berbew | 95da5c01cd2423d52335d927d714795814e1b86f850534c6fe8e2d65e9f48a4b

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95da5c01cd2423d52335d927d714795814e1b86f850534c6fe8e2d65e9f48a4b.exe
Size

92KB
MD5

1797d6179c8d676a4efba1669c550d17
SHA1

3d7099692d9177893c141f618d9cb09029bd94c2
SHA256

95da5c01cd2423d52335d927d714795814e1b86f850534c6fe8e2d65e9f48a4b
SHA512

8dc0af23c64241e760832356c522439cb56bd8b39059f8572a07446f3872e942e97f4848e34f17c5dd45968ccef03c309adeee296adfefa099f98c5171bc3713
SSDEEP

1536:sYzU7b0d+AM1qHE0ysW4AQ1zlO7uXcNvvm5yw/Lb0OUrrQ35wNBUyVV2:TU7b0dGqHQP4B187usluTXp6Uf

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjkgjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alihaioe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oekjjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbagipfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbagipfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmpbdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qlgkki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Napbjjom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Offmipej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ooabmbbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdbdqh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afdiondb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqbdkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdbdqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pojecajj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnghel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pleofj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmkplgnq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfoghakb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piicpk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phcilf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phcilf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjkgjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oidiekdn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phlclgfc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alnalh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abpcooea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpgobc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnoiio32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nabopjmj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkmlmbcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajmijmnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aomnhd32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1816	Mfmndn32.exe
2140	Mikjpiim.exe
2640	Mjkgjl32.exe
3012	Mpgobc32.exe
2996	Nmkplgnq.exe
2668	Nfdddm32.exe
2548	Nnoiio32.exe
2152	Neiaeiii.exe
2272	Nbmaon32.exe
1860	Napbjjom.exe
2000	Nabopjmj.exe
2872	Nfoghakb.exe
1196	Oadkej32.exe
1096	Ofadnq32.exe
3016	Odedge32.exe
1324	Ojomdoof.exe
3032	Offmipej.exe
2376	Oidiekdn.exe
1680	Ooabmbbe.exe
2220	Oekjjl32.exe
2452	Olebgfao.exe
292	Obokcqhk.exe
2616	Piicpk32.exe
880	Phlclgfc.exe
2320	Pbagipfi.exe
2624	Pkmlmbcd.exe
2480	Phqmgg32.exe
1304	Pojecajj.exe
2800	Phcilf32.exe
2204	Pmpbdm32.exe
2736	Paknelgk.exe
2544	Pleofj32.exe
1528	Qdlggg32.exe
2880	Qcogbdkg.exe
2756	Qlgkki32.exe
1392	Qnghel32.exe
1848	Alihaioe.exe
2348	Ajmijmnn.exe
1300	Apgagg32.exe
1660	Afdiondb.exe
1244	Alnalh32.exe
1076	Aomnhd32.exe
748	Ahebaiac.exe
2056	Aoojnc32.exe
1856	Aficjnpm.exe
1252	Akfkbd32.exe
3060	Abpcooea.exe
2436	Aqbdkk32.exe
2324	Bnfddp32.exe
1612	Bdqlajbb.exe
2832	Bkjdndjo.exe
2820	Bceibfgj.exe
2860	Bfdenafn.exe
2856	Bnknoogp.exe
2776	Bchfhfeh.exe
1620	Bjbndpmd.exe
376	Bieopm32.exe
1760	Bmpkqklh.exe
1060	Bcjcme32.exe
3068	Bbmcibjp.exe
1484	Bigkel32.exe
680	Bkegah32.exe
1960	Ccmpce32.exe
1564	Cbppnbhm.exe

Loads dropped DLL 64 IoCs

pid	Process
1976	95da5c01cd2423d52335d927d714795814e1b86f850534c6fe8e2d65e9f48a4b.exe
1976	95da5c01cd2423d52335d927d714795814e1b86f850534c6fe8e2d65e9f48a4b.exe
1816	Mfmndn32.exe
1816	Mfmndn32.exe
2140	Mikjpiim.exe
2140	Mikjpiim.exe
2640	Mjkgjl32.exe
2640	Mjkgjl32.exe
3012	Mpgobc32.exe
3012	Mpgobc32.exe
2996	Nmkplgnq.exe
2996	Nmkplgnq.exe
2668	Nfdddm32.exe
2668	Nfdddm32.exe
2548	Nnoiio32.exe
2548	Nnoiio32.exe
2152	Neiaeiii.exe
2152	Neiaeiii.exe
2272	Nbmaon32.exe
2272	Nbmaon32.exe
1860	Napbjjom.exe
1860	Napbjjom.exe
2000	Nabopjmj.exe
2000	Nabopjmj.exe
2872	Nfoghakb.exe
2872	Nfoghakb.exe
1196	Oadkej32.exe
1196	Oadkej32.exe
1096	Ofadnq32.exe
1096	Ofadnq32.exe
3016	Odedge32.exe
3016	Odedge32.exe
1324	Ojomdoof.exe
1324	Ojomdoof.exe
3032	Offmipej.exe
3032	Offmipej.exe
2376	Oidiekdn.exe
2376	Oidiekdn.exe
1680	Ooabmbbe.exe
1680	Ooabmbbe.exe
2220	Oekjjl32.exe
2220	Oekjjl32.exe
2452	Olebgfao.exe
2452	Olebgfao.exe
292	Obokcqhk.exe
292	Obokcqhk.exe
2616	Piicpk32.exe
2616	Piicpk32.exe
880	Phlclgfc.exe
880	Phlclgfc.exe
2276	Pdbdqh32.exe
2276	Pdbdqh32.exe
2624	Pkmlmbcd.exe
2624	Pkmlmbcd.exe
2480	Phqmgg32.exe
2480	Phqmgg32.exe
1304	Pojecajj.exe
1304	Pojecajj.exe
2800	Phcilf32.exe
2800	Phcilf32.exe
2204	Pmpbdm32.exe
2204	Pmpbdm32.exe
2736	Paknelgk.exe
2736	Paknelgk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Napbjjom.exe	Nbmaon32.exe
File created	C:\Windows\SysWOW64\Offmipej.exe	Ojomdoof.exe
File opened for modification	C:\Windows\SysWOW64\Offmipej.exe	Ojomdoof.exe
File opened for modification	C:\Windows\SysWOW64\Ceebklai.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Napbjjom.exe	Nbmaon32.exe
File created	C:\Windows\SysWOW64\Hcnfppba.dll	Oadkej32.exe
File opened for modification	C:\Windows\SysWOW64\Qnghel32.exe	Qlgkki32.exe
File created	C:\Windows\SysWOW64\Gfikmo32.dll	Bchfhfeh.exe
File opened for modification	C:\Windows\SysWOW64\Mikjpiim.exe	Mfmndn32.exe
File created	C:\Windows\SysWOW64\Pkmlmbcd.exe	Pdbdqh32.exe
File created	C:\Windows\SysWOW64\Qlgkki32.exe	Qcogbdkg.exe
File created	C:\Windows\SysWOW64\Lmajfk32.dll	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Moohhbcf.dll	Neiaeiii.exe
File created	C:\Windows\SysWOW64\Pqbolhmg.dll	Offmipej.exe
File created	C:\Windows\SysWOW64\Pbagipfi.exe	Phlclgfc.exe
File created	C:\Windows\SysWOW64\Phqmgg32.exe	Pkmlmbcd.exe
File created	C:\Windows\SysWOW64\Aomnhd32.exe	Alnalh32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjcme32.exe	Bmpkqklh.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Alihaioe.exe	Qnghel32.exe
File opened for modification	C:\Windows\SysWOW64\Bceibfgj.exe	Bkjdndjo.exe
File created	C:\Windows\SysWOW64\Cmedlk32.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Ceebklai.exe
File opened for modification	C:\Windows\SysWOW64\Neiaeiii.exe	Nnoiio32.exe
File created	C:\Windows\SysWOW64\Oefdbdjo.dll	Ooabmbbe.exe
File opened for modification	C:\Windows\SysWOW64\Bjbndpmd.exe	Bchfhfeh.exe
File opened for modification	C:\Windows\SysWOW64\Cbppnbhm.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Nfoghakb.exe	Nabopjmj.exe
File created	C:\Windows\SysWOW64\Nfdgghho.dll	Pdbdqh32.exe
File created	C:\Windows\SysWOW64\Aoojnc32.exe	Ahebaiac.exe
File created	C:\Windows\SysWOW64\Cbppnbhm.exe	Ccmpce32.exe
File opened for modification	C:\Windows\SysWOW64\Ooabmbbe.exe	Oidiekdn.exe
File opened for modification	C:\Windows\SysWOW64\Pleofj32.exe	Paknelgk.exe
File created	C:\Windows\SysWOW64\Fbbnekdd.dll	Qcogbdkg.exe
File created	C:\Windows\SysWOW64\Qnghel32.exe	Qlgkki32.exe
File created	C:\Windows\SysWOW64\Nfdddm32.exe	Nmkplgnq.exe
File created	C:\Windows\SysWOW64\Kmdlca32.dll	Ojomdoof.exe
File created	C:\Windows\SysWOW64\Qcogbdkg.exe	Qdlggg32.exe
File created	C:\Windows\SysWOW64\Ahebaiac.exe	Aomnhd32.exe
File created	C:\Windows\SysWOW64\Akfkbd32.exe	Aficjnpm.exe
File opened for modification	C:\Windows\SysWOW64\Nmkplgnq.exe	Mpgobc32.exe
File opened for modification	C:\Windows\SysWOW64\Olebgfao.exe	Oekjjl32.exe
File opened for modification	C:\Windows\SysWOW64\Qdlggg32.exe	Pleofj32.exe
File opened for modification	C:\Windows\SysWOW64\Bchfhfeh.exe	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Phlclgfc.exe	Piicpk32.exe
File created	C:\Windows\SysWOW64\Bigkel32.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	Bkegah32.exe
File opened for modification	C:\Windows\SysWOW64\Mfmndn32.exe	95da5c01cd2423d52335d927d714795814e1b86f850534c6fe8e2d65e9f48a4b.exe
File opened for modification	C:\Windows\SysWOW64\Apgagg32.exe	Ajmijmnn.exe
File opened for modification	C:\Windows\SysWOW64\Piicpk32.exe	Obokcqhk.exe
File created	C:\Windows\SysWOW64\Pleofj32.exe	Paknelgk.exe
File opened for modification	C:\Windows\SysWOW64\Bnfddp32.exe	Aqbdkk32.exe
File created	C:\Windows\SysWOW64\Bnknoogp.exe	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Nabopjmj.exe	Napbjjom.exe
File created	C:\Windows\SysWOW64\Ofadnq32.exe	Oadkej32.exe
File opened for modification	C:\Windows\SysWOW64\Aoojnc32.exe	Ahebaiac.exe
File opened for modification	C:\Windows\SysWOW64\Mpgobc32.exe	Mjkgjl32.exe
File created	C:\Windows\SysWOW64\Nbmaon32.exe	Neiaeiii.exe
File created	C:\Windows\SysWOW64\Obecdjcn.dll	Piicpk32.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Lflhon32.dll	Ofadnq32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32†Dcllbhdn.¿xe	Dpapaj32.exe
File opened for modification	C:\Windows\system32†Dcllbhdn.¿xe	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1828	2004	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neiaeiii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbagipfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nabopjmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofadnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Offmipej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obokcqhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piicpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phqmgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfmndn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjkgjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfdddm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnoiio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdlggg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afdiondb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnknoogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqbdkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alnalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akfkbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcogbdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alihaioe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpgobc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojomdoof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oidiekdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pojecajj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mikjpiim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfoghakb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pleofj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95da5c01cd2423d52335d927d714795814e1b86f850534c6fe8e2d65e9f48a4b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phlclgfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnghel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Napbjjom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oekjjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phcilf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aomnhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceibfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmkplgnq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcooea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ooabmbbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olebgfao.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmapmi32.dll"	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nabopjmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinhifdq.dll"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmpbdm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ooabmbbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olebgfao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkmlmbcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khdecggq.dll"	Nabopjmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incjbkig.dll"	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbjim32.dll"	Paknelgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcogbdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pleofj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Paknelgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aomnhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oekjjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojefmknj.dll"	Pbagipfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdlca32.dll"	Ojomdoof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qlgkki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpgbj32.dll"	Afdiondb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blangfdh.dll"	Nbmaon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqbolhmg.dll"	Offmipej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kblikadd.dll"	Phcilf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmkplgnq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oidiekdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obecdjcn.dll"	Piicpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Paknelgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll"	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofadnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Napbjjom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfoghakb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odedge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obokcqhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacldi32.dll"	Mfmndn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incleo32.dll"	Apgagg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aomnhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jendoajo.dll"	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfibop32.dll"	Pkmlmbcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdbdqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phcilf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1816	1976	95da5c01cd2423d52335d927d714795814e1b86f850534c6fe8e2d65e9f48a4b.exe	31
PID 1976 wrote to memory of 1816	1976	95da5c01cd2423d52335d927d714795814e1b86f850534c6fe8e2d65e9f48a4b.exe	31
PID 1976 wrote to memory of 1816	1976	95da5c01cd2423d52335d927d714795814e1b86f850534c6fe8e2d65e9f48a4b.exe	31
PID 1976 wrote to memory of 1816	1976	95da5c01cd2423d52335d927d714795814e1b86f850534c6fe8e2d65e9f48a4b.exe	31
PID 1816 wrote to memory of 2140	1816	Mfmndn32.exe	32
PID 1816 wrote to memory of 2140	1816	Mfmndn32.exe	32
PID 1816 wrote to memory of 2140	1816	Mfmndn32.exe	32
PID 1816 wrote to memory of 2140	1816	Mfmndn32.exe	32
PID 2140 wrote to memory of 2640	2140	Mikjpiim.exe	33
PID 2140 wrote to memory of 2640	2140	Mikjpiim.exe	33
PID 2140 wrote to memory of 2640	2140	Mikjpiim.exe	33
PID 2140 wrote to memory of 2640	2140	Mikjpiim.exe	33
PID 2640 wrote to memory of 3012	2640	Mjkgjl32.exe	34
PID 2640 wrote to memory of 3012	2640	Mjkgjl32.exe	34
PID 2640 wrote to memory of 3012	2640	Mjkgjl32.exe	34
PID 2640 wrote to memory of 3012	2640	Mjkgjl32.exe	34
PID 3012 wrote to memory of 2996	3012	Mpgobc32.exe	35
PID 3012 wrote to memory of 2996	3012	Mpgobc32.exe	35
PID 3012 wrote to memory of 2996	3012	Mpgobc32.exe	35
PID 3012 wrote to memory of 2996	3012	Mpgobc32.exe	35
PID 2996 wrote to memory of 2668	2996	Nmkplgnq.exe	36
PID 2996 wrote to memory of 2668	2996	Nmkplgnq.exe	36
PID 2996 wrote to memory of 2668	2996	Nmkplgnq.exe	36
PID 2996 wrote to memory of 2668	2996	Nmkplgnq.exe	36
PID 2668 wrote to memory of 2548	2668	Nfdddm32.exe	37
PID 2668 wrote to memory of 2548	2668	Nfdddm32.exe	37
PID 2668 wrote to memory of 2548	2668	Nfdddm32.exe	37
PID 2668 wrote to memory of 2548	2668	Nfdddm32.exe	37
PID 2548 wrote to memory of 2152	2548	Nnoiio32.exe	38
PID 2548 wrote to memory of 2152	2548	Nnoiio32.exe	38
PID 2548 wrote to memory of 2152	2548	Nnoiio32.exe	38
PID 2548 wrote to memory of 2152	2548	Nnoiio32.exe	38
PID 2152 wrote to memory of 2272	2152	Neiaeiii.exe	39
PID 2152 wrote to memory of 2272	2152	Neiaeiii.exe	39
PID 2152 wrote to memory of 2272	2152	Neiaeiii.exe	39
PID 2152 wrote to memory of 2272	2152	Neiaeiii.exe	39
PID 2272 wrote to memory of 1860	2272	Nbmaon32.exe	40
PID 2272 wrote to memory of 1860	2272	Nbmaon32.exe	40
PID 2272 wrote to memory of 1860	2272	Nbmaon32.exe	40
PID 2272 wrote to memory of 1860	2272	Nbmaon32.exe	40
PID 1860 wrote to memory of 2000	1860	Napbjjom.exe	41
PID 1860 wrote to memory of 2000	1860	Napbjjom.exe	41
PID 1860 wrote to memory of 2000	1860	Napbjjom.exe	41
PID 1860 wrote to memory of 2000	1860	Napbjjom.exe	41
PID 2000 wrote to memory of 2872	2000	Nabopjmj.exe	42
PID 2000 wrote to memory of 2872	2000	Nabopjmj.exe	42
PID 2000 wrote to memory of 2872	2000	Nabopjmj.exe	42
PID 2000 wrote to memory of 2872	2000	Nabopjmj.exe	42
PID 2872 wrote to memory of 1196	2872	Nfoghakb.exe	43
PID 2872 wrote to memory of 1196	2872	Nfoghakb.exe	43
PID 2872 wrote to memory of 1196	2872	Nfoghakb.exe	43
PID 2872 wrote to memory of 1196	2872	Nfoghakb.exe	43
PID 1196 wrote to memory of 1096	1196	Oadkej32.exe	44
PID 1196 wrote to memory of 1096	1196	Oadkej32.exe	44
PID 1196 wrote to memory of 1096	1196	Oadkej32.exe	44
PID 1196 wrote to memory of 1096	1196	Oadkej32.exe	44
PID 1096 wrote to memory of 3016	1096	Ofadnq32.exe	45
PID 1096 wrote to memory of 3016	1096	Ofadnq32.exe	45
PID 1096 wrote to memory of 3016	1096	Ofadnq32.exe	45
PID 1096 wrote to memory of 3016	1096	Ofadnq32.exe	45
PID 3016 wrote to memory of 1324	3016	Odedge32.exe	46
PID 3016 wrote to memory of 1324	3016	Odedge32.exe	46
PID 3016 wrote to memory of 1324	3016	Odedge32.exe	46
PID 3016 wrote to memory of 1324	3016	Odedge32.exe	46

C:\Users\Admin\AppData\Local\Temp\95da5c01cd2423d52335d927d714795814e1b86f850534c6fe8e2d65e9f48a4b.exe
"C:\Users\Admin\AppData\Local\Temp\95da5c01cd2423d52335d927d714795814e1b86f850534c6fe8e2d65e9f48a4b.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\Mfmndn32.exe
  C:\Windows\system32\Mfmndn32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\SysWOW64\Mikjpiim.exe
    C:\Windows\system32\Mikjpiim.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Windows\SysWOW64\Mjkgjl32.exe
      C:\Windows\system32\Mjkgjl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\SysWOW64\Mpgobc32.exe
        
        C:\Windows\system32\Mpgobc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3012
      - C:\Windows\SysWOW64\Nmkplgnq.exe
        
        C:\Windows\system32\Nmkplgnq.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Nfdddm32.exe
        
        C:\Windows\system32\Nfdddm32.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Nnoiio32.exe
        
        C:\Windows\system32\Nnoiio32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Neiaeiii.exe
        
        C:\Windows\system32\Neiaeiii.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Nbmaon32.exe
        
        C:\Windows\system32\Nbmaon32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Napbjjom.exe
        
        C:\Windows\system32\Napbjjom.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Nabopjmj.exe
        
        C:\Windows\system32\Nabopjmj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Nfoghakb.exe
        
        C:\Windows\system32\Nfoghakb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Oadkej32.exe
        
        C:\Windows\system32\Oadkej32.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\SysWOW64\Ofadnq32.exe
        
        C:\Windows\system32\Ofadnq32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\Odedge32.exe
        
        C:\Windows\system32\Odedge32.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Ojomdoof.exe
        
        C:\Windows\system32\Ojomdoof.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Offmipej.exe
        
        C:\Windows\system32\Offmipej.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Oidiekdn.exe
        
        C:\Windows\system32\Oidiekdn.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Ooabmbbe.exe
        
        C:\Windows\system32\Ooabmbbe.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Oekjjl32.exe
        
        C:\Windows\system32\Oekjjl32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Olebgfao.exe
        
        C:\Windows\system32\Olebgfao.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Obokcqhk.exe
        
        C:\Windows\system32\Obokcqhk.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:292
        
        C:\Windows\SysWOW64\Piicpk32.exe
        
        C:\Windows\system32\Piicpk32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Phlclgfc.exe
        
        C:\Windows\system32\Phlclgfc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Windows\SysWOW64\Pbagipfi.exe
        
        C:\Windows\system32\Pbagipfi.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Pdbdqh32.exe
        
        C:\Windows\system32\Pdbdqh32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Pkmlmbcd.exe
        
        C:\Windows\system32\Pkmlmbcd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Phqmgg32.exe
        
        C:\Windows\system32\Phqmgg32.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\Pojecajj.exe
        
        C:\Windows\system32\Pojecajj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1304
        
        C:\Windows\SysWOW64\Phcilf32.exe
        
        C:\Windows\system32\Phcilf32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Pmpbdm32.exe
        
        C:\Windows\system32\Pmpbdm32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Paknelgk.exe
        
        C:\Windows\system32\Paknelgk.exe
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Pleofj32.exe
        
        C:\Windows\system32\Pleofj32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Qdlggg32.exe
        
        C:\Windows\system32\Qdlggg32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Qcogbdkg.exe
        
        C:\Windows\system32\Qcogbdkg.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Qlgkki32.exe
        
        C:\Windows\system32\Qlgkki32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Qnghel32.exe
        
        C:\Windows\system32\Qnghel32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Alihaioe.exe
        
        C:\Windows\system32\Alihaioe.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Ajmijmnn.exe
        
        C:\Windows\system32\Ajmijmnn.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Apgagg32.exe
        
        C:\Windows\system32\Apgagg32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Afdiondb.exe
        
        C:\Windows\system32\Afdiondb.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Alnalh32.exe
        
        C:\Windows\system32\Alnalh32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\Aomnhd32.exe
        
        C:\Windows\system32\Aomnhd32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Ahebaiac.exe
        
        C:\Windows\system32\Ahebaiac.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Aoojnc32.exe
        
        C:\Windows\system32\Aoojnc32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Aficjnpm.exe
        
        C:\Windows\system32\Aficjnpm.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1856
        
        C:\Windows\SysWOW64\Akfkbd32.exe
        
        C:\Windows\system32\Akfkbd32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1252
        
        C:\Windows\SysWOW64\Abpcooea.exe
        
        C:\Windows\system32\Abpcooea.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\Aqbdkk32.exe
        
        C:\Windows\system32\Aqbdkk32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Bnfddp32.exe
        
        C:\Windows\system32\Bnfddp32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2324
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2832
        
        C:\Windows\SysWOW64\Bceibfgj.exe
        
        C:\Windows\system32\Bceibfgj.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Bnknoogp.exe
        
        C:\Windows\system32\Bnknoogp.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:376
        
        C:\Windows\SysWOW64\Bmpkqklh.exe
        
        C:\Windows\system32\Bmpkqklh.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Bigkel32.exe
        
        C:\Windows\system32\Bigkel32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:680
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        78⤵
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        80⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 144
        81⤵
        Program crash
        
        PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abpcooea.exe

Filesize
92KB

MD5
77aa9b8c49d45de3647dc418358f065e

SHA1
431906b48f0050cc679d2918202788052d02f140

SHA256
5f7a8afa1de2bfc046cde28d53505ee096e1e6baeb6942bc8f2b4f06442cf23c

SHA512
d9cfba1a15c6f4a0f17820751c8f6fc5559df5fb6c23a883ce1a4f126f2b7c91a0f665c29030c6e12983b0bf74c37ccf0061520a9b641a0878356382d124bb01

Download Submit
C:\Windows\SysWOW64\Afdiondb.exe

Filesize
92KB

MD5
1eb391fa1695168cf273f3945dcba3b2

SHA1
ef261981a82e114be9e691011cc865ac2f223e4c

SHA256
65e6323bbf0de01f020b711866279c469f05ced51e8cd8cd9b00d4825e56dff8

SHA512
88390c71dfd2f6ace2a898b99c82803381718e53fc1c854b377bcb324ee6af7716caa4dd866c7102b31946d1c295c69e712eb15b63a9bfd8c73c30589e946924

Download Submit
C:\Windows\SysWOW64\Aficjnpm.exe

Filesize
92KB

MD5
9d334ff5bd49caef0d473634761ca1f4

SHA1
f97627375dbebfe985d60efdd200b61fbb37d4de

SHA256
1b3e7048d2ee5e2edf92038cee65fb6e3e146e8deaa78b6063100020125d1f9c

SHA512
778a9bda9666eb8d418cad98fc0392462ffd0b39359d3c0c7186697c84ed2533ec17b4072e468d4d243a42fb7e8b8325bc1a7b214b875c6725188bc54a9499e0

Download Submit
C:\Windows\SysWOW64\Ahebaiac.exe

Filesize
92KB

MD5
264c4fdf81f28678680cfc56d8a75fb2

SHA1
4d73f7ca6663fa59e547b44a3c5b21ba384ab307

SHA256
cd0daee17cd5d0be6a25c65725e1597f10b9f6193b69bd1794ae5b1ed1f868c9

SHA512
248d3bcacb11e1402e6139df00bcbc3c519d2e11a1ba620f4b8bfe1c30f9b0d82c63fed50596ae5cd722a0d0cce3b512be47d394e21a13ebb1dfde9611c2c05c

Download Submit
C:\Windows\SysWOW64\Ajmijmnn.exe

Filesize
92KB

MD5
b468fdddac54e49cb7cb30c48e453c87

SHA1
6a31bc283dfca7852bae2b2d7dd59148ecb40385

SHA256
567eb2880d52527840fe9bbb018df1d3e28fc6fa75020735719bec7f82bafe11

SHA512
ad46ba2ae22a806c8b49749909b918afd4e73c93ffe93ccfa30e63221a33defc7451665d0cd3b0d83f815a44e687df97a86aa6a535913ea7c988ebff004bd527

Download Submit
C:\Windows\SysWOW64\Akfkbd32.exe

Filesize
92KB

MD5
a7e3d2a3ba6b4e88168fcb1aaf5afd8d

SHA1
1f1be6475768d6f8f137a730f1075e2db3a61b46

SHA256
cb409fa87bad277c77a0e0ff42c1d751849fe64c1414c0b630214f01819ca1e5

SHA512
7b0e156088df78f660ea284d834478dfd79946f8fa41e8173a62f9e3850a1da2edd6c7a5dba0f2d8d58dff95f001206ab127ebe061c74eee80bc9950e443e17e

Download Submit
C:\Windows\SysWOW64\Alihaioe.exe

Filesize
92KB

MD5
27bd0ff6694b1a2822004710c696c219

SHA1
bce585a9992c8b1fc812717c7e2ebf25a1603ee6

SHA256
871153425a516bad6a46aa9e30565d2cc328a908338df56dbcbcde880f78e423

SHA512
576b0360c699a4dc3ab0cf0dff7df32edb5fe42014e5ac80d3907a4f49cb98f5d096850e333e9310f5017bc364b1a66b897f15bc0e06620f8dd60364d9865cd6

Download Submit
C:\Windows\SysWOW64\Alnalh32.exe

Filesize
92KB

MD5
8e53c4bcb571ea58cf39292dd5d71b8e

SHA1
fadc892957e06ef9b76ba83d4748251ac152bdaf

SHA256
2425d5a5dc06e1227653d51810fe7dcaee3bfeb81112bff1d7de243b1c211cc1

SHA512
c49b3f7b7a0fadc184e7091966c0ebfe57c43d0009579c1acac16cadd5814412e46c176ae82b9e01849eb5f274523bdb61630ffc69a4227f3ba485b7c90be1e4

Download Submit
C:\Windows\SysWOW64\Aomnhd32.exe

Filesize
92KB

MD5
43ce077d4c4000cd889bafc7d248b1b2

SHA1
e449f35f9c4c932723ec8927983c460a4ea9d594

SHA256
91a452291905fb4d9370fc0d51770c63ef656b14d2b1851d5de62374e27e2fba

SHA512
fa884aafa9beddf3d11c46114092293cde2ff83abde68df24be5ce7696f9736e358afeea134fd32a56809828a43c6b32cef0479ef90ef0f63083e93c985c0f49

Download Submit
C:\Windows\SysWOW64\Aoojnc32.exe

Filesize
92KB

MD5
8279bf43c7e2e29e4ffa1649bb1d93ed

SHA1
6a2bbe21a85b3762603d2c21f05a5cd452a3a965

SHA256
687b64f1527a8eb7c8a098a3a14b30b92a49b99a90b2d98dc79b52aab208f1c9

SHA512
f363f2ea5f395dad051242d6ddb38a82c2860f2bda27c351404cf983edd44e28c0331800fd8a800e338948ad16aea6589febdd3cd5e224ec5545264fdb3df5dc

Download Submit
C:\Windows\SysWOW64\Apgagg32.exe

Filesize
92KB

MD5
6f9f194a68e64dc8841ce91bd0f379fb

SHA1
0ff20529ed11bb25720ab52ca8f17b89f94d031a

SHA256
34a930db021da3ef8b7b0109f09ecb15f68e49ad5d2c0849750c82d8f034585c

SHA512
02e7427fd104077f4a1e5b92735bbafc1d6eec96dad5f8d18cb9c36087d98d608c57d4a93647acde1c3fc09bbe5484484598e0361f33c93e65b01c96d510f5a6

Download Submit
C:\Windows\SysWOW64\Aqbdkk32.exe

Filesize
92KB

MD5
4f3ad889d91aa718be010fd27eba7baf

SHA1
16dc65c759a9ab61aef33546794d74ef0503abdd

SHA256
db285a8e747369724de4da1223342bc17a1b69149189998a7c7819895c89849a

SHA512
b67c123124d4f2880d387ab8b71495480927e0937f340bcd79d2adf236998a786dba1c9e09c2521de7530dbb26cffcc000cdaaa524b61dde4b3ad8fdadffd3c0

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
92KB

MD5
cc58b366534edecaba3bab9741f58416

SHA1
36e21ecc84faaa858d20ccfa8a893f319b762eaf

SHA256
1933b246d133ea1f794521289a07b7608d3bfbd25550ae2c2f50fa11bccdff40

SHA512
d67a334c724504ded0edfd940687edef38ea3f574817e36f81e3545830e0169599b57e5fc862c7fd7c9a4123d7e146fb9628df7deda71dad3639d5ab638daa24

Download Submit
C:\Windows\SysWOW64\Bceibfgj.exe

Filesize
92KB

MD5
77768cbb86a4b52e82e455b37f6e9220

SHA1
2758d6c4740c11b0262b8e02fcb69976f87f36ac

SHA256
9aa10f445004530331483b338d81d66d8e7c0e63dc5916997ab71319dd77cce0

SHA512
2373edc0a27b3a3e202b8c4eeaa7a6e45dd410bc2b261b212ab86d71ea574e56456f2b1bf35e1c0cb8382eaf0fecf226230521550e9ed6fb907bf5d7d09c3ef5

Download Submit
C:\Windows\SysWOW64\Bchfhfeh.exe

Filesize
92KB

MD5
c0655336009d053d447dbc9586b7d75e

SHA1
79369534c16f78a3ccce2365ebe9ada9727eb59b

SHA256
e27fd806369f39e1581db33de19274b5f2311d0cb7ef2a383a4d7e924a85c6e8

SHA512
58d7191d91df7744df8e477b951ee4ea51e5b08cec3e80ceedcd47f33b578a0d0760799a6e1a49c2e0e6c902b5e4f16df9c3b5372a70a4941d2042d0d46fb3b3

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
92KB

MD5
d05ad98236f43f22acf4839128cfe2d0

SHA1
9c6d271710fd1a2283e1d5d01e35b464479f4871

SHA256
ed9ae15ce362577a688f7960080d2875e79d60ec792c2cb328f76d84f41b9144

SHA512
108dd65191b1057d47c219bfab460ba694e9df392896ce759170c3c3877ef53fbc0da23a6bfbe7f7778ac05f2792e0ac862d624ae8462aef178d301f7afdc58b

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
92KB

MD5
fc1f95fca706a49d4744c5ee1f07194f

SHA1
42aecfef3049a9094dd46982b01f785bad8b1509

SHA256
495cd3def3bef84a99a28eee316562b54ab278711e23f74acc98ad4df8b5a1b3

SHA512
8d358652dd4a37042f7b86906084522e79735668e577829f9e9fe69de33fb5974a2dc1442d6b3be87d20e718c09f8296b917366070f6bf96e45201d60bb3e4c0

Download Submit
C:\Windows\SysWOW64\Bfdenafn.exe

Filesize
92KB

MD5
9067fe5714cd8856fcdbaf09c01185b9

SHA1
04970758a936959849505fb25756eca56447afbc

SHA256
bf6a983cbf4120b903d38aba0584143fc3ad7e4fdfcbd2f96d5159d3193012d6

SHA512
f7b60074ff8dae5b7f076d5400b2cf7a1581cc8f2905031c4054206251d26eb0326038aee95682777a324bcc5316ee18fa21ed2a390540baf4466e05aa7ff005

Download Submit
C:\Windows\SysWOW64\Bieopm32.exe

Filesize
92KB

MD5
7f024b97de001256110410d8f36a7528

SHA1
b43522fb903339a906f02675eacf1f070e3525d8

SHA256
52f7fb22862106641eec27cf99451b622d345cfbd4bbd87845c49b63c0739e4b

SHA512
e7c55ff5575bd838e12dd754fd581b4062339ce6b0cb5a8ebe12f38e1077c9d04f806e969c43528dfea8ced8a87855b1da2d3e464e17b746f2b5671c21ea8caf

Download Submit
C:\Windows\SysWOW64\Bigkel32.exe

Filesize
92KB

MD5
31cd237dcf627265ef88e41f1aab25e9

SHA1
bbaaa2776af9f673f87ac64941ff58d9bd62a1c8

SHA256
5df372e3b4095699ca3ff5e131aa209404c173416b9e6b41c574fac8f708bd5e

SHA512
af63a48bb7d39dc8c08ceb643e8762d24088aaffed78ab5dd85eadd56a1aa8ab01797efab40a31939d1f8e354f62df32777d6eb539058ac7a3a0601813d92d44

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
92KB

MD5
cc62355282083a81441aa84796e96794

SHA1
21674f7ec105a7d80bea6c4beeb6432b4ea8decb

SHA256
53e1935c107322c7d0a8378a51350a65860dfa986335137c109ceda1ef9354ff

SHA512
efe8fa024c7b368e8dbc16d11a99dca38a890b91e0d0b593478a9ef4a076fce8a5e2d45a02cdf6564c2515af3a91d019b35a153b4fe38b2d697436e413a0234c

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
92KB

MD5
3120436c375aca2a9c6572d73f40afb6

SHA1
8f68e89662fac0c7b7e91f5e4e6766100dd9a908

SHA256
cd0644a2c99efea940c74cd6d69070fd36861383a760fbedd0117eaa696d4e9b

SHA512
68b972b8585d63ed5ddaec85b62c0e818d44d6011df8b549570d09f1d7d95bca07d38af1a6e0b1f61adc6abc565a46ac262a5f4840c3bde6968c1e15f58178bb

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
92KB

MD5
d4ed19b60d31ffe7e5f603afa71571f0

SHA1
fd2f6f726c2c8a9b9fdcb4bb2db8d63e0c50602d

SHA256
b57e859aaa12f2dfbc4ff84d0cd161d8c54b5bfa1d3b5551cbbf5863325e312c

SHA512
267f66ed0c7846d92b58740e1e418870578e98a03ee41949505e9a5108a51a92f847c492a4da7f7a7585a688d9bd2ba252dd42a61d1e2ab132a33fd7e5fd9bc1

Download Submit
C:\Windows\SysWOW64\Bmpkqklh.exe

Filesize
92KB

MD5
d4038695593ea784a2e6323078eb73b0

SHA1
da2c40719f400198fced6857387027d9c380292f

SHA256
baa2df824a33f3fb238636a4a09debc03667ff54c6dbd7e35f9998a5ede681ee

SHA512
8d4b3b621ff83b24fea31bd29a3dbf47709720795d94f121b2b54b5d2db888ba43010e5582d0f1000c6f87a57c30bf86e7e8b45425bd448ad3ff108666976ec8

Download Submit
C:\Windows\SysWOW64\Bnfddp32.exe

Filesize
92KB

MD5
4f102a5565f89fd964a2ab6aec2b20d0

SHA1
e11114e78710b5eed617343ff1e44f1bb89f5b54

SHA256
4ed9babbdef758a5c487fbebb5a12a76b5ff835d44352be19233421faff4a47b

SHA512
bf946765a6e5b602405a125f10e47534ae3ef7c46add7e5059e4e0f5736396d8af168c457984b39e97762c6f545499670282e7658ac51aa4debf1150d5cf97a1

Download Submit
C:\Windows\SysWOW64\Bnknoogp.exe

Filesize
92KB

MD5
5b6dc1dcd6f40879c90681ec55eafb9e

SHA1
d1329376ebdb0deaf257b05e2f8bd9e5ea150af7

SHA256
6a430ad84a452aafe174baade52324131ded81d938996702f6d6f71e11317f26

SHA512
62e83e7e7778eae75cdf8cc7a608c1660e1259ab77d25637bc3d9ac172f022eaafa7f1328d8a5873cacbdef7c94b95589fef233b25b4328605375b50a1e0a988

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
92KB

MD5
05f162e21a69bd384e257d7a62f53403

SHA1
88e585809392e5d27072aa7068d00c0b8662a209

SHA256
cc3931bc2dc21c6d66e66ee35b48dfdab7954115887aa1046b5cec14a04d627f

SHA512
2bd82900815803ad140a4418b75190196525553f6cc9f9c86f5b5c3b9730cecec2950063dce040d8b92df48eab35a33e54f68fdc618f620b7dfd323d17d68504

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
92KB

MD5
e4e68c8c995b9f0fc1163a21fda49911

SHA1
1aca971067f9a0691755b35ddcaafa0a5646e696

SHA256
4374f83e492bc11699e33c18b6e01285615cfdceef3ae4537598712a3082bcf0

SHA512
841a5a702c43ffc81c8bdc4cd9f0b0c46f982fa14ae5bb6eec0e601ac03ef46a548ec3df889fb5aa479b0760b5204a983fc810ae862cbdf55c7de62a9963b439

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
92KB

MD5
c6a784360aeb346b16c0479bdc6704e6

SHA1
809f9bf8d4eeec70b2236d5cfcf607073c916051

SHA256
532e3b60cdb2b421cfea632f8467a9a15ae6f0f65d91b198d2c24fe9ef4260a8

SHA512
6fa8f2a39c8f5e693fb4a9fbb466b31f91aa4e414d857e2c607954b2c22357227cbbf415f3ade73b39b20b424bae27e240c1b9f285e29a67eb177bfac8664697

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
92KB

MD5
532e9665bd2352553a1bfea99b168939

SHA1
dd2311362db4edaeabfdd6450c437414615b0a96

SHA256
eb9b22fc84451a494de688ed8beb230a24c8be7a19ccbd6b27f90172d1cfd399

SHA512
5b49499ae4a7d0cb2fe4456b64666c762e591ec41b9e7ce29083ddd35066bf3e7b4eb6550411ba472c908b1f9858243c497c5a67cc2ff07f870fd89de80d5270

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
92KB

MD5
755cde1653cff8afbcd66fba1afcfdc4

SHA1
6c590b0eacf86a02046c5fa2f8a85f15d18fa789

SHA256
4d37cd7f47d2373a905239677981443dcd9bedbcb5d63cca8a909a7f494c6859

SHA512
b7cfd637197c12095f1b4e53190104785094b3ecacba299c5850e9b1d5da7cd32828c78f476c120d3ec5010bfe2cb6002aab4172b9edafc16943c23e31982c80

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
92KB

MD5
081ba30d0fdbeb0efb8bc803df4a913c

SHA1
dc5aad6e7181641387ac3758395b2e5edbdf99e9

SHA256
80996239f042b271d38d981e56d25b25d528e7ace1eb10181e296e93087f10da

SHA512
1bf84beb4b2c0cf6226cc038d38f715ee7183beabf00477183beb55639c939e0f04a32b29dca042b6f695a155ca0701c5068b598a2a4fbf34eece8010b2f8482

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
92KB

MD5
cc4b841dfd4736bb82701dd7703fa1ef

SHA1
fcbe1c40750e8657f127ed9022947aa5ce7bac37

SHA256
532ac2772af1974255bd9dc824e7690ba61d2ffcc24199ee7e23aeea15855d49

SHA512
df9e54bfea0a16ca0ab0ff05c95946d88bf952747cfe6271ce76336304eebeec25af7e42a27fd7613932dc7055cbbeeaf2ab5e84729bdf387a4a224e5a380bef

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
92KB

MD5
d794c61585dbb5239dcec6889e0117ce

SHA1
730c7bbb769c32e97d3a1352d73e50557c6c1142

SHA256
690bd4bf347b5dbd90be02423524dad2b3163d3cd778bd9db09f9606456ebca1

SHA512
891b78bb55a47f917a684a7f8e01f5dd93ab438ebc5b1dd05ca16c65b2a4f2aeed79d165a9ee553933001e78ba7a235e114236762e58cdf881d4dd7c05646bbc

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
92KB

MD5
402b18553ce742068b9ff9af1f4d595d

SHA1
635031396557e661ac3a13592ef776365f9f75cd

SHA256
10882b57ae2653a6457630532151c7715f86e1b8f8fe77e4f523f0c0a548d0ee

SHA512
53adb79c7b01bbfcb2a83568d61303a1066af8b013b0938a0863d42dda788c406bc5cb6a1aa013b14002baf8f11a14d3c69e6580f484258eae425bb6025064c4

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
92KB

MD5
d377a36222ae86df28c7c4924a6a03b1

SHA1
219fd3683bd5e32919c8efee5219f508b55a538f

SHA256
0d3fa7b8a05101f8180aa124efcede38ff72e8760f5c82ed15daadcf6ad75783

SHA512
96dba6d6aec7e03b8a02b5d2a21a8c4ce91d4f991ac7b0142a3e0b509db07246e9d335295f51e013bb22d8d1b5ba9033757a04bca0d43effc7bcd8fbdf334365

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
92KB

MD5
5020da0470bf3830417ad2d4b7167d89

SHA1
abcb4d6f2cdb37a230dc6f182bd78a1c4f954d09

SHA256
fe4a8a7c06042a24ffd2904f1d78415495be3b60ee0e266cf9b300b8fbeda91d

SHA512
9291b639452dace36ceffe65966b50ff44e87f6a968dce6cc27f3c4295a1892509393c3d758080372794c2b91646f4bbc160d4db0926769fd1d38b11659f5c9e

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
92KB

MD5
0a373bbcb05fdb69034aa9c8283b98a8

SHA1
cb500cd20cbd3d11bda20444e60b7299efe30747

SHA256
06c2e0e242eadfbdebe0be4c03df85f17f31fc38d2dd88264359e309a96e6236

SHA512
af3dc3633f2b41d29cc4960379a5a5f0bace889749b64aab65e750bedf372b40a99d23c9ba3719377b825f1e0d9e480d437bd739d9aa3aab040f83df14cb77bf

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
92KB

MD5
def5024f5f29f74a3842c929c9326751

SHA1
953be6ca206a4fbdcaad6bdc071b592620485abc

SHA256
f5fb051e1d2a476b484ee8b56bb1d04fd7879ede4c2037ac0cbe765553dfa6f7

SHA512
a35b98d44b2b2fb99d889dc444f6f2de4439cdd5f10f3eadf6f510108313a3dcb7958151fc90aa5caff54416342050c57a0fe39c5f6cdb8428fa282a6624d471

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
92KB

MD5
553d5b13fe21cc58f7b6acb0f9587848

SHA1
6d00e28fa84d3d3bfc925f5f7b3b6c39758cd020

SHA256
2076ec979df8fff2503bf22ce17ec90a90a4985a9590f5181f5b4bc8494b7f85

SHA512
da7f350d69a3d15b38d94a4d9c4a69608cd8a8d244dd9997972a45a62ade37a53a926d4142e5042ad427fa24c76b16dea4b75ed2c5047fcad8dfdcbed3c6a816

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
92KB

MD5
bd98e84f57e3a0bb60e743748a1fb73c

SHA1
a0744b57aacc60bbdaca09828bd4e2d2325f9f60

SHA256
362b342538ed3158704d3088d79c98e2d2450e2c8b6af546234daafed084484b

SHA512
80db60100c9bf9c4829b1934b17fa5fecbbc83745371e3537b3f32512f0be55a42e16481e915a07af47dddb187d3c58af9ee70c5474444f34f5a9db65f7ea8a4

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
92KB

MD5
9179ec349d7473141e855c0994eaee72

SHA1
2b39f980428f8be414c8673cb89d8385018e8667

SHA256
30ab9113bf3e160b83f8cb0c77ec5cc992450825c327d3522519617636250059

SHA512
70d4d6efd13f4ff8bbe56c4869d4ff6cac8dcdcc743351cac5dec2e92f5d6393c50b588ca13dd47ee0bc44d41e7ed59f1428c332d484365be5fc867ad90b52f2

Download Submit
C:\Windows\SysWOW64\Mfmndn32.exe

Filesize
92KB

MD5
be0ec457d9432538bb5567e575c1bf49

SHA1
46a280ab6b604f4a9f92440b57562f472862214c

SHA256
ac5fd4c858721f3161cd9d5bfb8bf06326284db5eeaee4321d4dfc7d2a881a22

SHA512
3e1cbff53fe56439b1f8790dc4b59e2dc4d99a95a7a51d304204b36014eed6fcf4b2df0163b12611eea09c797660747c7377b6906478e99809dc881bba001d91

Download Submit
C:\Windows\SysWOW64\Mikjpiim.exe

Filesize
92KB

MD5
496320246a5170b7c325db496282fe7a

SHA1
2f1db84d31fd8d9c9d65a94f3021a36b7f1ac283

SHA256
ea3c4f9974aa0978e6425b3b1e7edc434c819f1d8958ede367ecfcf7176819ac

SHA512
dc44c1a5f9267fd700b35665fb588ddaea4645995e680c592b599235082545a521b1e3eb10083c3d49b1c23c3ebff314cf625d1da5d7e02d80ae425eb876e852

Download Submit
C:\Windows\SysWOW64\Napbjjom.exe

Filesize
92KB

MD5
d64c154947755eed3dcbfb8045db96e5

SHA1
187d6ff7095eceb042d4a0ecfab8fd6cffda8343

SHA256
5504b9e2b29a42d1ef689469e28491836a558c00aeecad22c8d27059359b54a9

SHA512
4c61db0822fe314d5637e9068d4be8999dcf39dc7af111b6b7bf6bcf39cd033430b686bc340298da824a07c6ef9d7d763e490ae51d2ff14fd27db99bf0ab5074

Download Submit
C:\Windows\SysWOW64\Obokcqhk.exe

Filesize
92KB

MD5
55f85551493f13b17a8717c11abb1487

SHA1
7464c012f955984bdae28f4afb015cfda4b4ac17

SHA256
3b32ee31c1947a320fe7c5169d13e9be622cea852e163f6f48fde26baa7ffb04

SHA512
c7a2b473fea6014284c298b5ecda6bb7bad2efd364b8b1c97068dd5e961758e4858f9ab7a14c4ff2f9d5f0178ce1b781ab24d8519cea974b6f26c04101e076c7

Download Submit
C:\Windows\SysWOW64\Oekjjl32.exe

Filesize
92KB

MD5
4a1616eb2ebfad846aa6eb6c44354c47

SHA1
28b1b2fb300ecfb6721e68c96bbc39ffb002dbf0

SHA256
515b63617931031aaab96e4793006de59428af46bfbdb26ac0f6aad3688fe661

SHA512
ea17dbd1805656872c3083d690e10744566702ee8f21f12bdaa8af1ef1a179b465d3dd7a7e8f2620a4087b0d3357351d56e001d25f0012b90f3505bfa1933723

Download Submit
C:\Windows\SysWOW64\Offmipej.exe

Filesize
92KB

MD5
def3b69da5464c424cd93679a2d41bf1

SHA1
8366986acb5578dc1b64732cef1a02ac46f90466

SHA256
fe5f4ba9923806266d6c64f0e932904ec44ec5f4bea0df5dbf4da10cb09c80f6

SHA512
b8a014ab441a01259cf2883ba68a9d56396e100911cddf9e2a3cd82e9e42f85c1db8925668d44ebfa9f5d9e9b090a9c7642d1e041f2f3500c8554f5891c357b7

Download Submit
C:\Windows\SysWOW64\Oidiekdn.exe

Filesize
92KB

MD5
799fa18b76b044e7fc469a473dbab0c5

SHA1
80b975e2f3f28133a33a00abd4686b0691f7a79f

SHA256
84ea644e864b4e8176e6d0577cf51484118991d04847dfe55e762a6f9452952c

SHA512
fcf8f86733dfe2d9799038694e53c0b38418abffb385dfb2c9e9b4de8ed27c011615647046bcd6f0104b83b1045c9ad19a47e3f67d3f35c55c86fa6485fe857a

Download Submit
C:\Windows\SysWOW64\Olebgfao.exe

Filesize
92KB

MD5
94124ece9c2859838fa37e407370c16d

SHA1
4416fa965709556005b4c6d7af45d26a2a5d679a

SHA256
86de409fe18a296f43a5acc2a755acff8a93e63403009da5f82d5d9c3d829320

SHA512
22f37cf18b7f4bd9aab92595a52485125f0b1c8aceeb3b207afc14b89e35af87181438dcf7d5ccfa13a7d33e809f9a2174dace6cb8882b04e703dfa1687a25e2

Download Submit
C:\Windows\SysWOW64\Ooabmbbe.exe

Filesize
92KB

MD5
2cebd657aea9d047eb64e1b74f00d50c

SHA1
b6967a144f6db8a4e9dccd3495f965037e4bf527

SHA256
0c754d368fe8610db8be06b52a57b09e1ef7140a02646cfd5c16fcc85e74ac8c

SHA512
cd28995b38b9ba2f7376ebd6f734366f3476aeb220ac2097c81b0104c92b00b58abd8ae10b914f937cb8ac884618d1d5a037e146c3c48e23efe9d7f0dd75813f

Download Submit
C:\Windows\SysWOW64\Paknelgk.exe

Filesize
92KB

MD5
016d7cc67a9b7e3c5233e7d8a2a4708b

SHA1
eb40541cbc524354a5efb380166c9f259cccf852

SHA256
5d6b3f3365b3f5234551914a806cc6ed8e87ceea5a424ffe2bec30922b2865c1

SHA512
4b82d1f20c777420f43e78789d2cf7192eb9dae9a083e75508ed60873cb4f55b5bfe4efcbd04bbc38236761d2f308dd77139ee5caf4a38328f036f22cc16ee1d

Download Submit
C:\Windows\SysWOW64\Pbagipfi.exe

Filesize
92KB

MD5
07a44b9dd8444a597e357ac369a05235

SHA1
66f8d5498610d8b2c1546f5f1747d3b59c0ea6b7

SHA256
5853fb5d80059345ea60722a208582b27b2652b7fa582acba87c6a3f776d0afe

SHA512
ed6cc02f8757ed59633ca1008503a477a318c34857b4942e3bf3cb4f14a66f472a36d8b0cd4f824524edf52dc3136d13c99d408dde64b86519be9fd528cd4d83

Download Submit
C:\Windows\SysWOW64\Phcilf32.exe

Filesize
92KB

MD5
61fed5db8525a7cdcdf5dc2fbdb9a75e

SHA1
5268013accffbc785646bf6fa460e3ed4fa8f8ee

SHA256
08a993ae5bbb7c84c0ccf2cb698d94d61576f2f57181f666e9e1f31b0db97b88

SHA512
633aa5edd08d31b4b5e8f3903c7bbd01f154d22f87fb2b729138ea469e13c88ea58222f5cc9a92317e52ac87201231b54707eecc0f5a8882c5f2ffaec4846957

Download Submit
C:\Windows\SysWOW64\Phlclgfc.exe

Filesize
92KB

MD5
42669c7524eed8292b762edd9c52a9d6

SHA1
69d130d2912c94a7c76d26f2aead67c960f89fb3

SHA256
b7e678e6fd6548646e0cc9458a4b4e60db72e80f235c7f8082bd77b5e2989695

SHA512
39580ec84ecc0102475ccc1580fa94c850bc567da834208ce6d7000cae67c8e5954408c78b8f5ece0693600eed15649d8d017f4328856ce6764734fdd3aec33c

Download Submit
C:\Windows\SysWOW64\Phqmgg32.exe

Filesize
92KB

MD5
dcab0f00ffd82be5865b19c48fe07bdd

SHA1
ab5143b63f044e15275ca80261dc0f897874ff0f

SHA256
018f67cb227f6d3c376e379f63a2580df24804246d2a74af394ed7934b4c3467

SHA512
9c102879ddfd5427c23c0895a449e7e9245521251977a489ae04d93afbd50b8478673e6f89944b8c563f6fb7fbca2172f2c28c3e4403ceaf3b9d1301a8d4ba50

Download Submit
C:\Windows\SysWOW64\Piicpk32.exe

Filesize
92KB

MD5
2a7f44c78304e1536c0433bee0e28737

SHA1
e69d309863184ad4417a71997bc5fa62130e5335

SHA256
042351647dbe851f8c60f325f11169467efa0213656b8a40d2af1e3004f6235c

SHA512
474f66dada3c096a9d864f3ba227c6960e38176a1e0f10d94e448b6bc3f7d45f23d4dd7fa574a703896f99ac03d883ec25877e214956f3bef29093a2fe554c95

Download Submit
C:\Windows\SysWOW64\Pkmlmbcd.exe

Filesize
92KB

MD5
cac98338785784fd644fced4a8f1ecd4

SHA1
2398ea6359432fc60acebab52bc60da8e7673e1e

SHA256
c4ae60623d906a90156424da474386dbca0644027f77a963de3edb90a8090c64

SHA512
781a3cc39230921f41dd882e3cd2fe6f2329f21e2aa67c014f9851ad120ff7a210d96ac640ce21b392d5ba3554568c56f004ad01dcff59239bb310c68b567fb9

Download Submit
C:\Windows\SysWOW64\Pleofj32.exe

Filesize
92KB

MD5
d7a228c602640bebf73e1975adada9d0

SHA1
21986b70b91cb127fb788abfdd3b26e7484a7655

SHA256
df2f1fbf364065ba3b0defc1e05ecdc058612a472e128f3ebe66008bd399bf04

SHA512
e4fb01a6414be7fe3af34376de0178d9455b8ced7121420d60c98d9bc949eb088162b1b8a257f2d3fa5137e7ecd3631342bf4020aa759fbb96f8c6ac19e3a5cb

Download Submit
C:\Windows\SysWOW64\Pmpbdm32.exe

Filesize
92KB

MD5
1598ef2e6e6d449905953a7f0416ffb2

SHA1
a5d2a2ac6acf978ffd8248f85c3d19d130099eb0

SHA256
f3a5045edf7eacca4d05b7ba38439a2fd351dd8c11a52cae0749696ad9452214

SHA512
d75d5d664444e1ef2a2fdc8fd0b790b28f8636b5ab5026b851404bbb3d9b14f14528858c5b0278888b0c1f4c957695ebe07f84a12063e14aa4b20ef5f1efcd1d

Download Submit
C:\Windows\SysWOW64\Pojecajj.exe

Filesize
92KB

MD5
b979c5b366112cc28a54dafda9c6272a

SHA1
2d38efb9365440654556bbb41d62fdb05080a7a7

SHA256
2b4161c72f5474aff80756186ebe79cb076e2097de96e2edbc088cd9352da0b3

SHA512
0b3067c6cc626f4dcf54d06e703499cef390844a85a805f53b0f0cd0e0d02fb83b076606f8293f63e5546fa1681e1dd33f14401aa8d60564aa634759e6696bdb

Download Submit
C:\Windows\SysWOW64\Qcogbdkg.exe

Filesize
92KB

MD5
5f26b53a19614d1a0e368fbb71776524

SHA1
3e67e17cd0a5044e5334ebde3d53dab902a7744c

SHA256
43483e759fa494b36f0531e5013c98c0611e7f970e14f7af2ff71cc81744fa29

SHA512
c3588783283c9443ea75b844ce283be92e59586a95ab8eaa71aea410090ae6735650f69f277703f342303ee6fb8d102b5263040bb50768801a48525deaff462f

Download Submit
C:\Windows\SysWOW64\Qdlggg32.exe

Filesize
92KB

MD5
e9bde303e70ff9a3a8b246a168af1c3c

SHA1
2dc1d8e19cf5b8f81e106514dd5ff0402dfbb52e

SHA256
86daf571e780d1879446cae20f29958729585bc30f3b0ae042cded7437c33ad8

SHA512
999a97e19491d5a4718ca8ec8df7453b7c6a270003bbc9c11d3f8f8deed1ed4b9887b2f33447ecc305f6ba98bd5ff8c8625d95919ee8e85025a550bf31b7285a

Download Submit
C:\Windows\SysWOW64\Qlgkki32.exe

Filesize
92KB

MD5
015efb123ae63b748147c17451a90f3e

SHA1
537537c5579686b01dc162f33002f42b5fb98805

SHA256
8a2de0e5bbb1667add72c8af41d634de2c1f87d4265a25c85918e4d7e4e3850c

SHA512
0ab2ce8159e9098af07861c641066355373ee9dbe9c1398787e46868bdfb3147cd7f79f4ffc4d79ee0cae1a88033ee82cd61e6be782058ec3c6287779cae52d0

Download Submit
C:\Windows\SysWOW64\Qnghel32.exe

Filesize
92KB

MD5
afe5873f9ef09a1afe35f80504403dda

SHA1
be010ce4c758ef664df59b8e9053a644370d9dab

SHA256
9d47131e7fd63391573bb946d8d4efe8d0ad7d49407c4650158c937b59c107b5

SHA512
9722f9b057de53ae603c08cd568aa99277710006e7eb019ad13b1e1bc98a656bea7227a8508dedcf7f903e1fbab6da2975b38e3b38d00d5829b5bf42447684d2

Download Submit
\Windows\SysWOW64\Mjkgjl32.exe

Filesize
92KB

MD5
e509cb3c5c310694a85f6e4b31eed6f9

SHA1
c8c035daa2fd90a3553e0603df7411a37886f9d0

SHA256
4787049fca368659939c9017bf718a8545e63ad1202493d36921b462e46da214

SHA512
ec832ec876cc2a9a11988745b5320ab138385139cb293918a4f3b4c133183edecd2657d2f9cfc227c6db452baee34fcd9a6d3b557c90bb3370821bf2b712b9ca

Download Submit
\Windows\SysWOW64\Mpgobc32.exe

Filesize
92KB

MD5
792087f8c61a7a1653203f18d570faad

SHA1
9aac2e13b78da436625d0d72e1a624466bf7a0c8

SHA256
274536e85a114cda71006cb943b973b9d97b87e9aac5d78e19cc2c36ec5aab2d

SHA512
9822f7da9b9b8e6a1c7cd01daff95a19b5a6062e1958a38387ba2083eab1161aab2b80fcaf5032b294ce1bd593f1e56b7bce70fff2d0adb304b647240e97cbdd

Download Submit
\Windows\SysWOW64\Nabopjmj.exe

Filesize
92KB

MD5
2888019cb5263550961480530e19548f

SHA1
f53439d6d8889a09de76dbc02f01bc2ea61ebbbb

SHA256
2118992b63aa10a2465e7722ba97598a4a709bcd1faec34b5e61ff46c0cf8cdb

SHA512
d6c3f8142e82c645f1bcc73e430f5bc08a6a8078771e60a53379c62deefdb6d72e9faff4dfb1c4bc69aab5016aaad2ba38f6e18834bd4da7f92f1d4e31a3f23a

Download Submit
\Windows\SysWOW64\Nbmaon32.exe

Filesize
92KB

MD5
fb769b8a5bfec130af7d34e27b4acc74

SHA1
0aec62119b9b422a4addaa06baf55aa4eb8c3484

SHA256
f35463524056482991eb9c857554e5c936b760eb2a4d3a067c8826317dd14adb

SHA512
c7cb051ddbc396340bbd30d906611be9ad87b6a3b9ec9e398e34de1f0af276f5ce384b6895d7616e286118a38e5322d46b0c3ea3565d7d4bfcace889f1870df5

Download Submit
\Windows\SysWOW64\Neiaeiii.exe

Filesize
92KB

MD5
79faf530a686c226456d5f12914a8287

SHA1
906dad9e71665b1c94212ce97dd27581a8a32b8d

SHA256
b7badd672b9dd1b729ff12295f17d8f29bca844058c577e682b6c9a1ef37bad1

SHA512
20876787772dd2734e0697bb3d7d26b29092d0c14bf4b50534e170b52e41056bd521b1c30ee81edf0e81b0dea6e1c81647ba7d9c70cc114251a084e03b62c606

Download Submit
\Windows\SysWOW64\Nfdddm32.exe

Filesize
92KB

MD5
f70a21eefe3d10c54198e07df4cb8645

SHA1
0b23a5dcaa5e1cde07dd2ae92d7a5d580d506a9c

SHA256
6a73b9a6cff5825376de67bfc89d2925346fea9456517669e4218588b4fc5342

SHA512
25053c8ea67c0f5279f80b596c1a3d363eae48d5d865ceb7aa78b45a1de7e2744f79f2e717c78a5707fb9ef46b1c571129f5bbfe9b1df97d636627985c66f00c

Download Submit
\Windows\SysWOW64\Nfoghakb.exe

Filesize
92KB

MD5
ac1a9d2cf093afb7f403a45cba79e9c6

SHA1
927a835a53b5f5733143e2f1be62391d1a1c7e4f

SHA256
844abb13ae4be9793c4ae05fa269f10d266ce912f693b963aa842819ccab1b5e

SHA512
b77fb49d37e516f1e44e4a2795d258ccca2e06da38a0900b149a431ebd21c85b2102848b2ef63767c7241dbe0ca14282a4054ed80cba8dfc7e56c7778419d83e

Download Submit
\Windows\SysWOW64\Nmkplgnq.exe

Filesize
92KB

MD5
54d7fb9a52ff97bbc2ec0e3c8d7a1a9a

SHA1
2e404962f3ed663fef23f824678602407672a52f

SHA256
d1fd0443c9f565859f231d44341f78affc59fdc7487378acb081712a867048fe

SHA512
4d9128580f8fb002c91cec67d8c3cfa43053b72a31bfef402d8f93bb5f8b8c9d03e98d23eb02d1fe9de55a4a77a570d5fcc5fd9cbb90c2f60ae1252548728ec9

Download Submit
\Windows\SysWOW64\Nnoiio32.exe

Filesize
92KB

MD5
fb3ceff473076991a17ef94e6aa2a153

SHA1
8a8367d6210fdf4db9cd00197594585960a7a231

SHA256
69f5bd16a020d49f3566db5897620082c1eb9ef4930aa14e551407d4a88bdda6

SHA512
148dea9359917f60c12ae0b89467bb293b6851900f5387405a7d81eb2cdab39fd6f8791278a60cae7edb68f7e05d9b7290b8aa56333b89274e02e7637f7a6df6

Download Submit
\Windows\SysWOW64\Oadkej32.exe

Filesize
92KB

MD5
5ce19a86e6415679daf43f37d721bd3b

SHA1
a92c4f2c4bcd5d258d72f0744d2ddf1d72593e4e

SHA256
a9b63a7a50bd351009a4e4bf028be5b3197727388d34bb17bf84c3b8a7c9db14

SHA512
9c8753ea3833e2a7a3be9519c22aa72883e7a4b2099f43b794f31d038f6b7b40007031be58bb1e723d87c19b1352da8d9c64e02bc521f44c41cafbdce4061625

Download Submit
\Windows\SysWOW64\Odedge32.exe

Filesize
92KB

MD5
b7821eb374820257d0984c604fe39e38

SHA1
8fd71325a54e9e8f78530e6430bc9c6c49c7441d

SHA256
90c9019f09a74b5ca56dee5fb626c095522f565cc06ad0f02e16b4a18856d8b8

SHA512
344bad0f5006f9d3e80ba0f4bd18a19f7c8f3117249372abb44ff1bf7533d7dcd8f0e677b18e2368336151fc1fe46ebca72000a7445827da7e053df9ba7112e7

Download Submit
\Windows\SysWOW64\Ofadnq32.exe

Filesize
92KB

MD5
604e33804085cf89e782ca2f991e0369

SHA1
a1a0ebb2ab4f0ac0c0ba59f091167f9ba6e55d29

SHA256
3e8004f731f30d632ad35b755bd4cf603a455a7515fa40211c457b7128876b46

SHA512
a6119baaae1e5296fab0bd29a821c24d9447f089c4d418ddb36a3c8acc65371bca744e0e7521bb0deedee61fa20ae3e57cf5324a8e46d12ab2214850377a7ab3

Download Submit
\Windows\SysWOW64\Ojomdoof.exe

Filesize
92KB

MD5
09b79ac8c426ba26dff839856e9eb127

SHA1
7cada72c1db4689ce9d4802dc08faff457b8c852

SHA256
9360541b7e1a82a24577c07ad2cc029a2dd90a382b138a182af11a8bd14a4bc3

SHA512
35a803edecc744d5724c19c384e7da46349ce61d8a8c3dc32dd1b1d7a8fb485b0ad3e8efa37971496ca3b4333ffc3467e25091f86b9e7b24ae5534e3f626ea9f

Download Submit
memory/292-272-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/292-278-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/376-912-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/680-908-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/748-509-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/748-508-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/748-498-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/880-290-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/880-296-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1060-929-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1076-488-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1096-476-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1096-189-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1096-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1140-909-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1196-181-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1244-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1300-465-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/1300-456-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1304-333-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1324-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1324-222-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/1324-497-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1392-431-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1392-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1484-928-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1528-392-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1564-922-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1604-927-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1640-917-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1660-467-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1660-477-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1668-921-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-245-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1760-911-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1804-918-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1816-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1848-437-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1860-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1860-425-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1860-142-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1860-435-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1960-926-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1976-12-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/1976-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1976-6-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/1976-312-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2000-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2000-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2056-516-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2140-332-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2140-27-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2140-34-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/2152-108-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2152-120-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/2152-404-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2152-406-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/2204-367-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2204-362-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2204-359-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2220-254-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2220-260-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2272-414-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2272-123-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2276-307-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2276-311-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2320-300-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2320-301-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2348-447-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2376-235-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2376-241-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2376-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2388-920-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2480-328-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2480-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2544-390-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2544-384-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2544-389-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2548-391-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2548-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2624-318-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2640-348-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2640-339-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2640-53-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2668-378-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2668-89-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/2668-81-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2688-919-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2704-906-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-907-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2736-377-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2736-379-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2736-368-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2748-916-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2752-924-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2756-423-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2776-914-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2800-343-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2800-353-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2856-913-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2860-950-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2872-169-0x0000000001F20000-0x0000000001F4F000-memory.dmp

Filesize
188KB

Download
memory/2872-446-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2872-162-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2880-407-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2880-409-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2880-413-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2996-366-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2996-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3012-354-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3012-54-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3012-61-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/3012-361-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/3016-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3016-203-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3032-226-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3032-503-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3068-923-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads