berbew | a2a7f7dd83522126e2ca2d38b320a45dd19c601f9e4c22bcdd36dc78f464dc23

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2a7f7dd83522126e2ca2d38b320a45dd19c601f9e4c22bcdd36dc78f464dc23.exe
Size

96KB
MD5

0968987657236b4a3254062d1c75f270
SHA1

854fa234afaba6bdd1584e25958f25e4349c12ce
SHA256

a2a7f7dd83522126e2ca2d38b320a45dd19c601f9e4c22bcdd36dc78f464dc23
SHA512

236e9288172b0a9fb09479ce7dcd55cc33a97642ed86f4666112caad3d24ee506c6e88691dcb2a67e1343f6786deae0985d13248623a7dbcf7aa0335515fba78
SSDEEP

1536:LMaCOEVHZFLGTW1vVpjDcTwLJEP8+EttAC/zN6iF2LR7RZObZUUWaegPYAG:L7mHZdZ19RrN/+E3ACrQi2RClUUWaed

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcljmdmj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahebaiac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Padhdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmmeon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcogbdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afdiondb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahbekjcf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnbojmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qeppdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkjphcff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdncmgbj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcogbdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alqnah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdeqfhjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pplaki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcljmdmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agolnbok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achjibcl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a2a7f7dd83522126e2ca2d38b320a45dd19c601f9e4c22bcdd36dc78f464dc23.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oococb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agolnbok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdeqfhjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaimopli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahbekjcf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opqoge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boljgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplaki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pidfdofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Achjibcl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2060	Oiffkkbk.exe
2520	Opqoge32.exe
2652	Oococb32.exe
2836	Pkjphcff.exe
3004	Padhdm32.exe
2584	Pkmlmbcd.exe
2556	Pafdjmkq.exe
1728	Pdeqfhjd.exe
1892	Pmmeon32.exe
844	Pplaki32.exe
1880	Pidfdofi.exe
1612	Pmpbdm32.exe
2920	Pcljmdmj.exe
2908	Pnbojmmp.exe
2168	Qcogbdkg.exe
1396	Qkfocaki.exe
1180	Qlgkki32.exe
1004	Qdncmgbj.exe
1752	Qeppdo32.exe
688	Qnghel32.exe
1700	Accqnc32.exe
692	Agolnbok.exe
3012	Ajmijmnn.exe
2144	Allefimb.exe
2300	Aaimopli.exe
1592	Afdiondb.exe
2432	Ahbekjcf.exe
2848	Achjibcl.exe
2776	Ahebaiac.exe
2772	Alqnah32.exe
2592	Anbkipok.exe
2860	Ahgofi32.exe
2084	Aoagccfn.exe
2040	Andgop32.exe
2028	Bkhhhd32.exe
2900	Bdqlajbb.exe
2024	Bkjdndjo.exe
2916	Bmlael32.exe
2172	Bqgmfkhg.exe
2244	Bfdenafn.exe
1412	Bnknoogp.exe
1916	Boljgg32.exe
1964	Bjbndpmd.exe
3024	Bqlfaj32.exe
816	Boogmgkl.exe
3048	Bbmcibjp.exe
2532	Bfioia32.exe
1644	Bmbgfkje.exe
2536	Bkegah32.exe
2832	Cbppnbhm.exe
2724	Cfkloq32.exe
2864	Ciihklpj.exe
2624	Ckhdggom.exe
2236	Cnfqccna.exe
2792	Cfmhdpnc.exe
2100	Cileqlmg.exe
2888	Cgoelh32.exe
1684	Ckjamgmk.exe
1072	Cbdiia32.exe
448	Cagienkb.exe
1796	Cgaaah32.exe
396	Cjonncab.exe
828	Cnkjnb32.exe
2464	Ceebklai.exe

Loads dropped DLL 64 IoCs

pid	Process
2104	a2a7f7dd83522126e2ca2d38b320a45dd19c601f9e4c22bcdd36dc78f464dc23.exe
2104	a2a7f7dd83522126e2ca2d38b320a45dd19c601f9e4c22bcdd36dc78f464dc23.exe
2060	Oiffkkbk.exe
2060	Oiffkkbk.exe
2520	Opqoge32.exe
2520	Opqoge32.exe
2652	Oococb32.exe
2652	Oococb32.exe
2836	Pkjphcff.exe
2836	Pkjphcff.exe
3004	Padhdm32.exe
3004	Padhdm32.exe
2584	Pkmlmbcd.exe
2584	Pkmlmbcd.exe
2556	Pafdjmkq.exe
2556	Pafdjmkq.exe
1728	Pdeqfhjd.exe
1728	Pdeqfhjd.exe
1892	Pmmeon32.exe
1892	Pmmeon32.exe
844	Pplaki32.exe
844	Pplaki32.exe
1880	Pidfdofi.exe
1880	Pidfdofi.exe
1612	Pmpbdm32.exe
1612	Pmpbdm32.exe
2920	Pcljmdmj.exe
2920	Pcljmdmj.exe
2908	Pnbojmmp.exe
2908	Pnbojmmp.exe
2168	Qcogbdkg.exe
2168	Qcogbdkg.exe
1396	Qkfocaki.exe
1396	Qkfocaki.exe
1180	Qlgkki32.exe
1180	Qlgkki32.exe
1004	Qdncmgbj.exe
1004	Qdncmgbj.exe
1752	Qeppdo32.exe
1752	Qeppdo32.exe
688	Qnghel32.exe
688	Qnghel32.exe
1700	Accqnc32.exe
1700	Accqnc32.exe
692	Agolnbok.exe
692	Agolnbok.exe
3012	Ajmijmnn.exe
3012	Ajmijmnn.exe
2144	Allefimb.exe
2144	Allefimb.exe
2300	Aaimopli.exe
2300	Aaimopli.exe
1592	Afdiondb.exe
1592	Afdiondb.exe
2432	Ahbekjcf.exe
2432	Ahbekjcf.exe
2848	Achjibcl.exe
2848	Achjibcl.exe
2776	Ahebaiac.exe
2776	Ahebaiac.exe
2772	Alqnah32.exe
2772	Alqnah32.exe
2592	Anbkipok.exe
2592	Anbkipok.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aldhcb32.dll	Qlgkki32.exe
File opened for modification	C:\Windows\SysWOW64\Aaimopli.exe	Allefimb.exe
File opened for modification	C:\Windows\SysWOW64\Ahgofi32.exe	Anbkipok.exe
File created	C:\Windows\SysWOW64\Cbdiia32.exe	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Opqoge32.exe	Oiffkkbk.exe
File created	C:\Windows\SysWOW64\Qnghel32.exe	Qeppdo32.exe
File opened for modification	C:\Windows\SysWOW64\Anbkipok.exe	Alqnah32.exe
File opened for modification	C:\Windows\SysWOW64\Bkegah32.exe	Bmbgfkje.exe
File opened for modification	C:\Windows\SysWOW64\Cbppnbhm.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Ameaio32.dll	Pmpbdm32.exe
File opened for modification	C:\Windows\SysWOW64\Pmmeon32.exe	Pdeqfhjd.exe
File opened for modification	C:\Windows\SysWOW64\Qnghel32.exe	Qeppdo32.exe
File opened for modification	C:\Windows\SysWOW64\Afdiondb.exe	Aaimopli.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Clojhf32.exe
File created	C:\Windows\SysWOW64\Ffeganon.dll	Pkjphcff.exe
File created	C:\Windows\SysWOW64\Fkdhkd32.dll	Pmmeon32.exe
File created	C:\Windows\SysWOW64\Qcogbdkg.exe	Pnbojmmp.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Ckhdggom.exe
File opened for modification	C:\Windows\SysWOW64\Ckjamgmk.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Ceebklai.exe
File created	C:\Windows\SysWOW64\Oiffkkbk.exe	a2a7f7dd83522126e2ca2d38b320a45dd19c601f9e4c22bcdd36dc78f464dc23.exe
File created	C:\Windows\SysWOW64\Cileqlmg.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Boogmgkl.exe	Bqlfaj32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbgfkje.exe	Bfioia32.exe
File opened for modification	C:\Windows\SysWOW64\Pkjphcff.exe	Oococb32.exe
File created	C:\Windows\SysWOW64\Anbkipok.exe	Alqnah32.exe
File opened for modification	C:\Windows\SysWOW64\Bqlfaj32.exe	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Hmdeje32.dll	Bkegah32.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Qoblpdnf.dll	Ahebaiac.exe
File created	C:\Windows\SysWOW64\Pplaki32.exe	Pmmeon32.exe
File opened for modification	C:\Windows\SysWOW64\Andgop32.exe	Aoagccfn.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Bdoaqh32.dll	Ajmijmnn.exe
File opened for modification	C:\Windows\SysWOW64\Bkjdndjo.exe	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Cbppnbhm.exe	Bkegah32.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Danpemej.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Ekndacia.dll	Accqnc32.exe
File created	C:\Windows\SysWOW64\Kbfcnc32.dll	Pcljmdmj.exe
File created	C:\Windows\SysWOW64\Peblpbgn.dll	Pnbojmmp.exe
File created	C:\Windows\SysWOW64\Lmdlck32.dll	Bkhhhd32.exe
File opened for modification	C:\Windows\SysWOW64\Bjbndpmd.exe	Boljgg32.exe
File created	C:\Windows\SysWOW64\Cjonncab.exe	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Pcljmdmj.exe	Pmpbdm32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Qeppdo32.exe	Qdncmgbj.exe
File opened for modification	C:\Windows\SysWOW64\Bbmcibjp.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Fhgpia32.dll	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Pcljmdmj.exe	Pmpbdm32.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	Cbppnbhm.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Bfdenafn.exe	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Ljamki32.dll	Qdncmgbj.exe
File opened for modification	C:\Windows\SysWOW64\Aoagccfn.exe	Ahgofi32.exe
File created	C:\Windows\SysWOW64\Dnbamjbm.dll	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Bnjdhe32.dll	Bmbgfkje.exe
File opened for modification	C:\Windows\SysWOW64\Pdeqfhjd.exe	Pafdjmkq.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2044	2768	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdncmgbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alqnah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahgofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkjphcff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfocaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajmijmnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pafdjmkq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andgop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2a7f7dd83522126e2ca2d38b320a45dd19c601f9e4c22bcdd36dc78f464dc23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplaki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qlgkki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqgmfkhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnbojmmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnknoogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiffkkbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnghel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afdiondb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anbkipok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opqoge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pidfdofi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmpbdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeppdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkmlmbcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaimopli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahbekjcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmeon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcljmdmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accqnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Allefimb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahebaiac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agolnbok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoagccfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjmdhnf.dll"	a2a7f7dd83522126e2ca2d38b320a45dd19c601f9e4c22bcdd36dc78f464dc23.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oiffkkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accqnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ameaio32.dll"	Pmpbdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incleo32.dll"	Aaimopli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkjphcff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcopgk32.dll"	Qnghel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoagccfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngpjpqe.dll"	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfioia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaaded32.dll"	Pplaki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbfcnc32.dll"	Pcljmdmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andgop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anbkipok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcamkjba.dll"	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kblikadd.dll"	Pidfdofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkjphcff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkmlmbcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	a2a7f7dd83522126e2ca2d38b320a45dd19c601f9e4c22bcdd36dc78f464dc23.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qlgkki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnghel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Allefimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmoloenf.dll"	Pafdjmkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahgofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Padhdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoobfoke.dll"	Anbkipok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfikmo32.dll"	Boljgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2060	2104	a2a7f7dd83522126e2ca2d38b320a45dd19c601f9e4c22bcdd36dc78f464dc23.exe	31
PID 2104 wrote to memory of 2060	2104	a2a7f7dd83522126e2ca2d38b320a45dd19c601f9e4c22bcdd36dc78f464dc23.exe	31
PID 2104 wrote to memory of 2060	2104	a2a7f7dd83522126e2ca2d38b320a45dd19c601f9e4c22bcdd36dc78f464dc23.exe	31
PID 2104 wrote to memory of 2060	2104	a2a7f7dd83522126e2ca2d38b320a45dd19c601f9e4c22bcdd36dc78f464dc23.exe	31
PID 2060 wrote to memory of 2520	2060	Oiffkkbk.exe	32
PID 2060 wrote to memory of 2520	2060	Oiffkkbk.exe	32
PID 2060 wrote to memory of 2520	2060	Oiffkkbk.exe	32
PID 2060 wrote to memory of 2520	2060	Oiffkkbk.exe	32
PID 2520 wrote to memory of 2652	2520	Opqoge32.exe	33
PID 2520 wrote to memory of 2652	2520	Opqoge32.exe	33
PID 2520 wrote to memory of 2652	2520	Opqoge32.exe	33
PID 2520 wrote to memory of 2652	2520	Opqoge32.exe	33
PID 2652 wrote to memory of 2836	2652	Oococb32.exe	34
PID 2652 wrote to memory of 2836	2652	Oococb32.exe	34
PID 2652 wrote to memory of 2836	2652	Oococb32.exe	34
PID 2652 wrote to memory of 2836	2652	Oococb32.exe	34
PID 2836 wrote to memory of 3004	2836	Pkjphcff.exe	35
PID 2836 wrote to memory of 3004	2836	Pkjphcff.exe	35
PID 2836 wrote to memory of 3004	2836	Pkjphcff.exe	35
PID 2836 wrote to memory of 3004	2836	Pkjphcff.exe	35
PID 3004 wrote to memory of 2584	3004	Padhdm32.exe	36
PID 3004 wrote to memory of 2584	3004	Padhdm32.exe	36
PID 3004 wrote to memory of 2584	3004	Padhdm32.exe	36
PID 3004 wrote to memory of 2584	3004	Padhdm32.exe	36
PID 2584 wrote to memory of 2556	2584	Pkmlmbcd.exe	37
PID 2584 wrote to memory of 2556	2584	Pkmlmbcd.exe	37
PID 2584 wrote to memory of 2556	2584	Pkmlmbcd.exe	37
PID 2584 wrote to memory of 2556	2584	Pkmlmbcd.exe	37
PID 2556 wrote to memory of 1728	2556	Pafdjmkq.exe	38
PID 2556 wrote to memory of 1728	2556	Pafdjmkq.exe	38
PID 2556 wrote to memory of 1728	2556	Pafdjmkq.exe	38
PID 2556 wrote to memory of 1728	2556	Pafdjmkq.exe	38
PID 1728 wrote to memory of 1892	1728	Pdeqfhjd.exe	39
PID 1728 wrote to memory of 1892	1728	Pdeqfhjd.exe	39
PID 1728 wrote to memory of 1892	1728	Pdeqfhjd.exe	39
PID 1728 wrote to memory of 1892	1728	Pdeqfhjd.exe	39
PID 1892 wrote to memory of 844	1892	Pmmeon32.exe	40
PID 1892 wrote to memory of 844	1892	Pmmeon32.exe	40
PID 1892 wrote to memory of 844	1892	Pmmeon32.exe	40
PID 1892 wrote to memory of 844	1892	Pmmeon32.exe	40
PID 844 wrote to memory of 1880	844	Pplaki32.exe	41
PID 844 wrote to memory of 1880	844	Pplaki32.exe	41
PID 844 wrote to memory of 1880	844	Pplaki32.exe	41
PID 844 wrote to memory of 1880	844	Pplaki32.exe	41
PID 1880 wrote to memory of 1612	1880	Pidfdofi.exe	42
PID 1880 wrote to memory of 1612	1880	Pidfdofi.exe	42
PID 1880 wrote to memory of 1612	1880	Pidfdofi.exe	42
PID 1880 wrote to memory of 1612	1880	Pidfdofi.exe	42
PID 1612 wrote to memory of 2920	1612	Pmpbdm32.exe	43
PID 1612 wrote to memory of 2920	1612	Pmpbdm32.exe	43
PID 1612 wrote to memory of 2920	1612	Pmpbdm32.exe	43
PID 1612 wrote to memory of 2920	1612	Pmpbdm32.exe	43
PID 2920 wrote to memory of 2908	2920	Pcljmdmj.exe	44
PID 2920 wrote to memory of 2908	2920	Pcljmdmj.exe	44
PID 2920 wrote to memory of 2908	2920	Pcljmdmj.exe	44
PID 2920 wrote to memory of 2908	2920	Pcljmdmj.exe	44
PID 2908 wrote to memory of 2168	2908	Pnbojmmp.exe	45
PID 2908 wrote to memory of 2168	2908	Pnbojmmp.exe	45
PID 2908 wrote to memory of 2168	2908	Pnbojmmp.exe	45
PID 2908 wrote to memory of 2168	2908	Pnbojmmp.exe	45
PID 2168 wrote to memory of 1396	2168	Qcogbdkg.exe	46
PID 2168 wrote to memory of 1396	2168	Qcogbdkg.exe	46
PID 2168 wrote to memory of 1396	2168	Qcogbdkg.exe	46
PID 2168 wrote to memory of 1396	2168	Qcogbdkg.exe	46

C:\Users\Admin\AppData\Local\Temp\a2a7f7dd83522126e2ca2d38b320a45dd19c601f9e4c22bcdd36dc78f464dc23.exe
"C:\Users\Admin\AppData\Local\Temp\a2a7f7dd83522126e2ca2d38b320a45dd19c601f9e4c22bcdd36dc78f464dc23.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\Oiffkkbk.exe
  C:\Windows\system32\Oiffkkbk.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\Opqoge32.exe
    C:\Windows\system32\Opqoge32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\SysWOW64\Oococb32.exe
      C:\Windows\system32\Oococb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\SysWOW64\Pkjphcff.exe
        
        C:\Windows\system32\Pkjphcff.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
      - C:\Windows\SysWOW64\Padhdm32.exe
        
        C:\Windows\system32\Padhdm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Pkmlmbcd.exe
        
        C:\Windows\system32\Pkmlmbcd.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Pafdjmkq.exe
        
        C:\Windows\system32\Pafdjmkq.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Pdeqfhjd.exe
        
        C:\Windows\system32\Pdeqfhjd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Pmmeon32.exe
        
        C:\Windows\system32\Pmmeon32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Pplaki32.exe
        
        C:\Windows\system32\Pplaki32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\SysWOW64\Pidfdofi.exe
        
        C:\Windows\system32\Pidfdofi.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Pmpbdm32.exe
        
        C:\Windows\system32\Pmpbdm32.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Pcljmdmj.exe
        
        C:\Windows\system32\Pcljmdmj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Pnbojmmp.exe
        
        C:\Windows\system32\Pnbojmmp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Qcogbdkg.exe
        
        C:\Windows\system32\Qcogbdkg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Qkfocaki.exe
        
        C:\Windows\system32\Qkfocaki.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\Qlgkki32.exe
        
        C:\Windows\system32\Qlgkki32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Qdncmgbj.exe
        
        C:\Windows\system32\Qdncmgbj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Windows\SysWOW64\Qeppdo32.exe
        
        C:\Windows\system32\Qeppdo32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\Qnghel32.exe
        
        C:\Windows\system32\Qnghel32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Accqnc32.exe
        
        C:\Windows\system32\Accqnc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Agolnbok.exe
        
        C:\Windows\system32\Agolnbok.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Windows\SysWOW64\Ajmijmnn.exe
        
        C:\Windows\system32\Ajmijmnn.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Allefimb.exe
        
        C:\Windows\system32\Allefimb.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Aaimopli.exe
        
        C:\Windows\system32\Aaimopli.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Afdiondb.exe
        
        C:\Windows\system32\Afdiondb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\Ahbekjcf.exe
        
        C:\Windows\system32\Ahbekjcf.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Achjibcl.exe
        
        C:\Windows\system32\Achjibcl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Ahebaiac.exe
        
        C:\Windows\system32\Ahebaiac.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\Alqnah32.exe
        
        C:\Windows\system32\Alqnah32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Anbkipok.exe
        
        C:\Windows\system32\Anbkipok.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Ahgofi32.exe
        
        C:\Windows\system32\Ahgofi32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Aoagccfn.exe
        
        C:\Windows\system32\Aoagccfn.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Andgop32.exe
        
        C:\Windows\system32\Andgop32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Bkhhhd32.exe
        
        C:\Windows\system32\Bkhhhd32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Bmlael32.exe
        
        C:\Windows\system32\Bmlael32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\Bqgmfkhg.exe
        
        C:\Windows\system32\Bqgmfkhg.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\Bnknoogp.exe
        
        C:\Windows\system32\Bnknoogp.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2888
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 144
        75⤵
        Program crash
        
        PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaimopli.exe

Filesize
96KB

MD5
b1336e8120ffb37481205e2b812ef3be

SHA1
1c11b5afac37d84642bcc025b253961402e998dc

SHA256
378ba5de987b70e916c25e4b8dd96b898559751f790af0cc22968ec30784ac33

SHA512
5352e34165f4c54c238da68d74251d44144027708eafb5100d65399f2f76315e9c4e95defa8f12d6872231407edf23984f73b08e064a2417f72d1adf4c5cdae4

Download Submit
C:\Windows\SysWOW64\Accqnc32.exe

Filesize
96KB

MD5
628e45d12fe28bbe210a85c43bc4a1c5

SHA1
b13388809db7aa1dfa7231866511d6a2b808d23b

SHA256
e3f133b9ea2a98282e79735e1a80641ff25fcb814631a3e80d16566dc288a17a

SHA512
54bba416e385e54d016555cd64a1ca793ee89bd00720fabb38f55cbf401d6e49cb698ee4d4c875686a520e52de62af6a858a21f12aadb7cae88471332e09fd7a

Download Submit
C:\Windows\SysWOW64\Achjibcl.exe

Filesize
96KB

MD5
154450cf13925778beb46894719d9a51

SHA1
1c366575c608f312a194e611f23bd7613bef6699

SHA256
136747b7a968fda7e0b633e13f48d77ffff85439977c018c17b96d4695d4d9ae

SHA512
9a45e70f6adff05b90317a3ced366cb7f973ed7da9d926520f2ad90deeb04160f77bbb9014cc2da9a31b94764a9620e07902494b811d90e1f7eedcad3d40a9e3

Download Submit
C:\Windows\SysWOW64\Afdiondb.exe

Filesize
96KB

MD5
c1415885c88c15464aa017cab7c3c079

SHA1
b7213dce77f154a2ad63b4f5a14b1b648500d94a

SHA256
9d85447a9b8e2da29adff895a3177cf0d134b575d937203fc0fda73d3e29c9f8

SHA512
546fcdd5a473896368e9558cbc7b7f4b68d7beb68b532599b47d151abcce03d7f839abe56244f002ea66bf242ad29a74b95730d18d1ff92d725584ae54a052d8

Download Submit
C:\Windows\SysWOW64\Agolnbok.exe

Filesize
96KB

MD5
b45562379422f99e49ff064d6e433cc0

SHA1
8190384f420292ebad5c79246106f3cdd5b3645a

SHA256
7a818a8263c9cb88b97feb1c188128532918a71cb6e309360d19f5f7df6f05e8

SHA512
089c270149117f09bc2a3fd27e1eb908918bdef846f7646ad5950d9d4298ecb3f9385db8a5157ca36f71bc4016b14b35d040f3fe4cd21be378d9b0d870857391

Download Submit
C:\Windows\SysWOW64\Ahbekjcf.exe

Filesize
96KB

MD5
f1606287c2168e0a4fc456e8eee768fa

SHA1
ba09e381a312efb69e9393fd4bb87befa2c4718c

SHA256
e08332000b2170a11b0ed1b75f43bb6f02b25a1dd90b8edd68aac91315a9516c

SHA512
4045c128caf61a2053f5bfc3d387ba9ee8c738ca4eab336d9f1bfb0fc03cf274163f62aed4117c8841654ed013fdfadb0f98fa97a0fb8e9f41d2f3444c0ece7d

Download Submit
C:\Windows\SysWOW64\Ahebaiac.exe

Filesize
96KB

MD5
b45a7ac14c89b22d9b020dea574c1324

SHA1
e35e1426df2c83e64772066dae028d8381e7e42f

SHA256
6bd1eb38219429e042313d3c9e0c5791723fdd821c3dc1443a5f834e8d0803ff

SHA512
5546322132936e32b9073da0f26c829888b7ddff4c3dafa34e829addc6a7fc2ff3df2ada64c516de50e8916ca3c56aa6e7aaef3019ebb3f5db2c828cde1f0215

Download Submit
C:\Windows\SysWOW64\Ahgofi32.exe

Filesize
96KB

MD5
92e9788e718a67ff7610213ef2fcd06b

SHA1
fedfe7da7d79cc90c5196a919aebe782a1950602

SHA256
abe877c5dc0431bc2d75cc92101c2ada1687e191a770c4deddcbc0dbdac2eadc

SHA512
346d6742a2302d7ce51948c7cfcb161f52d7a7e20294d0769cb59f0451c46b7b680fcbd4cddcb499591060645560f76a7dd5cd8fbd7936fb2920617bf7c0ebeb

Download Submit
C:\Windows\SysWOW64\Ajmijmnn.exe

Filesize
96KB

MD5
f5b8b5e680c5e3309ee4c8481efc173d

SHA1
d2d22adf54b9c1677e21982ba3bfffc580300480

SHA256
8d52398ffd2fced1ecbfce0b3d60fc29231604357ffb0b1d97929bf94b47bf38

SHA512
1a12d9178e574f9da4d5bfdd474eeef2d4878350cf02762315f18a431091133aa0437f55ebf3c8d38e45a07775f9729f39c71d815ea02dc10203931d5e603cac

Download Submit
C:\Windows\SysWOW64\Allefimb.exe

Filesize
96KB

MD5
de2952c58c5b51689bdaccf5b1819467

SHA1
361c791e3e1012989aa587ee8a3042e7b965f56a

SHA256
9929c9409aa60eb5481659d3434d7ec58785e6ac9392be23fe9058d4252b1457

SHA512
ed0626bc5ae9bdb8324e2288fbf9436d748d060b211927529f22e1760b5c42cb3b43dd501935c3747ac39a4a9a301f2caddcdd7ea9c423e52870dec3c7714bed

Download Submit
C:\Windows\SysWOW64\Alqnah32.exe

Filesize
96KB

MD5
75dc7a7bd39781d3e0fea9e4ff8dfd93

SHA1
d7d465d11d6d2a35926f4e007e69427d8e40081c

SHA256
2502a81dd3414e5e5e23564d6de0d04fbd532ebb85f1191125687521d4601a32

SHA512
7503b99953effd866630faec9496189f5e805813f4fbf9bd7482795d19c2f3ef5d51ed79ddfd320b4015020a375c050d56cf9fdfbf8bf8d898d2acc017259aef

Download Submit
C:\Windows\SysWOW64\Anbkipok.exe

Filesize
96KB

MD5
a45e3b45d162eac4b4b8cc320f468001

SHA1
335aa4e3640b5e545bfb573268031857a70a7a61

SHA256
618b49034d4896b73284dae60811b47b225beec56e631fa581b745de23c34bbd

SHA512
6ef7b1cfa1639dfe7ae1abb0597f4b8b9e3665eb399c1777a888c59c98938ff32a5ff79a492b044b9fab1422bd9197795bfacd3b0d41e16a894ae581fc026c55

Download Submit
C:\Windows\SysWOW64\Andgop32.exe

Filesize
96KB

MD5
193ad2a38e327c2eeffc45da22716a89

SHA1
28d39434e1fad5c70e1803cffe92ab6bc77d5830

SHA256
0cb924c87f8865a4b41539c8bc09ccccd05a702ccd3b62792b6755510a890a34

SHA512
53766075a741151e2b1caf50492e5ea59dd05fa1ef2949b04295c4995a20407c9c74d783688e39575136b74024630bef86b5b42c0a1fb2e45bfbfb0ed9e202e9

Download Submit
C:\Windows\SysWOW64\Aoagccfn.exe

Filesize
96KB

MD5
369730e1e35a31ee83d34d72c579b0b5

SHA1
1b7dcbe2151e828af2e3b58324c1bb45bdd1371b

SHA256
5b5110ac62b9e2f3987edcc1d173bd680750124cd114679f10aef8664dbd0857

SHA512
f39cb61a924d12bc023b07aa9f6d7b81644b4b55be8739276bac5c89723ebda7e04cb9f2bb810b8c0b7fb6775a5d39e34327bddfdf418be8ba56dbe73d4086f9

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
96KB

MD5
c7f815de54ad59a0b33a4670f3223f59

SHA1
17be2d7eb0d5a408b455a768dbfab6144552ffd7

SHA256
076481298d09d9ad56e91131348c7b510d72ea6406c31eef3d3ade797f5e68c3

SHA512
45cdfe449d1501375e69e5d08856ed3612c23542e0d5a28b9495dbaa02eb043649a6a3ab58e507f8c12121e9f3aa224f9f8875d09ab0d9eb4512af023c334dc0

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
96KB

MD5
f2d376f8d61d6f90daff66925eae3b8a

SHA1
5a57f9cb0c09091261d6f4ee84c8f8d9f3ac9980

SHA256
1fb9e605eb938eb68fb945a5c921b97f219ac1e50d74aabd680366dae954a978

SHA512
3b690d3c1524a9d5b4c5f475d80f1139119cafa444515345b368008d9cbc42de6fe18c2cefad7328c50d82ebea18d311e3836ac5c8c3f00259e5afecc6efdee9

Download Submit
C:\Windows\SysWOW64\Bfdenafn.exe

Filesize
96KB

MD5
9ae8b65f6d06728e971b3a931e301c71

SHA1
03c193417dea86a4829034f32ee6699efb1a95b7

SHA256
82adf0f11c2e599bb2e5f8b1a8fb03345deb5a80a72be9bfd3fc7fb1e726aea5

SHA512
3cec72fb83af277d060f10eab6565ed814480d0dd3a1c8526d7ddd980ea1b6bdfe538ddfcd1e4fa530ef9c9dbd9695644d8edcc35d570632631064579a1a7d04

Download Submit
C:\Windows\SysWOW64\Bfioia32.exe

Filesize
96KB

MD5
b6320544a1bcd22c138abd915eb58cff

SHA1
70d5e8d46944ef60fe8fc97fa92f9ba3cc226681

SHA256
8ced441db6bb53984ac496af91f7781ed79e377c1c7692aab30fb25bc2b18316

SHA512
41dd51c745b8ce5f54d4187f25179f340fa2f9f232b90bbfb39ac26641177571fa3d1dd13dccee6957ca333e41bc9b3d9d46a482f7724b8f6f78597a04448feb

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
96KB

MD5
7e99f13985f867cf3a65caee2991fa81

SHA1
81cd52e1b9afcf4d55aa2d6feccc5a3bf5b10a83

SHA256
3e2ff47bf646baecc445895d5d43218a2744580596861a7e4e59d945551cf4ee

SHA512
669e57b8255ced787e0635e57ad8c01d8e2ca5ce819fb346fd1992244a2aa8c64d144ba8c2372978e918386dcc731ea09ce5094d318699de400ce47338423bf7

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
96KB

MD5
3d65e9827ba827bdb3bcec19ec603fe4

SHA1
aa5dd58cf199c6d6db2f1c9d74ce2126d725f1cc

SHA256
21943b4942016f55e93d5fb3ca775343f7242a0b38a2d3a786ef01737d4322d9

SHA512
07899607156e06e6e2e46db2cccce10491016adecc1011fcf747a18742cc5292982d0ebe11047702a4d53081aa01596d9a77df6fd0414173b8aaa20787984d35

Download Submit
C:\Windows\SysWOW64\Bkhhhd32.exe

Filesize
96KB

MD5
d3b3be532b209c15cfb867ae86244ab5

SHA1
583d43b0936908b302ae083c02b513d63365b5e4

SHA256
d8833ad450e963fb802d632af9865bb8624e05339b26c84b63647043e30dd93c

SHA512
87c9eb945f54eb1c5aab31267debda2b4388f91fd647d1b53cbec551ed0e5a04985cc4b06869e169ca72bb21d07948ad66f08071cf771dfd536b4426b591e9fe

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
96KB

MD5
2ad097772d682c2fddb1cb114da44755

SHA1
7eeee853e1af69f0d769373f344553fda128920c

SHA256
26bce99d7d205691c78ca03b2d048e2868c0b91d98b77f6a393002924cb362d2

SHA512
0630936670fc991c194587d61c8d4a2f7243eab8328e56abe83a29a6172644fb900afa5083a37fade02b7e7340c184cbe0c3f61e088a4e4abfb93fb9ae82926a

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
96KB

MD5
364530cca53e255d5058ae586ca98f17

SHA1
024e19e85eebe3854545dbe0ad00d5a5dae12d57

SHA256
b0d6d5253a170789aef266486de6fceb4b6223fc1ea28d0e10b06dd81d98309b

SHA512
b5c7227c5ef0ef3641f95908ae5f71582337c6279312f74e72c145621596c036e5861eadcdd67c1780770931deb69bc3dc690309ef3858dfa7744d8606ef38b2

Download Submit
C:\Windows\SysWOW64\Bmlael32.exe

Filesize
96KB

MD5
d5dc5bf630375b4a709b387c60e6709b

SHA1
af09815574c6c7e86d6ae644e11e8d63a6516b30

SHA256
0c355ffca712413f1b5a0ee9e95049c2b09394e89671ac9ee2c31b0ad41ab9ce

SHA512
e9a65d2cba6d583e5cbb3ad2ee2f7b3b1cad755c4a438b32a0b247e88c04e7882dcf510f76ae2aac61e40434112f008e35dabaa9c6aba3492c341092e41d51f6

Download Submit
C:\Windows\SysWOW64\Bnknoogp.exe

Filesize
96KB

MD5
f7bc760e8c06dee36f9ef545bda9ee00

SHA1
bc653ada604ef01725b18405c0312d0507508ea7

SHA256
6deec3517565ba8d504e96bad5b2a643f16596b1d5d7065b012e2b633b2cdca3

SHA512
a3d18b6a59cbe80f1f383bddb642ccbef18c624f64c96f2110f0afc79ce3b700161ac9edb11520680abf1efd919a236edf19da8329f0a8a9b268697dbb5a5861

Download Submit
C:\Windows\SysWOW64\Boljgg32.exe

Filesize
96KB

MD5
adddf9ccef2f9d4976fc4563e115297e

SHA1
56a0dcac04b1b06caad516eaf3c945d1b00264c8

SHA256
bb82be321d78a43d5326c5ac7dda818be0edd38064d966ba2e14fc46025e1e5e

SHA512
648dd5164c4c6f0a51df988319fa68d8c0a4c50f19f9fc25806de78ce73f8cd53119169da100ae24c1f01718db942407e0ef35d802c3a0058bbbad8f64826684

Download Submit
C:\Windows\SysWOW64\Boogmgkl.exe

Filesize
96KB

MD5
3a1a1620a543636237d437d9e05b4e56

SHA1
6076d3bd9b146e663eca0cbfef636ffe6982381b

SHA256
86bfe3bed0442654971fcac9b28fc04862caeb79d014e0540997086b5aee624f

SHA512
e8e4caabc3d8d70f3e662ffaef1808914cf7c4f75c2e8900493d14f70981e1bea6cf14e528e047a9381e3c86335eeeee0c0900afcd612a90be57ad5c1148f7bd

Download Submit
C:\Windows\SysWOW64\Bqgmfkhg.exe

Filesize
96KB

MD5
62a884a377fd1fe1dcf29407f97d63ca

SHA1
43f4c8a22aeb1c1f4e344cb1a69f8883aef4e2c4

SHA256
2f4297fd2db212ec8a526970a2e0fab0dc27b10947a8101c1abde06055cae5b2

SHA512
1df6256b5bcb2601867e9b3dea937d4fb4d619b55612388e421fdc85e904df07dc94c1fe8cb1b210a9ab6c9818ccd256108c223a5c6a4b24d46c3271a84df601

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
96KB

MD5
0426d884cb8abdb0c0d5d147ec035c40

SHA1
97863b2f7a67245b2b47402fd8b16d74ef9b86bd

SHA256
ec87af652f716541952c6d315b3e5e018901135643d5a9edfa3e2e267809c546

SHA512
879f4b4248289877b75312f6bf985440e86692438bcb123c720378166a520f975e5bdede117a5b7ccedc74ed10494ff501012ea9730f498c8879ca2a9f514b30

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
96KB

MD5
36ad64ff31829fd257337d44c5d0b266

SHA1
22425d99edf9ea491f92054ef041569ffcdf42a0

SHA256
f4c37dbfb2f21ca78c77e64dc81b210a026ad2ed2dd5a97306a1130ab500e21d

SHA512
8da1112b12d5db0726c540e56fca68eec841e97a21f3fdc5a433014421590eb27980ba5feb1eaa6b80198cdcfbc37a66d3771fbd1e09c7d9eff0dfd9bbc200da

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
96KB

MD5
ace8b6a964d81ce9223968fe6d13ee4d

SHA1
4d4085334eb96535254511f084e56cb6f2d2e35e

SHA256
998d0d6b597c3cf990d0079c5f2b92fdde6ef3e926e1e09f15515e48da2cba69

SHA512
4eadcffda3d91c58cb8382be82b950a633d2cc8f8250f05e2afe81cf95f6fc0b994941321451a175cb48076d7bbdd9bc7f14f94c5f5a6065f49fc84380310253

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
96KB

MD5
c977d20b661a7a982f8d9467e7f253a2

SHA1
cf37209f2f39b013d6ad51bc3b44be355e80e902

SHA256
61258a331580eef6046dd386ef6bb8b511adef2078c78e57f7fdd5d34bbf61dc

SHA512
daa065010e8bf332599c5cfc8620234b5f60c24045de5cd3937aa322242d57df852f1c239d9150e9dbcf318f8995620acbe02aa8b2a7fb418415b33815052fd3

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
96KB

MD5
6ff0fb1683ee14b4a1b74bfbea310ac5

SHA1
55f84727906282211f9f6f1007c616b037110b83

SHA256
904cd011b6789d5817085bca2b4eba6456b3a6bf9a3c4c5505d324a79c6195f3

SHA512
fee04be07746d1aa009e262ce033bb2594ca11e0e3bfbe76214b5a7ee8efb314e50adbe6790d72d590a0377e697365fb908eabf685b7d78c578061d5e7f9fde3

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
96KB

MD5
13f5583d2a2af1e481161ba54301d0a7

SHA1
4da860df4a045f30d5826a2498185f8cfa99e2af

SHA256
add6b480d79cfa1180e9107c93afd4c7d2361395478228a6342ceb471aefbb6a

SHA512
54a040e56bca8c9881e346d0b31a0a87594c06b5a6987c8ea11aa0a29f640286204e38a19692422e6a4bbeb96dadf4bfc32075b3567fa57b9ae2400651dcd5c0

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
96KB

MD5
6638dd1c9f74e286c2cd5409c6e12c62

SHA1
3303b9793ced77a313db6a9922a71d770dd5a36f

SHA256
2f5bb7fd65f2e44158d5b6cbf435c5d16edde0a29a9ce761e23c48e565711a85

SHA512
3e718c1e072aa6575a926e1fb3badb7b1057cdd6d3e47ba71aeba2330b1ee925b5deb37d7ec7df966d208ec5f6a34f5bb5d968ca80bcc908e1fe4a739c006412

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
96KB

MD5
82ccef8eae689bffcc88263fe988d44a

SHA1
4a3ed2636ea99eb52df1a73c9d7524c539d0ac79

SHA256
6b8c06773aa4ed7a4ebcc50e22216428438f3bfe8b710f0596ec02adfac8da43

SHA512
dd875c5d18b0cfa3bcbb64265b08e7a7ffc40fd2bca0aee9b1ca894f3b88a2834f14e4ca7989cee2351593dd79c914e3dd29a25ae47007177275f5ec8816c578

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
96KB

MD5
c8f4a5bcd9d355c294b517943e730835

SHA1
2591445edba4e27281edf69d2f913d4fe34e118a

SHA256
80f76cd666e957c447ced2d1966b92f369ecd4400a1c2ecc08916bf9c70afc2d

SHA512
5fe696d3a5e78a5f7a9723dd5d8aa3c7ffe90c62d24b2709259adac56270e2ba53babf5611e79db53a4ebca05bbe87f43f288111471f4cea1387e4d095fd53af

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
96KB

MD5
08ee49b0ed2fbf226e69dd8b01b80212

SHA1
57234ccc76b12b7aa07ed8bec49d86915504eb1f

SHA256
c579dca4889b2d058c833f0968db5f701a2792134cc2acec0a0d9e9e6a8946ec

SHA512
6165af1f58679494e3aa086d1d083f8e816d5cf87c06006e1a30df884acc18365af6e4b715d92470e8186119be90320cdbc04dab00707a456447622ebad4f7bb

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
96KB

MD5
29fc54a1cf506e8de671fa5306910077

SHA1
68dc044ea10efe7aac2c9b9ff0c368407993a3fc

SHA256
55c5b622fbb2eaeea7d67d793b8451b289705e7678d17ff077abf95110b492ad

SHA512
7162f33e9681c9aa5cdedec8bc95d7dee775a6158776f9d61d38f0c328ca9445e676e58f6a09a8c810e276eac6aeac2899ed8bd2e1aed559ee6e4d577524dd03

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
96KB

MD5
d861db0a3fd8349c2df774fed3e6dcde

SHA1
e3dcd654e7226d32a104b4c8d2da2453235e6be3

SHA256
ff954241b9fecda3611e47be928b3e26c700231306b1583c24dd70e55afc9e52

SHA512
4aeefe137149fc3e38623d606441285a8fecfb56c35f77c47e013f4018bb543edb42b47e290dc8d58d383781d084089b53bd2e20e44cf388b103c44c244b8a5a

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
96KB

MD5
531678a48f0fa55048893db3307f5175

SHA1
7a635625e3ab6211dad90a0882f2492e59b6c631

SHA256
72583962f607dd76741594df18a4d8123bacf0e625073bcd9909b5d422dbacad

SHA512
b0c7c741920e9335f31e4b3888a85d24c84fe87e6e710ae8e386d1d3ab480aad0b68944f80322d7c4fd1acf4265d2ea4c839aa8a5161a370cf79543097dc1925

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
96KB

MD5
57ed8befed10ce1fd3efd951d90736e3

SHA1
655fb43e3ce8eba460938bdc742f1e382606bef6

SHA256
55519f4cb5d88bcd60ce9abad42a7ea9eb6b57f6fcd45a4fd05e13447ba03d69

SHA512
6b36e5b1314da50ef40de9f0c38768e30eb23f0e74ca93df0cf988aa0cf233ae3ac9460e93f9be3ccdcf674da7405a0e3d40e730ef838e2fd09f301dae3a7532

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
96KB

MD5
e6ca6f94120cb92e4624b570c7461fe8

SHA1
5ce3284deb14fc0331f5d89473194ccdf0b754e7

SHA256
c7b8fd40f040f3ae565e97105efa4ab44982a564c3cef8b3d7ee226bba7cbef9

SHA512
43302c73f0c43a51a87e7930aed5f16278404f02c4dc3707cf4c3a78e0507bd64b0d9b6238dc7d378fbb619b75795702fa851d56a4449d110aa14e3f378037bd

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
96KB

MD5
723d6f98cb312aaec08e00739fbff010

SHA1
a5359fab9fc982568c66300d4e676a85bdb1e1e6

SHA256
475c722296426cfda80ca403ad7ba816a9e1c3ec3ce762d1f654d81e6ee6f718

SHA512
b26da231956b576d509fe471be6b6daba5cf5bf591b299e1b3d6ba46d40f556b98cf2231fee99c9108429211fc4a9301c0934724c158ddde4b35a20224fa46ab

Download Submit
C:\Windows\SysWOW64\Ckhdggom.exe

Filesize
96KB

MD5
88931bf2daf0f666231ddd8f9c1484ab

SHA1
3a6c48a4dc9ef94c87cb036d625a8b671ae466da

SHA256
0b48f812429a91cdeae2be53b5851ee1c84cd93b58939180927f8aec15faceec

SHA512
04cc6375d060731de2465058aebe0a7d6dae996c2533ef80ada675135c9e46ed947c8e4462733d9f0c8606e2b3f15ccdd2e0c108c7a1c6654d15772c5f7a0831

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
96KB

MD5
d3ff5824e4fe7e7a4e4157b88a0adcb8

SHA1
f493463f88940c65feb4e42ca0ca4ecd4269390e

SHA256
294991fb3e40b37af56fc4a828fb51802932625dad7e7cb9ece4be60734ef3c2

SHA512
fc903bd9283853128d9268c67deeb905933c09dc4f07fb162f7b84cf882c437dfbfbeeafd9cf829926fe7dc3d2de461d019a397f12bac1938bc15790d6087f6c

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
96KB

MD5
dff4cdfcdb01ef715dd8639ddcf5c2bb

SHA1
e9afca12c3742bd877faef6cab7eb420cf88e19f

SHA256
6f021159d5dc40f14f2dbe8bb8c28ece6a662e62f4963e5a4782a72c3231b128

SHA512
a2988b5489b3742fe157127fa82f02868c572e20271a9162b7b58bc928ab67f0d2987c33cb596bd9059d9cf97ab52eb50a95e8d9e842f8897c94fce79aa8f321

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
96KB

MD5
13d7b3313dc1593bb4b85755f0b5b97a

SHA1
a3610443b21ef61bb7410802fb5331d54e952bbd

SHA256
d5e24c9de8b904ec86c549cfe29e9aab02d954ed65b49f8275b466025bed510d

SHA512
330b8dcd2bd3399a07d6867bb539c32d91cafe941ac8b744465f32f210ad80ba28332e8e9f4ba0a559eac9d59f9f27ffbb20dcf9005bfc54233b97b676c5eb15

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
96KB

MD5
0289e51488454e42590666e53f821d67

SHA1
807049eb242f6acdd27f54cdfad94da57de88c03

SHA256
cb53ddd02956a4f7bf89e31df7cf5fd68817413d989c8bf8278b5ac7a1262319

SHA512
606421ebfb1b9c9315dc8be4db1dbcec3fa4a2c955c774bbbb2f278cb2480fd9abea34800f4467d2a928a48a13eaded0c05125acce6ab2cbba1fb3ebdc68080d

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
96KB

MD5
1c19e3e11314faadcb5307f28989c559

SHA1
c24ae4a8490a8ea3e1b3d7036e41b18f1cad2b1f

SHA256
0dc05d13e14d103ae7af49df410c7d7148ae4fe669842599a63cc844001fb69d

SHA512
433a7af1dbe5509299f9185c23e4b0bf1632d4e68613305706d3dfd6cf69a793846c62778fce2994ba259ba66b318d86266ecf6fd1f9627440c03d96d48e360c

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
96KB

MD5
b411cfbf1a45e3a9fb54a1f3dafcb9ff

SHA1
3c6de893fee10955d06222fac1c9c96f928aef9d

SHA256
0fe2c408613fbaca442f5c900a393a967c8c45d117615e64bbef60ab84e4829f

SHA512
bd9242c55b23062999c674c7de26728ac870d1193f3550db8577262d03849209d161b65440ae16628cbd536d2a4895665c1de50ff7ec9677613ba70b1b6c6de8

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
96KB

MD5
2c3c72af53a145014530eb6ac03e22ae

SHA1
8af7b0c1c2d2d1b34f0d0c934cf12b205ab8440c

SHA256
b0551ed152fcdbd18772769810f448438ffb85512759fd8b1eaf0a64a7e280b9

SHA512
ace9aae91237ae40a5c41b95c0d8391a0b9abd2049e2b34840c44f913e0dd5f9c48b553fd380fc2f184d72dcebaa3ccae4174bec3242882a5fc7752b8157c326

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
96KB

MD5
0611945a3c4a84f1bb481e33ad184836

SHA1
cd67db3ee601e6de9491b7981ae75ebdac3b68c0

SHA256
b1388fca0619d75b1e74d87372ab95c3c423d5e3ffa0d8653c3996bb7df82852

SHA512
8b6bf33a49134139ca32dd3225aacf97b76bb4497b4d5730af730d7f13ac7186881d97981f4aa34cebdd4f693642838872c1719e57cf89f8a8c7371ee6565664

Download Submit
C:\Windows\SysWOW64\Opqoge32.exe

Filesize
96KB

MD5
d3555ed6275a22558df30464026d2d0a

SHA1
f4e579ad1fd3eb04ad3d6d07634f89dae3b2fab2

SHA256
7f6a99861a321db5dcdbc4611e6fe06cf6c2b76ea4246ea26d4843c370137e67

SHA512
829feb79be3f39323b73fdc7d95160b559ee55c20aaecf318cf4b7d60a7a763e8a999150abdef12744f958eff3a6461493d7d80d4b5663e6e461eb8ed5bfbf54

Download Submit
C:\Windows\SysWOW64\Pmpbdm32.exe

Filesize
96KB

MD5
691617cda76bdda7110f8ae2273140f7

SHA1
c673f674785d0e9e6cb6a6b662dbd32d3f9bb9dd

SHA256
c417d37041d8754317fbc2a2f35fed713f06d864a0f139e20008e80b22dd04ed

SHA512
1df172ddd77ad1257b7bc2a295865b510995a66e2637618069403b58720256b612f6aa608261ff44bf2a35c5245b0de826320d6766732b50831a636702502cdc

Download Submit
C:\Windows\SysWOW64\Pnbojmmp.exe

Filesize
96KB

MD5
3dd742116296ee9ede8b907d6b8dc5fa

SHA1
6668ffc57a603c9b2332b2e49edcae686b5bfc9e

SHA256
e939977f09b1ce321113d253ff8c095a6b74aac8c6df9a4069da05bec7a49889

SHA512
918a6e29ef4467fe0278c8d8ebe808aa98c7ca2b6bac1c5532c2a5d13e58fc939e43c39766910908fcbde580d6b4b671ebb61c518bf049ab85d60b2d3108e10e

Download Submit
C:\Windows\SysWOW64\Qdncmgbj.exe

Filesize
96KB

MD5
5414c79236c37259924986ec47d2b98f

SHA1
374f4b20324687713d9ece7b5a1aea9d7d6be5f4

SHA256
f793fe432edfce9a8e93faa1283a9dde37d63a62063bbfc1a981e83a28d47474

SHA512
9e1eafc46ee7de6ba98d9b845a370e4d6232513279a78fc77d32acb5d47b39db58d1d02e49916e7814fcf556cf4d608f1d37c4398d2025831fbf8668e88618ae

Download Submit
C:\Windows\SysWOW64\Qeppdo32.exe

Filesize
96KB

MD5
b27e7784f3895e72505f702cc0f12ed9

SHA1
e0e17895a0b0fb931f3314f34f1b36eb717214ce

SHA256
0d86f7e965e901dfc18e8b52b7148cca0f7a76c44ad47c2cc79a1c3964f434f8

SHA512
c05b940f8bd2460849a073542718cb74bd6b679b066595e7618a1663287f7fbc2c3f9efbd8d97605a418ed79d052cabbdc044f9acfe24ef4e41cbee14bfa6e89

Download Submit
C:\Windows\SysWOW64\Qlgkki32.exe

Filesize
96KB

MD5
9e40f85c5d01965c5e63736f31e5735b

SHA1
b43f52689d6a5a9db451eeb4572e867a23c9d900

SHA256
01743593d878f67893e475d161e918416c600da55c542f7657d5d4df72062742

SHA512
0cb3a1df64923f4f780b5acdebcfd181519a304d557f20e20e022f05971ee24af410913b7b143d9d2527118db1390941f9b1199ed269342113a654fdf54941c7

Download Submit
C:\Windows\SysWOW64\Qnghel32.exe

Filesize
96KB

MD5
3fd03e89da194f99ecdd9fa95314d6b1

SHA1
af4dab8c68d58eb68ce9dc8b66bd123a08d3e595

SHA256
35c7f449b0610976cb59a175d87f141286df00e96757247ca3e29aaafa738307

SHA512
931f598077173962269e4230188a37908351ecfa8f8bbbb783a4f75a94816eb76e24287660d0652cbce0ea4b6e84752d59b8666ea7750c33636307063c7fab2e

Download Submit
\Windows\SysWOW64\Oiffkkbk.exe

Filesize
96KB

MD5
c49db5158d6b8dc5a24dedfb09e16c78

SHA1
e444a9cc08fbaab6dffaacdbf6e8d71c76240876

SHA256
9c87671dcdbc00cf3cabcf7d3f1dbe8c735048f2b62f4b837895d8c382353448

SHA512
f201edbbb584e848147a3341e811fe48d1dafc72ce5d1b7a00fac03eef3320a25eda076e1665ffd1fdc78cfa0c43e9ab8a1c37f2bd63ef6ca0e1c0f839d8fbc3

Download Submit
\Windows\SysWOW64\Oococb32.exe

Filesize
96KB

MD5
16f844a510f8be8f548926f44210b3f5

SHA1
2bd5874695b06a3dd859b08b575cd5a80bda837d

SHA256
0fb5d12af7667268283f32595358f583728a966250298d4b90af2586d37b369a

SHA512
bfd40ba3d0f5dbd7cfc81fa50db82c8aade413b0694df747ff29a92814c5b906571cb81c505687399d7150bece6e023fc51928ffaed9d656412772f05a0eb23a

Download Submit
\Windows\SysWOW64\Padhdm32.exe

Filesize
96KB

MD5
3f5f430e1281df8c173a4668321a04b3

SHA1
01f80209951f085e11f06af1884db2d210fcd7ea

SHA256
0d124d1a4b63837c5208fd24d3c944e9470f098ce39138b96c7d4fa281cda71e

SHA512
ef97a417663fbdeaef7f6d19fdac608361838d835698c4432191d6c7503ffd3c135274bb55208a68fc882011ef728f18af9ebd9ff3d0e12bfb8736cbf621e396

Download Submit
\Windows\SysWOW64\Pafdjmkq.exe

Filesize
96KB

MD5
0aaf55e6e721ae17d82100f006fa5b35

SHA1
36737803590b08f79a36121eb746f87822466a01

SHA256
6cf7c22b8adf018119b7570b34caef6d56cc246bf3959b6fd9efe42fd31b672b

SHA512
7b32bc4cf0dda3f1aaf17df169dbc19e7e8dea1acfe01c9fea86d0b04447bf20dc026355b56a63e5ef0efc0e971d89d7dc1726318a316cee8330e9427fbd9fe9

Download Submit
\Windows\SysWOW64\Pcljmdmj.exe

Filesize
96KB

MD5
e14ca0019eb8b95eadf8b87fe9f5add9

SHA1
1eee62fa0413fa0110be16d4d8f8eb65be007134

SHA256
4474bdad0a26ce1c938a802c76150b86052c173e84e1c54a481130223440f26c

SHA512
f51ca51f501b02405814576a92df447dbbc12e7df2142031a439a82417b5570b39bce8abef5a266af5fbd427e1c5fd556d06af9f2ff7667b85d7066fd4cbfe28

Download Submit
\Windows\SysWOW64\Pdeqfhjd.exe

Filesize
96KB

MD5
a4bf51d4a1cd8562badf5cb912f41dca

SHA1
84e430eb5aded96db67b168cfdd27505c4024d59

SHA256
234a46f1795aa4018b4c63898bf1c9f85693175b34847b9e7a301fcf1f0342da

SHA512
d223e039f49213283612628df2ab0e3122a5a7f74746eb4237e7b08a4d6aea0438f2982109413e0292ab73a9b353c7b71c4ac7c9a1288339eef64e3d565a9f07

Download Submit
\Windows\SysWOW64\Pidfdofi.exe

Filesize
96KB

MD5
1283739fd4c75aa7ea94731a6c8b2978

SHA1
f1f58d07ecbd0bb67988656b13a4d5b106da869a

SHA256
c053fc2c8bc686d36f2be82fb203e50c73c2cc5969c1dcb8298b797ff7875f41

SHA512
b3b9eb63f22682f5a028a9e061f4a8dddb98eda27c75f55da145f125f5555e5af61ec2449b375278b82e75abb42e3b4fa453a6882df2f347560be6d5fb73fe40

Download Submit
\Windows\SysWOW64\Pkjphcff.exe

Filesize
96KB

MD5
3f913f0602c37d3db64d4e20f0cd2d10

SHA1
86742fd7410ec41402f79cc61f717f6c1b25b588

SHA256
ffcacd0a57086a18d5f42fac400eb8e26947ca35cc2ec7d953b7ef62fdea04df

SHA512
1bad1769bbdb33e804e300679ba8be7f176771a44b651e7a344cd6c258064475e7a6624e8c19ea988dadace0eaf1092f47ec72ee7e1ce1ec9b91758a9518f7b3

Download Submit
\Windows\SysWOW64\Pkmlmbcd.exe

Filesize
96KB

MD5
2a5eea9e76d09732a6f944c490e001f9

SHA1
b149807659e4722eba8b70da341b5273480e1d22

SHA256
389e0c87cc15c08e79df6ce410841754ea44ac703c4706255d740ef998e7133c

SHA512
3781efac807750be482180fa85ce747ea0de32a78ec9887fe48cc3be985eb5995d969cd74fd8909eee2cd364c2e0880eeb118692010d1aabf31557bef714fa4c

Download Submit
\Windows\SysWOW64\Pmmeon32.exe

Filesize
96KB

MD5
4f1b07c93f6ae2dbc3c7b077f3a659de

SHA1
61a0bd2146615aa7434df99f364a402a1b94c187

SHA256
b6ab528ef2de2bc167cdea6aa8ce1292a4926421b57526b879ca51b1b6484280

SHA512
77468ccbfe62a661c9420c6a9319f05abc6bc4c2ebc2092062e2e11c7f25ab6f71d59f01a1e95fe145bb31f82b6b1f441cb94b4d86a5c9d32b7e05f9262f243d

Download Submit
\Windows\SysWOW64\Pplaki32.exe

Filesize
96KB

MD5
5d22a7da1b43600b08cf1e789d0eaa8b

SHA1
b87deb4d18aa681f1a7cbf4bb847de20716adc65

SHA256
e35bd2c8848f6ac41dd725b89947af5a8b0ca258ce1b2e5f8c05ad98312b0c5e

SHA512
ab5c3603c128789771df8b6bd6a88efe12b1a634793a15307d12a012a88a979edf6b43ae4a0904e1c1793266e7de1745b2e26bc5208f9e5769cd5d70de1ce16e

Download Submit
\Windows\SysWOW64\Qcogbdkg.exe

Filesize
96KB

MD5
e2f8ec8a6d1f4b432eefe1cb0b1796e8

SHA1
973403a0d780ba6c38c1ff5c2ae49fd09e093dfe

SHA256
28a4ae2f92746dd839d293c6cc38b79b68957a74283a7d7090768d8bae0f1731

SHA512
b10e2f30e93dc62f01eab62e8983bff813a6cbc66d558f3bd5446ea284dcebc7949fd93bfbe9e89c27769ccd06e96a19beba9fa6ee6b6eb483b592e6ba14ac0e

Download Submit
\Windows\SysWOW64\Qkfocaki.exe

Filesize
96KB

MD5
e781947818cb02b505022d7b470bacfe

SHA1
8a7fa24660e89a041c290570a6d64c9308ac3ce1

SHA256
5c2d0c26243368e81f357601917e3660dd8c6a32cb6a0e985d3705daea334daa

SHA512
cf61ad9d5936b8394580a7605ba8e65ad626dc48328b92db9b737bf44ebaaa625e5c583d0701f1ca076ae6ff2ae50566a131617f23ddf8d8b320212ed88b7f54

Download Submit
memory/688-260-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/688-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/692-278-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/692-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/844-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/844-148-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/844-480-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/844-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-241-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/1180-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-222-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1396-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-320-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1592-325-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1612-501-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1612-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-116-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1728-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-130-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1916-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-448-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2024-449-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2024-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-423-0x0000000001F70000-0x0000000001FA3000-memory.dmp

Filesize
204KB

Download
memory/2040-411-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2040-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2084-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2084-405-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/2084-403-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/2104-13-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2104-12-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2104-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-356-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2144-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-299-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2144-303-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2172-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2244-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2300-316-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/2300-318-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/2300-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-331-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2432-336-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2520-34-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2520-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-381-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2520-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-102-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2556-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-88-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2584-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2592-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-53-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2772-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-369-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2776-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-363-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2836-415-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2836-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-62-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2836-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-345-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2848-346-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2860-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-388-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2860-392-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2900-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-437-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2908-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-197-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2916-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-460-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2920-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-292-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3012-291-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3012-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads