b083396f5b28b40b6b40a35a31540c515014278335f086de190ca7103bc82

SHA512
2a84ddcc422a0296a4e0400cdf3a2d5399c8f63c4d4dfa2789aa02a219305ed3ba0999dea57b122949485813e3c47d0337f631e3a3b200a40998659628cbdbff

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
93KB

MD5
faafa82f90a3dd16239dd12129df393a

SHA1
cf018c6012e66a5e020bc9e9ba3eb64af9a4a7c8

SHA256
c4537bcfb17e9d3c937e5fba64069fc6b2e4ae95bca12994f81fe91f1deacf11

SHA512
c63f7a10d29f85591abd3dca7c08005b7b8df94702201298aaf8b0fe59b3e5da1ba89ef230f6f4cf7a6c2bf92ba2bbf50634c8a60ca154a24f300befc88402ef

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
93KB

MD5
a10f7e6885414b809054300b0451398a

SHA1
0e5764d30087641cdc29e479cc7cf38273b9a9e2

SHA256
cf9a733b6a4c25e1d85cdf5eda56811a5cad694addb31948d82b4b1a8ebe78a7

SHA512
976cd6d8c901c6e3cf04fa34131ecedaebcaf6c2c2762e51b6637fd3234ec1194142165f09a1751ddd66697ba83f544b02fc39b7f8f5aeae99831e213932de4b

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
93KB

MD5
90883410df83c4074977618e48891f34

SHA1
925bd675f7985d20feb6f9ed4e287a63774ad40b

SHA256
c219afe67019b9fc2c9210732a6101fafa45a51a1463eeeebc495a975bf23fae

SHA512
2a4d47d6649a952d6aef9e344c3e397d035c369081ede87e9a0b6b904c5edc6bec40dbdb80f214c0aa8969f46ec60b40691697309eb0d8f33c89dd1ccb74cb72

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
93KB

MD5
ae16fe22524867a98b56e4658645ec0e

SHA1
95470a6c38c67278e0559a39ddc8c9c53f6545a4

SHA256
e457faaa74593caebbfb1fee87a63f31cadce8088b7614151a88ca82e3718a02

SHA512
4253f736153fe268f577a6f27b5d69c1976df8f4f907cd66dbc920c314b92826e70e486186e55f127b8709b8386bcfc79934501c9110bd691ec38cfdd11f1699

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
93KB

MD5
6aa3e692bed092ad8288cea7e4db80bc

SHA1
a9ecb9678202eb084aae29a30f361af07bbd0707

SHA256
c15cb2b561415bd5171fb72a2a21f3d74ab2e7ddedd63f13977a422b303f211d

SHA512
e859bfdd4ae595b1a0e01d7f1ed1eb6a052095260dfce5f3fb857350b6da9b671398f783dc04247c2ebe47259c829012b4d708ef39a3e5976e0b518f896a5e44

Download Submit
C:\Windows\SysWOW64\Mjfnomde.exe

Filesize
93KB

MD5
a27a6962057add1129f582a7622cca4d

SHA1
5535d2f99cfeb29bc819c1835ac88ce274d682ea

SHA256
330903b95c578b7672f46b2f3ae92c5ddcfc9a5b11d42f9f716e6f2364997feb

SHA512
fc006f07fb3b6d1a298f0bca8bfd3b66fbc6c1bea8db6de08a202c7cd4e6d7496ec0faa7bd5dcab3d979ce7475e52382f9be3f9fd8d41f59fb340411edfb48ed

Download Submit
C:\Windows\SysWOW64\Mqpflg32.exe

Filesize
93KB

MD5
547fac43f6d674620572db6a9f6a57ac

SHA1
ca5ce79bf08b57593cfadbaebb6c31096602eb32

SHA256
82167110ffef0d1d1717964e7f1fcfb2bf7f898b0920ed3cea404ab4b7123d32

SHA512
d6784e208ad204486c32ae0e53f053f57d0f867499d1b56af0ea65288573ffa2b37d95fc13eb5559b911bca618b79a2d624ec5c940fad915ed122cdb3896ae2f

Download Submit
C:\Windows\SysWOW64\Nbmaon32.exe

Filesize
93KB

MD5
3582b9f8b01ac9ecddd4369c6a9104e2

SHA1
e414278f655a2bbcc17f04c7a42e603f3a938ab6

SHA256
fa9180b479f13ace329537adc1a16fffff50e3276a962192795a00cff4ea3585

SHA512
0258564d137ec9e1f0e9f822b84c00373b3992ca821fc6350ed422c41c86d80b336d87135a7ceab186291a15d61e7923ea855174302ec79aa721b5a104347141

Download Submit
C:\Windows\SysWOW64\Oabkom32.exe

Filesize
93KB

MD5
2d5eb0cf31f262d829d9a9d92bc34cab

SHA1
f4dd465e56ca4ac7746b4052ce5402fc76f14652

SHA256
b06545b88a51343a51c14efc0943c1b81ee5ea8e09745831f8a7c29d0679d7a2

SHA512
d2c8fc9377c2f5896e9976159fdf0b75e70c8ffd0d1518afa9a376e231a39a0991c18fa235a7a9f29feeae1225b34fd7dcb30e0022052c673b821a79ec4c7735

Download Submit
C:\Windows\SysWOW64\Oaghki32.exe

Filesize
93KB

MD5
2e03dbdbc835a5823789b42e5709be5a

SHA1
f7b3a6b02f81bd0147899059a4df8e010114cf83

SHA256
207a44a2ae9cd23d2a52d47539e61dfc59ab03837e2f001e7d3a991f4efec327

SHA512
2e2424599e15d16d7f3cb22ed93684b1713a154dd050124fec3fbf59f18b6cc82434ed39718d98915843034d5289d7c5c06728647fc53b1f5ccc1d454adc5413

Download Submit
C:\Windows\SysWOW64\Odgamdef.exe

Filesize
93KB

MD5
8760995776e5cb7a2aca73bb9b9ae240

SHA1
f3be20bae94de8de5b9a921ad2771bc42a5c5e77

SHA256
59ff45b4db69177a18850946d54795112c90cf0b11fcf633a3210ad42b99acfb

SHA512
fbbc3f58c0eb316fbb485d1fa9b2587c39ca211af643b6172a32224e2416013cce999dd7ce9881724e04855dd3d47817961e605d5fd55dc0ba2359590d0dccf6

Download Submit
C:\Windows\SysWOW64\Offmipej.exe

Filesize
93KB

MD5
ecc2b0d0f2b727221ad67e6ad6535788

SHA1
7799134be3713bd1c8f587ec188f58ae7414d64a

SHA256
aedf462163a88c4fd1006c1be8c3fd8ee6485a53c0d97d6672f71092e4350b94

SHA512
639a61c99b1571603288bcd1cf4d55ee3d8a3a7fb716f43f2b6cedf442a6d7b77090740a4e7af910fd9327913aae758f3300bafc627d143dce3379d3f6064b67

Download Submit
C:\Windows\SysWOW64\Ofhjopbg.exe

Filesize
93KB

MD5
006a831d4222e600a6199ca7fe15338b

SHA1
62d554afa07ff0c10dfe0cd61c771c26bfd12c9d

SHA256
840472afbb835384f5ba40410bca56e6a84e34109c2ed7e76bdac1dc07de8526

SHA512
044a7b0bdd61e8fce1600079da99390cd3c1096fcd99eabbbe3bf10b1d62c8728eec06c8b26cff20739bf02ce6b61f2323cb4d5da81c77733818e93f177e12f3

Download Submit
C:\Windows\SysWOW64\Ohncbdbd.exe

Filesize
93KB

MD5
3ec5f534298f9922698911fcc8540699

SHA1
65a2ebae4faa9b0f7bcf25395f88e47746e12611

SHA256
0c09486b297cd48e18ecc396ce5fe68a230d9d63bce2f8f9da9566fd98766f92

SHA512
c0b419284db20c62641d3d7c0f6adee1314dfce4577b4067d9a382440eaa9bf3c2847756f85421dbe049cff7e724e4b5de25f8a86d28157b65d3c4fe36ec31b9

Download Submit
C:\Windows\SysWOW64\Ojomdoof.exe

Filesize
93KB

MD5
f81110f23cf6aa965deb50ad1fa40daf

SHA1
191a732fa42921aa97c5408395d287af29222046

SHA256
eb4173f1e003d03ff437eb3bccb2409a8ee3d9c1b4541723269777e00deb9769

SHA512
d5ad361fa025533b58c41cd58a860991c80dfbccb353cf90326ca89558face284f08c12ffbda15ca178fca12fd1e7389b4feab72d938ffd874ed7925eb2f6521

Download Submit
C:\Windows\SysWOW64\Omnipjni.exe

Filesize
93KB

MD5
c50cfdce03bb62bf486e786f34cb84ba

SHA1
1c77f7382be9127588d7968518b76f9c63544a2e

SHA256
1fef84dde2437b597471902c13277312c885d598591557bfff5655c2304033be

SHA512
cd3cf5b5907d5adfe38df8ae053d437185e3d3eae13297706497d0930b1e4b4c76387984a1d2e7f2809713b4756f6aa0ecf2a0664154560756993253a635a30c

Download Submit
C:\Windows\SysWOW64\Ooabmbbe.exe

Filesize
93KB

MD5
b9395cdb8b5cfb68a1237fabe7aed47e

SHA1
6826aba3f871a5d2bfb51b6d227d20c3de5a3c37

SHA256
d197d95d65948149f090eaa94c2e16a09ec574ce7a22f01c70453b0cce538ffa

SHA512
c50378e619eb364c9dee9f5987ffe4a1e6a7da6a82647b14fafb423ef3a988264e4e0f64e98a79c22b31016302af6fc68a1264aafaae9fc607daf32fff3970ab

Download Submit
C:\Windows\SysWOW64\Padhdm32.exe

Filesize
93KB

MD5
2a13e89fb3b55ecd711f477cc6046a74

SHA1
1842c38842709a504adf988129be4fb917951f37

SHA256
c28b0a0c6cd48b2f330c6fbd58f453c2c2c109d3980c79bb6a9d55a8b6ce1679

SHA512
c9e0823852e1545f22a0d6b946e1de7c4433159b337940111a31b34b95510ff10b14c1ef4936c1b0d8ea07c7a7a0d9594dcf76bb135ec7427f6261627f1b56dc

Download Submit
C:\Windows\SysWOW64\Paiaplin.exe

Filesize
93KB

MD5
2039748e203b3aa2fa11ca95739d3933

SHA1
f481f49273101622d56b42050e376eb6307728db

SHA256
e256a0db480284f64a960f1d4b28ace258f9d5ab6d474cc608f35849ff462596

SHA512
82ed77183b9ef63675f6b758dea338c57fc41b6522f423195a1ddbf23b143dcfc5c0d9c2c34db27978d0a4a91f3e56e95b5c1e41350d888acf8d989c12763ce7

Download Submit
C:\Windows\SysWOW64\Paknelgk.exe

Filesize
93KB

MD5
aa7c31e14ea73d5c9a56b8f028d21302

SHA1
04d0483120695777535f7ad3bf6f14e3ecd384fc

SHA256
bad460f876a58ca2018ca5766f677bbdb3506984b4a731f918e6b9d3e085e034

SHA512
16377b95f667bb82c05b8f203c91655ed6c4f79bd24df21382bd234a5586abc77e16c0df03386b9d8baa44ee6bbb7db2aa86c24c641c252905296c2438549c0e

Download Submit
C:\Windows\SysWOW64\Pdjjag32.exe

Filesize
93KB

MD5
c5d56fa7a310e999aaf629d2355422fd

SHA1
8313ad1e05ebe09b34f97fc295185ed7243cc713

SHA256
7d9df8b67a3e7e7bbf4367a6c539c62c2fa49c73be3eea95ef2dd4739e060ea0

SHA512
63f5b1328bb4eb3925b2e51fe44f3ac769a7c4db4bb32840fa280eabab9e331857f59107c64a84932b2abb09160cdfc7513d7b65f026785b4b62abff8ffb3a9b

Download Submit
C:\Windows\SysWOW64\Pgcmbcih.exe

Filesize
93KB

MD5
3ac550a66e342cddff0995b007bdd498

SHA1
b769f0e1028c540bfcb22d53f5b7b3ea0bbe3407

SHA256
ca39b73eb6231988de0c3b396d0965b6ef4153f14a5b5c0b802ae50460fab711

SHA512
e752569577363a402ba1910f1d053f985da9f3b9a9a2fcc77099ca4a4108b650529b9c6c27c5be6b99a29f21e685cdf216b37a089f10bb6cf97a8ebca31dab53

Download Submit
C:\Windows\SysWOW64\Pidfdofi.exe

Filesize
93KB

MD5
f7ffe35ce9278ce66322c7b7febbff2e

SHA1
6fbcbdfdd0bc42b7acf6397d8327e92097c13849

SHA256
fb52adbcecc4d222bff37427952d80bf4dfd77ebe9baa677be40c4c06e9bd970

SHA512
11d1c9fadf52354ea218b64940a0f51234d234bacd5735df86fa39b9e4be1e445f9aaebac1a2603eebb3f46b8bc0cf07fb55aaa7754bcb81cc1740ee148f7f7c

Download Submit
C:\Windows\SysWOW64\Pkmlmbcd.exe

Filesize
93KB

MD5
debdedeeee731114b4b74c1effd42016

SHA1
9ddfa934e3e44e2035587c049420252f27a8f7d2

SHA256
7668a8a658090b292e548a7137e5387ab98470b8f88509699fa045c4bfb7caed

SHA512
e44811c31db6f01db1ce7b679f244d910ec2bdaeb06fbb97c521eaef4d1fb0c36a66206ec903fa90d5629b4b0faeb01d90cf48888fa6c77aa35c0dee58c3d74d

Download Submit
C:\Windows\SysWOW64\Pmkhjncg.exe

Filesize
93KB

MD5
7b211c19572eba84c94faf8fb0e1749b

SHA1
2a0e04bac3d07ae1e9f2e0ac681cf5de5428f9a4

SHA256
aeb186f817158d6eb65c80b100a71c8b956e72497dab71deffa9dba2357b4b4b

SHA512
7e8f2b65ceb9b7b3ad75ccfff92d5b55f4334ceafc03003e7912f602d49569e20c7df36d079155bbb8ca10c72551fe0c3fdf3f8d73fda4a7f255fa57e4002565

Download Submit
C:\Windows\SysWOW64\Pnbojmmp.exe

Filesize
93KB

MD5
4c24513560bb06368f3f402c0967303a

SHA1
9ce0527160e17d44ceb9e9b7b28f6139934ba27f

SHA256
1f0cd0617fbc09201373cb32b2cfccd147237903dcb19ad95df2d2ed53777181

SHA512
3b75a85128efec1560dd049aa6dbe7f6eb811ab4e50f634d2eb28b6d7b04219948f44977bddc0c83dfe78f7e6030a8722cc4cd74da12bd1652a317b4f323bff7

Download Submit
C:\Windows\SysWOW64\Pofkha32.exe

Filesize
93KB

MD5
d0ef843225ab018103fb2717ebda3606

SHA1
79b74ec48cc3f0a4decab8f7625f6f1e61e501c4

SHA256
63710c620bf37805ef984a818f8c803e37a703065deecf7b0763fe35ee8c501a

SHA512
c0730ead80caf357f6a9ce9cfbb551d1c1a67c59318740993dcb681f140a6698575f4fa2b6f75bb2a8ebc4fec04c8b49053c9f624e742fa571d9d22616a5e0bc

Download Submit
C:\Windows\SysWOW64\Qjklenpa.exe

Filesize
93KB

MD5
69e9b862e699924537faab17a7b279fb

SHA1
75ef729f2280e9863427f84ba59b7b7bf0ee01c7

SHA256
8dc98985efaa60f699f45cb4c95b7b3125d8a2577efe12f3b3b9971e417712ec

SHA512
4d79ad00097382603fb33d16fe8c7844ba264ac3e9a58a72498e8d568f49df162a8c9722b8c31b2808b12b5e3b980dee005005af7b970d75fa28d6abf855120d

Download Submit
C:\Windows\SysWOW64\Qndkpmkm.exe

Filesize
93KB

MD5
d260d565d3f9184e4325ba80f6d0893f

SHA1
166350676858e2f2ca3beabc92b9f60544992108

SHA256
770e8f67b7b06663b40610d8711782e9639f55ae9af3b76ddc9eef3cb63bf971

SHA512
23a5775385c4b0f4beb8b921139f65dcea38196b853a8d95a355e2eb59811b8b42c649f966e13038279d5bc1c03985375fdd99768b998eb8351d98e425dd1bbb

Download Submit
C:\Windows\SysWOW64\Qpbglhjq.exe

Filesize
93KB

MD5
0f8a043173db1984e6164cbd5971ebdd

SHA1
3ad82e4af87a184d8f550b9eba961562f62f54a2

SHA256
fb5d88669b1dee968936fb7e22acfd55be6a79ce35db8ea17f8d70d590274262

SHA512
5c0b306002b825ac998dc7dca849d5dbb8fd255329bb12de1bcc76ee6233043a710a1f67ebdb03fe72b00b4e9ef3ff1c0672ed64f30db3dbbcca4bc66d504267

Download Submit
\Windows\SysWOW64\Mdiefffn.exe

Filesize
93KB

MD5
0a87cd18815a8e674e2a763be1ca8551

SHA1
bfb86cf7b4b1fd1aefe1824e97ee99bb00bba731

SHA256
797d0399df526a21023c68d3b6166c09cedb266810076c48e2c32d214e46c6f4

SHA512
439c2e476e90fdb11f23fe1348cc909d437d74597a75834ae823e65279a2e3555be558edf7355525d0283195fa56baccc5814b6400b9c992c438eb2f4a462d4f

Download Submit
\Windows\SysWOW64\Mjhjdm32.exe

Filesize
93KB

MD5
bdf33c67d0b3ece3e9bfaadfae9fc49c

SHA1
4e09f142b7f01d37737044d511a8dad168719e76

SHA256
f63caa6f293ffb075d1d33eb02d249b0978cdd03b689ebc800ac546f09dee1e0

SHA512
09d6e55332bea7da52819d2e2fdfaa81a68acbffc14336941ef76ca9b6886297505c978400de617b902809e4131c2627121dc2df5a981aed727e9d830e2fcfcc

Download Submit
\Windows\SysWOW64\Mjkgjl32.exe

Filesize
93KB

MD5
5f802e5d40280c1cef7057c6fa633be0

SHA1
484bc03b25a814cf66f49991f13fada8f71337f2

SHA256
315c489f840d701588b42342c430fe79e40a2754aab58ad1c836aa104754b928

SHA512
7c59842284aaf9af0b2c789e21a35fdd716f61e99a38a9138427124797b99ab2becbe4ba9c384b27f40c211f4d9818cb6566bef3024d28f8d1df71c2f63f6da4

Download Submit
\Windows\SysWOW64\Mmgfqh32.exe

Filesize
93KB

MD5
95b735ff072f70d879d0feb2a1409f56

SHA1
22a6f2d2e1046b4bc456c7dc660dfc839eb7805e

SHA256
7a70448dd273f8e7c4436569e4bf1b564441915dcda179d6e5e224b0db53f83e

SHA512
5ce41fd575ae5b8b3035f9adb4a21d5230c3cae0f319d7a533410cf95af7084001856fdc5bca91155ad128e756cabf33ee472f992e6c895699a728230057c76e

Download Submit
\Windows\SysWOW64\Nabopjmj.exe

Filesize
93KB

MD5
ddfcfce70981ab9ba257ae38464deddd

SHA1
57cdc750606f79d372b831cdf66dd9da3cf157fa

SHA256
e3f7e96e12cc003de9b910ee973a88b50f2827af71763cbb032231d750a165d1

SHA512
3a43962e9c754cb38827c6decb5d7a6def7d7e786eb5fee734a785cc97fa95159a333b4e8eee55c5212dae3e21882a67566adabf9bba9cf4c71f963244218e90

Download Submit
\Windows\SysWOW64\Nbflno32.exe

Filesize
93KB

MD5
19cf636cb26923518cce45424d96aae6

SHA1
1b83808544e4db97181211720341cc9c763c4e61

SHA256
46b2f24c7a0932b8f541686a33888a72b6bc4e31acd6dc5ece10036365cc3dab

SHA512
dc0a5acce3bd58cd4c8d849e5c959f6ec5dd77c86408c2484f264d1e511ee04ff361fbb4c1186490831ea6f80874faa2534a521daeeba2fbc61a276d6969b5f2

Download Submit
\Windows\SysWOW64\Nbhhdnlh.exe

Filesize
93KB

MD5
f3ec6f64c443e5b7e37a43d6343c6815

SHA1
6ff5137968c355eb5a00c346991688edcd0a1863

SHA256
cee0c552d1647f92d7097a51ed23b9dedfefa689e680286555d620d96a37a602

SHA512
44b8d589579628991c03b697420c979f2c4a9cfac515e294d62ea71e5bbaa3c51d099fa80f1f7e5a2d8ad70fa5334798a177aad184a25e97e83e50fa69defbc1

Download Submit
\Windows\SysWOW64\Nhgnaehm.exe

Filesize
93KB

MD5
2547e364fa8e976ab2543eef018b42f6

SHA1
51daf93d5b025ded046daaf3938f3e21f0aa3f7a

SHA256
b8ee33021e82df59e187368e694c63e730df889ce085dbdf862a8d56f599bbbf

SHA512
2230c42af8f3fb263c4d6fd6ec17186d046baf1257cb262d937f087215ad0fc3570eabb8db821b68adc3a01e108b47bc205474e5cba9e471a71c2a177c59c12b

Download Submit
\Windows\SysWOW64\Nhlgmd32.exe

Filesize
93KB

MD5
227095632f004a5850addf03b8c04871

SHA1
65310f0dcd0009998cee47bb3afeb25efa685e83

SHA256
e5837f86a59b9bdcd525fbeddcd1267b6b193c1abf914d2a127c98fa24b8b8b1

SHA512
a23bd8e3268f9ba4c383876fad73c0df1d0dc11eadd653fe4a740273936b8b1f1dde77b125525826fed293d1166e01ade5e779e3898684773f7c4e81bf962e34

Download Submit
\Windows\SysWOW64\Nlefhcnc.exe

Filesize
93KB

MD5
6bda0ba42bacb5bdff65a2328e00a94f

SHA1
c9e56bc0d7f221e48fb1e93a11ab72f2848bcea5

SHA256
fbe18a875c9fe39221960b4563d179395a04e6b14f1dd768801fc1cc21bf45ac

SHA512
0d9c53db8bdd3e607844f60a519ab5d65bbf1a0bfa0ee2965c72ee9a5ae8d71987ed61beab283f9c2810cac51c5144d99571786e356c59cd87d1388f7c22f87b

Download Submit
\Windows\SysWOW64\Nmkplgnq.exe

Filesize
93KB

MD5
f9f279148ef274a258d20accc635f5a8

SHA1
f4e6093243e3e9e5aad455fd22d90779b297e177

SHA256
51822e473128c8472f26b8b2a99c4c4a3dfd9d13a881aed5c84fecfbdb8389c9

SHA512
7921c98a21769908408d2be9c28660be7cc7afcc276e91d5b01c935a3bedd8d1f7cd0a3ff758afeaadd73cce6c6a8ec2839b9df686d1c4605cfa73f2b5042678

Download Submit
\Windows\SysWOW64\Nplimbka.exe

Filesize
93KB

MD5
09121827c528e3b6f672b285a5ffeab1

SHA1
72d0b9696bd978818130328ebbe8c22ddaa29d7a

SHA256
38b064d7d249220c5c217b969be691f39834d332cf9a8938e9e006d8d0c17c62

SHA512
1d10ffc89307ae1692d9e0ee9cff165cb4ac54c1e111b27dfeb0c07f56f4aad76d37590a7bd2102e2a8616e06da164500f62e77143c41c0660ca3568155de4c1

Download Submit
\Windows\SysWOW64\Oadkej32.exe

Filesize
93KB

MD5
259df6a54741dcf586363061855a5d4f

SHA1
b2e02f7785df808270563569dc53a0ee53a359f8

SHA256
f2c0153cf8e3805a6d9780bc1b0e724a95112d095823340b722d11b3c4240863

SHA512
17120ab75e3907f6136e2b25ef2e8d0acda002e0bb25232b438b86f42f199f80db9d0baff602bf9948420ce1f9bda77b1687d6d87d3a5f3e6ccd792810f86208

Download Submit
memory/448-219-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/448-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/596-46-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/596-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/652-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1032-388-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1032-389-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1032-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1184-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1184-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-288-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/1272-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-289-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/1488-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-12-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1488-6-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1488-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-168-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1500-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-411-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1548-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1548-501-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1572-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-249-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1620-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-445-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1644-444-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1812-487-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1816-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-208-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1816-481-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1872-476-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1872-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1872-480-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1944-141-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1944-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-422-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1952-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-239-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1992-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-115-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2100-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-313-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2192-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-309-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2224-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-193-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2224-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-344-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2252-40-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2252-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-468-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2516-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2516-302-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2516-301-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2572-352-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2572-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-377-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2608-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-79-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2704-67-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-88-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2720-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-456-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2720-457-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2784-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-333-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2852-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-1093-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-401-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2904-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-433-0x0000000001F70000-0x0000000001FA3000-memory.dmp

Filesize
204KB

Download
memory/2936-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-366-0x0000000001F50000-0x0000000001F83000-memory.dmp

Filesize
204KB

Download
memory/2948-258-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2960-291-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2960-290-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/3000-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-508-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3016-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-323-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads