berbew | 6386e18492d41d358219ebaa84962136e56756f97206ea3a4b799c443b1d338f

Analysis

max time kernel
82s
max time network
22s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/12/2024, 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6386e18492d41d358219ebaa84962136e56756f97206ea3a4b799c443b1d338fN.exe
Size

74KB
MD5

a8cdb06c75369503f633082878e11e00
SHA1

4c037e5c00fb7929980b5776fb863838ef76f0b7
SHA256

6386e18492d41d358219ebaa84962136e56756f97206ea3a4b799c443b1d338f
SHA512

d905df2ea846145a3439643227335bc48b719fec23264f4b7fc4dea3f04024373c8c386bb836330ea6dd90760b64e02584bc677db9302353edd82b3bbc5aeac5
SSDEEP

1536:Lajw49cyg9MagTBAgb2h4hYp3gZ+3oBPrDrs0qkezmX:LiCygZlQYtB3C3s0qbzW

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgcmbcih.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnbojmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdncmgbj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoagccfn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbagipfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pafdjmkq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olpilg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Plgolf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmfbpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmfbpk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olbfagca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncnngfna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oibmpl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bniajoic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odedge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oemgplgo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdncmgbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agolnbok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ohiffh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmkhjncg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgcmbcih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnbojmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qkfocaki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olpilg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oidiekdn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alnalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdbdqh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgmpibam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danpemej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omklkkpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofhjopbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afffenbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdbdqh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpepm32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3000	Nbmaon32.exe
2952	Ncnngfna.exe
484	Nmfbpk32.exe
2980	Nhlgmd32.exe
2788	Onfoin32.exe
2856	Odchbe32.exe
2540	Omklkkpl.exe
3056	Odedge32.exe
1988	Oibmpl32.exe
1684	Olpilg32.exe
2368	Oidiekdn.exe
1712	Olbfagca.exe
1568	Ofhjopbg.exe
1744	Ohiffh32.exe
2488	Obokcqhk.exe
960	Oemgplgo.exe
1948	Plgolf32.exe
1564	Pbagipfi.exe
1992	Pdbdqh32.exe
936	Pljlbf32.exe
784	Pmkhjncg.exe
2652	Pafdjmkq.exe
1732	Pgcmbcih.exe
600	Pojecajj.exe
316	Pplaki32.exe
2264	Pgfjhcge.exe
2804	Pghfnc32.exe
2732	Pnbojmmp.exe
2888	Qppkfhlc.exe
2664	Qkfocaki.exe
2680	Qdncmgbj.exe
592	Qgmpibam.exe
272	Apedah32.exe
1688	Agolnbok.exe
1892	Ajmijmnn.exe
1320	Aojabdlf.exe
1796	Ajpepm32.exe
2592	Alnalh32.exe
584	Afffenbp.exe
2936	Alqnah32.exe
676	Abmgjo32.exe
2104	Agjobffl.exe
1996	Aoagccfn.exe
1292	Aqbdkk32.exe
2476	Bkhhhd32.exe
2176	Bbbpenco.exe
768	Bccmmf32.exe
800	Bgoime32.exe
2140	Bniajoic.exe
2756	Bmlael32.exe
2612	Bdcifi32.exe
2416	Bceibfgj.exe
2608	Bjpaop32.exe
1448	Bmnnkl32.exe
1764	Boljgg32.exe
1708	Bffbdadk.exe
2392	Bmpkqklh.exe
2676	Boogmgkl.exe
1104	Bcjcme32.exe
2224	Bfioia32.exe
1408	Bjdkjpkb.exe
2320	Bkegah32.exe
904	Ccmpce32.exe
1672	Cfkloq32.exe

Loads dropped DLL 64 IoCs

pid	Process
2380	6386e18492d41d358219ebaa84962136e56756f97206ea3a4b799c443b1d338fN.exe
2380	6386e18492d41d358219ebaa84962136e56756f97206ea3a4b799c443b1d338fN.exe
3000	Nbmaon32.exe
3000	Nbmaon32.exe
2952	Ncnngfna.exe
2952	Ncnngfna.exe
484	Nmfbpk32.exe
484	Nmfbpk32.exe
2980	Nhlgmd32.exe
2980	Nhlgmd32.exe
2788	Onfoin32.exe
2788	Onfoin32.exe
2856	Odchbe32.exe
2856	Odchbe32.exe
2540	Omklkkpl.exe
2540	Omklkkpl.exe
3056	Odedge32.exe
3056	Odedge32.exe
1988	Oibmpl32.exe
1988	Oibmpl32.exe
1684	Olpilg32.exe
1684	Olpilg32.exe
2368	Oidiekdn.exe
2368	Oidiekdn.exe
1712	Olbfagca.exe
1712	Olbfagca.exe
1568	Ofhjopbg.exe
1568	Ofhjopbg.exe
1744	Ohiffh32.exe
1744	Ohiffh32.exe
2488	Obokcqhk.exe
2488	Obokcqhk.exe
960	Oemgplgo.exe
960	Oemgplgo.exe
1948	Plgolf32.exe
1948	Plgolf32.exe
1564	Pbagipfi.exe
1564	Pbagipfi.exe
1992	Pdbdqh32.exe
1992	Pdbdqh32.exe
936	Pljlbf32.exe
936	Pljlbf32.exe
784	Pmkhjncg.exe
784	Pmkhjncg.exe
2652	Pafdjmkq.exe
2652	Pafdjmkq.exe
1732	Pgcmbcih.exe
1732	Pgcmbcih.exe
600	Pojecajj.exe
600	Pojecajj.exe
316	Pplaki32.exe
316	Pplaki32.exe
2264	Pgfjhcge.exe
2264	Pgfjhcge.exe
2804	Pghfnc32.exe
2804	Pghfnc32.exe
2732	Pnbojmmp.exe
2732	Pnbojmmp.exe
2888	Qppkfhlc.exe
2888	Qppkfhlc.exe
2664	Qkfocaki.exe
2664	Qkfocaki.exe
2680	Qdncmgbj.exe
2680	Qdncmgbj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pkdhln32.dll	Alnalh32.exe
File created	C:\Windows\SysWOW64\Pbagipfi.exe	Plgolf32.exe
File created	C:\Windows\SysWOW64\Afffenbp.exe	Alnalh32.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Calcpm32.exe
File created	C:\Windows\SysWOW64\Nhlgmd32.exe	Nmfbpk32.exe
File created	C:\Windows\SysWOW64\Ddaafojo.dll	Oidiekdn.exe
File opened for modification	C:\Windows\SysWOW64\Ajpepm32.exe	Aojabdlf.exe
File created	C:\Windows\SysWOW64\Abmgjo32.exe	Alqnah32.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cepipm32.exe
File created	C:\Windows\SysWOW64\Odchbe32.exe	Onfoin32.exe
File opened for modification	C:\Windows\SysWOW64\Oibmpl32.exe	Odedge32.exe
File created	C:\Windows\SysWOW64\Danpemej.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\Giddhc32.dll	Odchbe32.exe
File opened for modification	C:\Windows\SysWOW64\Pmkhjncg.exe	Pljlbf32.exe
File created	C:\Windows\SysWOW64\Qkfocaki.exe	Qppkfhlc.exe
File created	C:\Windows\SysWOW64\Bfioia32.exe	Bcjcme32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Ieocod32.dll	Ncnngfna.exe
File opened for modification	C:\Windows\SysWOW64\Alnalh32.exe	Ajpepm32.exe
File opened for modification	C:\Windows\SysWOW64\Agjobffl.exe	Abmgjo32.exe
File created	C:\Windows\SysWOW64\Eamjfeja.dll	Nbmaon32.exe
File opened for modification	C:\Windows\SysWOW64\Nhlgmd32.exe	Nmfbpk32.exe
File created	C:\Windows\SysWOW64\Ojefmknj.dll	Pbagipfi.exe
File created	C:\Windows\SysWOW64\Pnbojmmp.exe	Pghfnc32.exe
File opened for modification	C:\Windows\SysWOW64\Bmlael32.exe	Bniajoic.exe
File opened for modification	C:\Windows\SysWOW64\Cenljmgq.exe	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Pghfnc32.exe	Pgfjhcge.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Akafaiao.dll	Nmfbpk32.exe
File created	C:\Windows\SysWOW64\Pljlbf32.exe	Pdbdqh32.exe
File opened for modification	C:\Windows\SysWOW64\Qkfocaki.exe	Qppkfhlc.exe
File created	C:\Windows\SysWOW64\Obahbj32.dll	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Lbmnig32.dll	Bfioia32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Akkggpci.dll	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Bjpaop32.exe	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Godonkii.dll	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Oemgplgo.exe	Obokcqhk.exe
File opened for modification	C:\Windows\SysWOW64\Oemgplgo.exe	Obokcqhk.exe
File created	C:\Windows\SysWOW64\Bcjcme32.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Cenljmgq.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Nmfbpk32.exe	Ncnngfna.exe
File created	C:\Windows\SysWOW64\Odedge32.exe	Omklkkpl.exe
File created	C:\Windows\SysWOW64\Fkdhkd32.dll	Pojecajj.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Ohiffh32.exe	Ofhjopbg.exe
File created	C:\Windows\SysWOW64\Kbdjfk32.dll	Pnbojmmp.exe
File opened for modification	C:\Windows\SysWOW64\Ajmijmnn.exe	Agolnbok.exe
File opened for modification	C:\Windows\SysWOW64\Bmnnkl32.exe	Bjpaop32.exe
File opened for modification	C:\Windows\SysWOW64\Bkegah32.exe	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Cmedlk32.exe	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Mqdkghnj.dll	Qppkfhlc.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Dqaegjop.dll	Agjobffl.exe
File created	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bfioia32.exe
File created	C:\Windows\SysWOW64\Oghnkh32.dll	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Liempneg.dll	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Cbehjc32.dll	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Odedge32.exe	Omklkkpl.exe
File opened for modification	C:\Windows\SysWOW64\Qppkfhlc.exe	Pnbojmmp.exe
File opened for modification	C:\Windows\SysWOW64\Afffenbp.exe	Alnalh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2004	1648	WerFault.exe	117

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceibfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odchbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olpilg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obokcqhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pafdjmkq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgmpibam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afffenbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjobffl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olbfagca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onfoin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omklkkpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohiffh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqbdkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbbpenco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bniajoic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odedge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aojabdlf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofhjopbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plgolf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgoime32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oidiekdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pljlbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alqnah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbmaon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhlgmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmkhjncg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgcmbcih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplaki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfocaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoagccfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oemgplgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnbojmmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloeec32.dll"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdhkd32.dll"	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqdkghnj.dll"	Qppkfhlc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apedah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Alnalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkegah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbmaon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldhcb32.dll"	Qkfocaki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Decfggnn.dll"	Ohiffh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnbojmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdaehcom.dll"	Aojabdlf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqbdkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olpilg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpgbj32.dll"	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apqcdckf.dll"	Pmkhjncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjfkcopd.dll"	Plgolf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pljlbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qppkfhlc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdpkmjnb.dll"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomgdcce.dll"	Onfoin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dombicdm.dll"	Olbfagca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpefpo32.dll"	Qdncmgbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aebfidim.dll"	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfcobil.dll"	Ofhjopbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oibmpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmgbdm32.dll"	Pgcmbcih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgmpibam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eamjfeja.dll"	Nbmaon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgfjhcge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaoplfhc.dll"	Bmlael32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	6386e18492d41d358219ebaa84962136e56756f97206ea3a4b799c443b1d338fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oibmpl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 3000	2380	6386e18492d41d358219ebaa84962136e56756f97206ea3a4b799c443b1d338fN.exe	31
PID 2380 wrote to memory of 3000	2380	6386e18492d41d358219ebaa84962136e56756f97206ea3a4b799c443b1d338fN.exe	31
PID 2380 wrote to memory of 3000	2380	6386e18492d41d358219ebaa84962136e56756f97206ea3a4b799c443b1d338fN.exe	31
PID 2380 wrote to memory of 3000	2380	6386e18492d41d358219ebaa84962136e56756f97206ea3a4b799c443b1d338fN.exe	31
PID 3000 wrote to memory of 2952	3000	Nbmaon32.exe	32
PID 3000 wrote to memory of 2952	3000	Nbmaon32.exe	32
PID 3000 wrote to memory of 2952	3000	Nbmaon32.exe	32
PID 3000 wrote to memory of 2952	3000	Nbmaon32.exe	32
PID 2952 wrote to memory of 484	2952	Ncnngfna.exe	33
PID 2952 wrote to memory of 484	2952	Ncnngfna.exe	33
PID 2952 wrote to memory of 484	2952	Ncnngfna.exe	33
PID 2952 wrote to memory of 484	2952	Ncnngfna.exe	33
PID 484 wrote to memory of 2980	484	Nmfbpk32.exe	34
PID 484 wrote to memory of 2980	484	Nmfbpk32.exe	34
PID 484 wrote to memory of 2980	484	Nmfbpk32.exe	34
PID 484 wrote to memory of 2980	484	Nmfbpk32.exe	34
PID 2980 wrote to memory of 2788	2980	Nhlgmd32.exe	35
PID 2980 wrote to memory of 2788	2980	Nhlgmd32.exe	35
PID 2980 wrote to memory of 2788	2980	Nhlgmd32.exe	35
PID 2980 wrote to memory of 2788	2980	Nhlgmd32.exe	35
PID 2788 wrote to memory of 2856	2788	Onfoin32.exe	36
PID 2788 wrote to memory of 2856	2788	Onfoin32.exe	36
PID 2788 wrote to memory of 2856	2788	Onfoin32.exe	36
PID 2788 wrote to memory of 2856	2788	Onfoin32.exe	36
PID 2856 wrote to memory of 2540	2856	Odchbe32.exe	37
PID 2856 wrote to memory of 2540	2856	Odchbe32.exe	37
PID 2856 wrote to memory of 2540	2856	Odchbe32.exe	37
PID 2856 wrote to memory of 2540	2856	Odchbe32.exe	37
PID 2540 wrote to memory of 3056	2540	Omklkkpl.exe	38
PID 2540 wrote to memory of 3056	2540	Omklkkpl.exe	38
PID 2540 wrote to memory of 3056	2540	Omklkkpl.exe	38
PID 2540 wrote to memory of 3056	2540	Omklkkpl.exe	38
PID 3056 wrote to memory of 1988	3056	Odedge32.exe	39
PID 3056 wrote to memory of 1988	3056	Odedge32.exe	39
PID 3056 wrote to memory of 1988	3056	Odedge32.exe	39
PID 3056 wrote to memory of 1988	3056	Odedge32.exe	39
PID 1988 wrote to memory of 1684	1988	Oibmpl32.exe	40
PID 1988 wrote to memory of 1684	1988	Oibmpl32.exe	40
PID 1988 wrote to memory of 1684	1988	Oibmpl32.exe	40
PID 1988 wrote to memory of 1684	1988	Oibmpl32.exe	40
PID 1684 wrote to memory of 2368	1684	Olpilg32.exe	41
PID 1684 wrote to memory of 2368	1684	Olpilg32.exe	41
PID 1684 wrote to memory of 2368	1684	Olpilg32.exe	41
PID 1684 wrote to memory of 2368	1684	Olpilg32.exe	41
PID 2368 wrote to memory of 1712	2368	Oidiekdn.exe	42
PID 2368 wrote to memory of 1712	2368	Oidiekdn.exe	42
PID 2368 wrote to memory of 1712	2368	Oidiekdn.exe	42
PID 2368 wrote to memory of 1712	2368	Oidiekdn.exe	42
PID 1712 wrote to memory of 1568	1712	Olbfagca.exe	43
PID 1712 wrote to memory of 1568	1712	Olbfagca.exe	43
PID 1712 wrote to memory of 1568	1712	Olbfagca.exe	43
PID 1712 wrote to memory of 1568	1712	Olbfagca.exe	43
PID 1568 wrote to memory of 1744	1568	Ofhjopbg.exe	44
PID 1568 wrote to memory of 1744	1568	Ofhjopbg.exe	44
PID 1568 wrote to memory of 1744	1568	Ofhjopbg.exe	44
PID 1568 wrote to memory of 1744	1568	Ofhjopbg.exe	44
PID 1744 wrote to memory of 2488	1744	Ohiffh32.exe	45
PID 1744 wrote to memory of 2488	1744	Ohiffh32.exe	45
PID 1744 wrote to memory of 2488	1744	Ohiffh32.exe	45
PID 1744 wrote to memory of 2488	1744	Ohiffh32.exe	45
PID 2488 wrote to memory of 960	2488	Obokcqhk.exe	46
PID 2488 wrote to memory of 960	2488	Obokcqhk.exe	46
PID 2488 wrote to memory of 960	2488	Obokcqhk.exe	46
PID 2488 wrote to memory of 960	2488	Obokcqhk.exe	46

C:\Users\Admin\AppData\Local\Temp\6386e18492d41d358219ebaa84962136e56756f97206ea3a4b799c443b1d338fN.exe
"C:\Users\Admin\AppData\Local\Temp\6386e18492d41d358219ebaa84962136e56756f97206ea3a4b799c443b1d338fN.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\Nbmaon32.exe
  C:\Windows\system32\Nbmaon32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\SysWOW64\Ncnngfna.exe
    C:\Windows\system32\Ncnngfna.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\SysWOW64\Nmfbpk32.exe
      C:\Windows\system32\Nmfbpk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:484
    - - C:\Windows\SysWOW64\Nhlgmd32.exe
        
        C:\Windows\system32\Nhlgmd32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2980
      - C:\Windows\SysWOW64\Onfoin32.exe
        
        C:\Windows\system32\Onfoin32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Odchbe32.exe
        
        C:\Windows\system32\Odchbe32.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Omklkkpl.exe
        
        C:\Windows\system32\Omklkkpl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Odedge32.exe
        
        C:\Windows\system32\Odedge32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Oibmpl32.exe
        
        C:\Windows\system32\Oibmpl32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Olpilg32.exe
        
        C:\Windows\system32\Olpilg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Oidiekdn.exe
        
        C:\Windows\system32\Oidiekdn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Olbfagca.exe
        
        C:\Windows\system32\Olbfagca.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Ofhjopbg.exe
        
        C:\Windows\system32\Ofhjopbg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Ohiffh32.exe
        
        C:\Windows\system32\Ohiffh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Obokcqhk.exe
        
        C:\Windows\system32\Obokcqhk.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Oemgplgo.exe
        
        C:\Windows\system32\Oemgplgo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Windows\SysWOW64\Plgolf32.exe
        
        C:\Windows\system32\Plgolf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Pbagipfi.exe
        
        C:\Windows\system32\Pbagipfi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1564
        
        C:\Windows\SysWOW64\Pdbdqh32.exe
        
        C:\Windows\system32\Pdbdqh32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1992
        
        C:\Windows\SysWOW64\Pljlbf32.exe
        
        C:\Windows\system32\Pljlbf32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Pmkhjncg.exe
        
        C:\Windows\system32\Pmkhjncg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Pafdjmkq.exe
        
        C:\Windows\system32\Pafdjmkq.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\Pgcmbcih.exe
        
        C:\Windows\system32\Pgcmbcih.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Pojecajj.exe
        
        C:\Windows\system32\Pojecajj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:600
        
        C:\Windows\SysWOW64\Pplaki32.exe
        
        C:\Windows\system32\Pplaki32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\Pgfjhcge.exe
        
        C:\Windows\system32\Pgfjhcge.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Pghfnc32.exe
        
        C:\Windows\system32\Pghfnc32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2804
        
        C:\Windows\SysWOW64\Pnbojmmp.exe
        
        C:\Windows\system32\Pnbojmmp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Qppkfhlc.exe
        
        C:\Windows\system32\Qppkfhlc.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Qkfocaki.exe
        
        C:\Windows\system32\Qkfocaki.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Qdncmgbj.exe
        
        C:\Windows\system32\Qdncmgbj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Qgmpibam.exe
        
        C:\Windows\system32\Qgmpibam.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:592
        
        C:\Windows\SysWOW64\Apedah32.exe
        
        C:\Windows\system32\Apedah32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:272
        
        C:\Windows\SysWOW64\Agolnbok.exe
        
        C:\Windows\system32\Agolnbok.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\SysWOW64\Ajmijmnn.exe
        
        C:\Windows\system32\Ajmijmnn.exe
        36⤵
        Executes dropped EXE
        
        PID:1892
        
        C:\Windows\SysWOW64\Aojabdlf.exe
        
        C:\Windows\system32\Aojabdlf.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Ajpepm32.exe
        
        C:\Windows\system32\Ajpepm32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Alnalh32.exe
        
        C:\Windows\system32\Alnalh32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Afffenbp.exe
        
        C:\Windows\system32\Afffenbp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:584
        
        C:\Windows\SysWOW64\Alqnah32.exe
        
        C:\Windows\system32\Alqnah32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Abmgjo32.exe
        
        C:\Windows\system32\Abmgjo32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:676
        
        C:\Windows\SysWOW64\Agjobffl.exe
        
        C:\Windows\system32\Agjobffl.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\Aoagccfn.exe
        
        C:\Windows\system32\Aoagccfn.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\Aqbdkk32.exe
        
        C:\Windows\system32\Aqbdkk32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Bkhhhd32.exe
        
        C:\Windows\system32\Bkhhhd32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\Bbbpenco.exe
        
        C:\Windows\system32\Bbbpenco.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Bgoime32.exe
        
        C:\Windows\system32\Bgoime32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:800
        
        C:\Windows\SysWOW64\Bniajoic.exe
        
        C:\Windows\system32\Bniajoic.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\Bmlael32.exe
        
        C:\Windows\system32\Bmlael32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Bdcifi32.exe
        
        C:\Windows\system32\Bdcifi32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Bceibfgj.exe
        
        C:\Windows\system32\Bceibfgj.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\Bmnnkl32.exe
        
        C:\Windows\system32\Bmnnkl32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1764
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Bmpkqklh.exe
        
        C:\Windows\system32\Bmpkqklh.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1408
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        78⤵
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:304
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        85⤵
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 144
        89⤵
        Program crash
        
        PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abmgjo32.exe

Filesize
74KB

MD5
d87620339ce53551852a605baec8ca66

SHA1
3a4ff9eb6ffd9c47df8ccd38f4996394eca46ec1

SHA256
ec3f5431fa9769141b4382bc3ea4d345cf489cbece88852df78dbc2d73c2654d

SHA512
7319a10129595f7d90f1d425647f7117671578099529538a27dd2fefff744491dd5aa78d396cf336992cae59594e1e5d0730d5a4e64b236a3fffb1e3caea02ad

Download Submit
C:\Windows\SysWOW64\Afffenbp.exe

Filesize
74KB

MD5
411f0c629e3620ea2c0fa4873bf659d0

SHA1
2f6640fe4d7471b73ab5c28242376f2b2a3f4238

SHA256
1c4f7126575715331a728296a7e34591ce759af713d6ce7d6f4a4b6ac349573c

SHA512
34633c564872ec1a352e3201ec432a42216c0659ab6dda8c3e74362cae9f523385f73c47f074db867713c83ec0c4f1124397d025af17d727047f177b54646255

Download Submit
C:\Windows\SysWOW64\Agjobffl.exe

Filesize
74KB

MD5
62e2c03d58ef04ea7e83aaebfff1139b

SHA1
ae8eb875caf36cb1fae1301a01342d20b150849d

SHA256
aa0834061776c14ca8e61fc21d3a6bcc2392a100b4fe08dd659f9cad30639bf1

SHA512
2e6c10f531d20b1cf0430615df331eb7e2639e1c54e591c7c4a9b8ebfeeb746bde71d59e45c164921c4547b202e45d159c508dc70d0cb52e016c3fc97efcc1fa

Download Submit
C:\Windows\SysWOW64\Agolnbok.exe

Filesize
74KB

MD5
a1a44875c864a9d207ebc7d76f268420

SHA1
a0d54819110fbf4ad121956360f9f7c718834c24

SHA256
d217ede6de426177e6c9ae0b5a1f927226ee6971ce5e526ee4762dd2f5504ff4

SHA512
258db9554feb465bb839ada795ffda013673503088bb6a11eeebe79086ea14a5720c11d86b71e01cd999f50952973c1bab084a321a7b1ed85f990055a418647e

Download Submit
C:\Windows\SysWOW64\Ajmijmnn.exe

Filesize
74KB

MD5
6f3b6fc32adb39b472c936b539486fb1

SHA1
f6f6d527d922506f0c403959acde09a133a7cdc6

SHA256
e429477ce9fb3c7bb8751877dfb585bbe686334b309b9637a2919bbc6a9af891

SHA512
a3151f587643b42fea66e131c92e77de2104baf905950e397530e52ff087ab7e6a4bc24885b3967dc6ad87bcdadff4d1fa6eb47de6d2019a24e43949ba55b9cb

Download Submit
C:\Windows\SysWOW64\Ajpepm32.exe

Filesize
74KB

MD5
d97a05d7a610f272e6976bb1eb3337d4

SHA1
91150cd16da858142f83999453a0f0bd5ecce9db

SHA256
5bafc6fefff1f5e802dd42e53dda085e1e48b96c1e867cd2d9aef228f249437e

SHA512
476ca875c51d52e07f8dc8e9592434307ada5b52979e791d6b016a75e73b95409d6fba4204c84edb2af63bd5d24698d6d1d8bf614295a390f5b3b49196d8c03b

Download Submit
C:\Windows\SysWOW64\Alnalh32.exe

Filesize
74KB

MD5
d4de1747b355f8642ff811f57a26bb42

SHA1
3241935a9ebf810b1a9edeb0042337eadc569cac

SHA256
3bda3923c1126bbbc8e8ea710c5f3f88d5b77c01f15f81b2145c20bde64bd4f2

SHA512
31a05c181c599d7d16a81bbe26c205352627a7797125b18ef8e6717b03425a7b375ec48417beaacb21d08ff814c8c0659026308623d2b4430cbf0c5ee2db1d84

Download Submit
C:\Windows\SysWOW64\Alqnah32.exe

Filesize
74KB

MD5
7a19dced166db9a222be05b9b45618b9

SHA1
4dd1447156133f088219a087a04ea0ee7cc9604c

SHA256
8e430b7bd10d80ef46f2e89422a796362c243d346e92f193cb9c0ed03d69328a

SHA512
80a2de06d9027942ce8d9a49dd572a8af9ebbe39dd08f5a52ccad071bca0a3628eb7127969fc3ee176ede75d1b30d0dcc1fed46ecd416607c47268d9a2e1c807

Download Submit
C:\Windows\SysWOW64\Aoagccfn.exe

Filesize
74KB

MD5
2573238fdb91702409ec2970bd2fc469

SHA1
089220bde7b359953c876a7231a3968486edbc0a

SHA256
0fe409441ed1b270bd18c2f70adc7bb88ddbbe4c98c20de014e29fa285334fec

SHA512
f9e4dc4e27992558e8af89aca11ada3de2db9b05a0376c887aa1f34f9828a0a209d688770665005ef9859abf9560d75afb315acc3436bcc4d231bec4c7fb8891

Download Submit
C:\Windows\SysWOW64\Aojabdlf.exe

Filesize
74KB

MD5
2f5922a7a93831f64abd69170329a18e

SHA1
e91a88bb2aacfae8e958aaa6f8836d97ff9111a8

SHA256
2f7d79c3526c80d56fd05310197caa7b1f16a03ce934b214e5f671ab1b99106f

SHA512
b8b1dcd28baf0222d58404a29b70a6b19d16333b582e925e551f5b138174418b9511197f9e5d27484131f6378c0d1fa63a7ceb0c18306fa6f7d8446075abd090

Download Submit
C:\Windows\SysWOW64\Apedah32.exe

Filesize
74KB

MD5
23417f9bf0a930f10b663aba3d29051f

SHA1
63bef844a3e383ee2e00cde9e026267b00fbb328

SHA256
b2c9ec7815afef5d1b6463ad8231544a0aff73e842686f475a201a29df267b05

SHA512
ff312c444d3fa16a9db82b6866aa2ea236003c965b5701cbeb3a0225abe98d6cca5ff21415c161e290c0715c82cf99d72cdf1de694005377fdce53d7071501c7

Download Submit
C:\Windows\SysWOW64\Aqbdkk32.exe

Filesize
74KB

MD5
713e74a5a261d3c4d87eee41a6f1725e

SHA1
a0398f6c66c0d090580cffa1571004ff9491afcc

SHA256
82d5a3d348a146907ecd81f46d5cd21974fce9ccbaee13be6dcb7630b56a1884

SHA512
a37454a466a14c3509c5bbe4b04b8c428ee7699917ba86a0e4b6379e80ba342a8a9ecb450712249a3e7d49f9929950644464683d66f4997c3e50fc473202b93c

Download Submit
C:\Windows\SysWOW64\Bbbpenco.exe

Filesize
74KB

MD5
93b506a1e7b54140252b4a4639b27e45

SHA1
7e5c938e459e330778ebfd67b30a6aba6969c116

SHA256
cbb14f72f958921f2fe603a50ef28e503c594a5f6d157e79258ae1870eaa3e39

SHA512
2e2a71db2dd36778f7f7b8ae3878b2b1a797938f25eedccd94e892cf0bc2c62e5da178396e7d8b291a7b860e3e5cea61100047c19964a31a2837e589b5f7fb8f

Download Submit
C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
74KB

MD5
d08c9530d824212cfa82901bfaafe213

SHA1
069b48b050825e3a842a99b2843b5b8e943be9de

SHA256
1c0c4cfe116f568b98709c47c685c9493205edf7d81ea48288c3e91ad9dc8cb0

SHA512
f60ff4f602a3356cb1d3d3d1da0b00a3c4e9cd53925b32a9c986ed69f84c421d478c74f9ba28718dc6648ab0f8372abb4a4a8f22bc8ba5abca1fc561a4ff01a6

Download Submit
C:\Windows\SysWOW64\Bceibfgj.exe

Filesize
74KB

MD5
fe3df43dea553196b0038f438d0431a0

SHA1
2a3a3b9ff1f2ef3f63231b5e7a4d8cee93acbb58

SHA256
bf62ebb531d6eda939ffd612cb0d856a7c4a41af0a7ec48733ca6e975bc2219f

SHA512
ed6a8040d63eb18f3a4bdd4f1cd6cb701987ac3d4d262c93b7d3e5cb7a3b9673d072900833376a2ee224f5d04ec12c3407cb4c1036f9a97a43ce04e31b35c341

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
74KB

MD5
93ecaa1d51121d334e066d0ebdbe75f6

SHA1
92801238562af115a07a2b998f40d0aa77ef0e64

SHA256
4dfd4331f00aa6b62976ca9390f999a39fa512f28e3faedeaae5d822130871ce

SHA512
5c4d41c5540ffc9aebdb59a5eb3d6de961b7776b57944ed91b58e69335cc0efa3d169177f583525c592944561ad91158c39b6fdfe20efe0b881bab17c4d5541e

Download Submit
C:\Windows\SysWOW64\Bdcifi32.exe

Filesize
74KB

MD5
ed1bf3175017a917634c06e50999c43d

SHA1
91f16a5f6994c0df2c94ceda4fdf614890ef599f

SHA256
f265ed4d276c0fd6e84e66022e3f9a90c2b4dd006cc031d15826e097d5ff0dd1

SHA512
ff888819a255e3d3cb037a5ee8ddd72f8815230b14fdb82ed1e8a9f25f04455e1579555d44dbc42dc09e533af48fa3b366815deed7a2b32b87b61625f9086cf0

Download Submit
C:\Windows\SysWOW64\Bffbdadk.exe

Filesize
74KB

MD5
ef1c05313cbb56fd61c1e30bea443ff1

SHA1
f34077eb486280d33c6808974893d2be453d3e48

SHA256
cc0dd35b67ad2bc9c330bf027a35c624ed120a9da878a398fdeddf37cddf68bb

SHA512
ca3803681e4e8384e70f007d3b5c5215868ea94d5f1f0013dd1050b7577845bd30858e94fd36e817958c23246372a7f048f596ba3d4b77b576c0e83f8f5b7f87

Download Submit
C:\Windows\SysWOW64\Bfioia32.exe

Filesize
74KB

MD5
fc4dec07b39596d86894155824ad8033

SHA1
854af8a1daa63f9cf1ddaaab676b13d948a2fd04

SHA256
235e99746240c0a70c7217b2bf1287b36cc3cec0f116ddf446bb5eeeecc67eb9

SHA512
7511128c4c2af33760ba32f7c4cd8382d40da085d7a7621c31f3d3184ebb4250f8d9d2759539997c4cb133a6d39ddfdcb77738966a96d8ecaae4f87ad0871fb7

Download Submit
C:\Windows\SysWOW64\Bgoime32.exe

Filesize
74KB

MD5
ea4e233fbc4584e4bab5c5341e48a81f

SHA1
f8e7e771dc09d8b199ce6b6396804f940a6da358

SHA256
e75d3646ccb4d2e4078392ac9002a2fc2186c1ec15f2521d0824e9ae8ff5bfe1

SHA512
7e49d7d6299e61bcbba35a2e17e21f480254a46ab6fad8b56a10c85e75a717fb928544fdf0654cfe259bfbdfdf557e14d70483999bbe17bdaa374c11d297949b

Download Submit
C:\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
74KB

MD5
a9a6dfb655068977e6542e2e81237479

SHA1
d7ee329b31cf858cbe4efc93e31552987e1bc289

SHA256
72abffea2e370975e86b06f5cce37622c1d25212b4adb3548f294f6be43bbf05

SHA512
2033360a7e14ff2bef3277b6bc5d26eb64463a9589d2db0b2815ad381a6ba7cb1342234a5d6a5437909fc9ed7d32a47a521a215c76d65b136978a8d608eeeed7

Download Submit
C:\Windows\SysWOW64\Bjpaop32.exe

Filesize
74KB

MD5
cb7aae663b0117323e20aca296ce8a43

SHA1
6b26595df8cb5c037d4223d91b7a73c1810f15db

SHA256
89284329f67a6d209895a5ab0a93b3c46990e66028138e7ec0227bcf33cda409

SHA512
b745d68c474e0a2899ad8097eb59141516fbf3695283e8b8c9bb38f59da34cce6dac26554c924305b81be41d938f8fa112dfcdbf15e64e95806d50d75f301ffd

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
74KB

MD5
147b74c697f2741dc6f8d01f01301583

SHA1
be6c4355abaacc87d702ca4ccf9c0f153e0abbb0

SHA256
9628fe0d895dbff54c79aa5d76baf8a7b8bddfdb873c2141724a4dea4e945608

SHA512
292cfc8d18a4616a3f1d83ce42163aec4e6d03f7f9cec6dc150dc1c63ba129f11e9a5843ff94b67aa3de6a1fef82a17a58a570599b2802686aff0bc69977bd46

Download Submit
C:\Windows\SysWOW64\Bkhhhd32.exe

Filesize
74KB

MD5
5c5759c9f2bd6b47235bf237dae89bf2

SHA1
ac5387c5bc1f61d652c124167cc960ed98d26708

SHA256
1a33616730f0b9d61ebb82588b404a8957ec2219891ba576a4f1ee4af65f336e

SHA512
f19ae7e45bc920408cc26a99f17e85df894d1d166f89063d8f40896d5d5dfe7edac6bb7040ea10a7611f13f0065999671e04cf2cef838f836d951d927b199956

Download Submit
C:\Windows\SysWOW64\Bmlael32.exe

Filesize
74KB

MD5
891f10d152edbe95824d9ec26084e0b6

SHA1
1fb72f48fb67253353340c40d2dc0dfaa8e3d557

SHA256
40fb28120d19c7402a2e0127ae76553c2c21c80fa7a4656a56a307b1137bb727

SHA512
9428dc131e8d3aba7b4f5f431f24e416801a8728560e2d9a5c2e0d5c4bf99514124704aa2610dde8c4363ee7468b1559c0b11051a482d30bffc0bb3a9a23e07a

Download Submit
C:\Windows\SysWOW64\Bmnnkl32.exe

Filesize
74KB

MD5
dc1bf5cca243b3c1a9c021ced0b5dca0

SHA1
b3ba109db70c465b5d8013cbff88c7b307289fd8

SHA256
68a89583968a849fe2229111dcdc55c9bd20f93f7a5f581e709a8a3e53637f4b

SHA512
ef86799e3e24f0df82aaf2729aa5fecadc597ae121ccbe2ff805d4c9f63f02309328a1594ddf15933b613f6bd8a513a9c2850815a078062cf05add922d4155f1

Download Submit
C:\Windows\SysWOW64\Bmpkqklh.exe

Filesize
74KB

MD5
8b5bf0198b37edd882d068c72ee47787

SHA1
20384ccf9c77319de4a7088a95c5425dfd9f1d95

SHA256
60e5311210a639be4e1df2e5eb9c9d8d5f71709160324659d8a4b7f061ad38e6

SHA512
ad38a3cc03b12f0cd930579f6fee91a1142a2349cfdef685e89b160e5b351671d4f6525597efe0b6f18bc7336f2b04bfbf54df348a2ca9b22d3cf96058ee2f39

Download Submit
C:\Windows\SysWOW64\Bniajoic.exe

Filesize
74KB

MD5
03c4ad42daf5c141d761febba3e5825b

SHA1
1aa71aee901d228e7440a5401e93cfa2b1b39f5a

SHA256
e6dfad3f7fd82b92d74ceb5a5ab5e464961d806cb1d8c93197f1527c7c5c33ac

SHA512
939d383498067de5f57cb40cd0a75395308b1ab7372116e607120e3f093816495266772db9f3e07e3daa94e475ed51fdad6444f3367c798104b8e58646bb8722

Download Submit
C:\Windows\SysWOW64\Boljgg32.exe

Filesize
74KB

MD5
90d213f5e2d24572b034cf5a760ca635

SHA1
e602f977186c559073841a2e936be6fd128af488

SHA256
34de21f396b1b8b9746f9eda2f2851651bc44f9d650c6d373e50c1127ddd5ec6

SHA512
16e7e7c8ed2bf7e3e580248cf3f19d28a7e540f0e936cb0d41a5cf92c624800b457395e957ff99aa0675afae4fd1ce91a0a1b264e691ee1b6166d27783a2f1bf

Download Submit
C:\Windows\SysWOW64\Boogmgkl.exe

Filesize
74KB

MD5
b0dd83535bc3b0b978699f2c5de67ba4

SHA1
8d8410fdb0bc1d65be230ec98009e604977d1716

SHA256
deee26254db7ce1ab5ac6ba4236eb6db45cfbfaee5e9bc1fc5eb8b8a9b73f4b7

SHA512
fde71aef8c40cf81a30ded8cf6e4e6035448c278eb9c084ab342f667d0ba2fe0e7c2c024ff28e4e57353e58deb9debd75421a0815a1a687b55ee79b7ea9ca441

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
74KB

MD5
68c2d616befc6c57dcdd921707b0736f

SHA1
ffd1bfdd5b0a4f279398092206b6fb215d761bfc

SHA256
07eebfffe3ebdf0d136eefbddf6bb653d47029df071336ea90dc738dff7e1329

SHA512
579bbc34f85a71eb90a38d62d0ec097b72baa7fac82a791bb3f496c2b4973a7ada600ec50cebf3504b188455caef6e4d1c8612e70ce4b3674ee60729fb0935b9

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
74KB

MD5
211fd6b7bdfd33396808b25ddedc04a5

SHA1
633a6d09a9499e0a9470e49fcccf2bf1e91e87b6

SHA256
8d380de4fcd5220a86996dcf0b1e308f1741de090afdfdd501e115ac32c30b7a

SHA512
5e03bd189e70069b34c4447a84051925aa8ad2d32220a3dc42a676e9ac94cd3b3f5629bb18edf4bf98c25371f27f0829786c7a9bd200123cd293807a64c6da90

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
74KB

MD5
ff68397cfbee4ca694a8038f24606bdf

SHA1
269ae9c5bfc07fb5dd3f23ccef9fec2820016650

SHA256
dcc113bedb7055ebf9889ae239152bd0ffb898039b567e1125c7a179186cfd49

SHA512
1a959fff7cb4994022fd1f0fed50e3bbd24751a363c22784c28bb62efb85dd6d87d889104a012544e8447994ec2d458e41170cbab7cb941eeaaaceef2b585dce

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
74KB

MD5
69393d60db99e824d72f1f4d5d989fdc

SHA1
d1b0fae96375b9071c5d613c303861dce4cdf22f

SHA256
b2b8b5dbf028c1689cce2ceb8ddcd8fa2d5c0f21bddb2335de47bc130f79aca2

SHA512
10401e4eee47f3294c551edae886b05c5787843a78c88c74e1828bf2459e794d5f8510b60a70bbd65bb7bd86ac961beb21668e82d56f85f43d111ca0547a42ab

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
74KB

MD5
267d487ffc32aac71d35c5ce2e280b02

SHA1
0ac2ddf9e24eddef416a17a3847258cbd3db425c

SHA256
7fb81757ff3889d3704a0079ee7b2703632d79e89003e4572d3c1fb5b1a4880b

SHA512
00624974045edf8d7ea9e79b5926fbe6559397418bf892bcee07ecb4a836df608b0f410a890195a346f81b19869d76f30904519af25a2cfb572b2931f5b9e844

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
74KB

MD5
bee527b24af360ded33e1f1329f45c78

SHA1
d400c9a48d43cb9b2d86e66039c24d61b3a7be37

SHA256
ea5abe08910a4bfa760443623bde856cdfaa776d3ab61ef774a3808916acb73e

SHA512
cbaee247e43001c6f532d97ec95896e000ca7e1e649533d29846f39c85cc37898ea2f0e30a05f225c3851a6be82be5d7534c81f4e2cddad0f0888e82573084af

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
74KB

MD5
a9b16319667f717d355e85dd5b53636b

SHA1
3fb081c7bbdab904b137b01617a9453d765a2b81

SHA256
58518e0c1f415c2b941beae82cdebdbdd80f56aefc3ebad43f5bccebae758c71

SHA512
df687f0fbe5a667e1c747aae26c57e14f665821e2bf016331d362e891687dd4f9da05b1e6de2766cc04686fd5a921f9ff878ef21a143ffbeabc2148edac53b25

Download Submit
C:\Windows\SysWOW64\Cenljmgq.exe

Filesize
74KB

MD5
bf1dac080c0c69d453ac9260841cc447

SHA1
820bbfc323e7b997af248e9d658c44905f002ae9

SHA256
846c3b49c805fb4d7870fc4a76a672715d91ce2c9377fcc8f193d7e07efb52f2

SHA512
4f1067387a119c1db2ff89d70f766e0f22c512a93e8191385a6c96ebeca3f7a8ef9c6a6b06d9aafa116932cf60c96f37b2f80e7ebb867b13ce32cee0fb4d2cb6

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
74KB

MD5
6f6a31c38fe092dc328b66ead5cf4715

SHA1
23567862946a4d07b2f08bbfc0b67ce394627641

SHA256
c1a6794a3a7919a398cc603a6c5d03f4d61e35bbdb414785fd6f94f460d4e459

SHA512
69dc4e6b8a3844bd6211de96016c3cc944e2b5a3085eaaf86ccf9a5d47530b6abda04ff00aa1143520f1d14f77ed0acb786e1d90d18a3045b5b44702343496e6

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
74KB

MD5
5be1e393fe5451352324913256082cb1

SHA1
e9c3ed944365d3017ded45c9994d95380d20bc1f

SHA256
4ca150176ad61f9d5aa9066d9621d3d2cbd137615c7dc8893f00538df7ec98d0

SHA512
174264191a6414ce5aa6dda30ec5e155ad38bb64ddcc77e48fa4073e68f45d0c3fd5fe39efb8f5f49c7a698d72be0a0a927645435e4224317966377f96131a72

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
74KB

MD5
139edb3b909716b6066ecc9b10863369

SHA1
b69e17366e0374ad0efe6bac46fee5a5fdbb1081

SHA256
a8bc6ed52520e0249fe9c057c684ba240529f900a1a983ef40b03e7f7520b5d8

SHA512
65d45fe659eac4f4056034ce90a15c48407d5835123274954b0f0cc3887167fd9088e4c7b6d4bf0ff7d1d49c79870915b65c8050e1df1a65251a29011c392256

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
74KB

MD5
2eda0a1fb6a18cd345f289fe8ca3853f

SHA1
c0a59fe8280ee245cf09f9ecd7fc8a1d6465d19d

SHA256
1b07bda2c42fbb33ae8d9159b9622c0afecaf5f24abc6c72ed95bf61f4553732

SHA512
25405baa628a47705c503ebd85a089c56d75c5ea76cdeca9e410ea6d74c1acc2d9dcab76322614d4f7aa87ff290fb6ff58331c2a70083db0e62d6e4adf6377ff

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
74KB

MD5
6a352f6d94b808434f7b8aabc1943e17

SHA1
d61a1d204a5850d46975d71c6d7bdc15a64d06ef

SHA256
3d7dc784f451dceb7a6145c09bc29b11aee8f91f7818edad4b253ae46107fa5c

SHA512
dd08588a3bb9cdb2ce82cc2b84de2859759518fe235bb4ceaae120a4557cb7734e4eb861b73f25f673db6b0d9ab7f99e2d7e430c520394a72f494f70feb3adb2

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
74KB

MD5
941e5ac636e48ab8732261ab07d43785

SHA1
245af060c73558d9c444a34313ef435abaec5f03

SHA256
f1c631f4ba3e45ea6be11c4474e78de6ffd37f4898eedd923b1005d4473e9a68

SHA512
6dcccdb162c0341b0df2ff38333bb975122b96c3e8637eeb9b344853c864e65c1f967302d518e420ab30805b9e5e1862728cf38a194f0a448a41a1c58bbad9ef

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
74KB

MD5
332decd5d30c93ae8ff1cc0935396a55

SHA1
025b620d929969aff5216984f25f0f77fe216444

SHA256
db733ac43434ee03f6bc33a0573debb3244f6fe6954a5a524e35d48d98c0998f

SHA512
f62e57346df5ceace228bce767dab3233ba5eb91cc7ab898e7d79523196ac123256dc6fc0e9681bf62c7b7a99df80cd904679ea22c2cf84352a9037843257d52

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
74KB

MD5
e1e0259c66de866ba7545bdb725420b7

SHA1
2edb0f22705dbb6ff5aebc536d57edaf3dae8375

SHA256
2b80d70c207833924293a846f9debf441f0608f7c17a76eaa57f924f58519131

SHA512
56122d6983eead4e9fa716b9d5d4af11adad3f648313d420f51be9b77dbb1058aa2fd4b845e2cba193df600b465f780e62f63cb26407a0258014eb5feb2dd8fb

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
74KB

MD5
163445c2484f89138efa0dce0adde697

SHA1
46264ed747233424a244675ce7ebc766a684d7ed

SHA256
9acfcf79582276b62751a4384cffd65b07efc92f0da4ac2aa2836760842d5c2c

SHA512
a92f20f9da589f052cdec7d84d9a8463c16ca3bdf3d4d5fd5e2307a5ccbfbcb834000808bf589eb2283c79b60bfc71cf8b9eb68b3136b3ed1bb9dfcd4d6138ff

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
74KB

MD5
417292f9a28527ceb8d4ae908fcabe06

SHA1
901ba38ffb15ed928af1d0a493c81a26a6b84179

SHA256
35881bd183e942a2d40ccbf14d61dfb1c6bdb73f4a55bf322abd5f220d3c3608

SHA512
d465c8901391f3f9d3c1de0a94fcf68c7b301183244c6a250a32939f07343b52b1c1325fc23ad1ad75936188e0f630c8358776c589f0f3eb93975e1331748e77

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
74KB

MD5
6aa1749287d28181097d233f6329b097

SHA1
232139c4ffd86554a92cb9d4dc95fb6dc15cdb43

SHA256
11e1d8c261de95ee496861bbd1c7a6ef2d2bef6360f0d5b22b2fb38dd9a278e1

SHA512
70f300810c6c5cd7ae8ba14b860f5cbe9c170163305160861db6b32f2186aa0ca4fbc78df32ed4788da8ed78f3a3e8d4f90dadc80c9241ebe60e88e1c3c3ac04

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
74KB

MD5
877d49fa14091d2afd5df987886eb118

SHA1
d5891ba99596134c2969c2e17ec84713caa18e28

SHA256
cfdb5ebaae83b0957edb235d12ad6d9bfc96151438b01479274962ef906d6a14

SHA512
c0bd237a6849b36b176aaca787b12b98931f32bd4a9b3e0ec9c4c340c3e2cdcb3efe6d29e23d5f23d014d1b1be41f968a793daa0ad26b444982ad407e3f99e9b

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
74KB

MD5
f48c079f03b7a20534e4943e6033d5d8

SHA1
d3721825388ae9922e9d65dcf6945b0ac25a4a28

SHA256
1642d69e64caede4def601baea9697cb868c10ac9ec35013d10e7b70c5b607a3

SHA512
00804929a68f61b8854cd8ff6c66d07f790a4eeed8fb07549b6516d2ae74949c6227be131acb5170881b08e15a2cae41e3b33abb1567aedf67dd1162484bee99

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
74KB

MD5
9b53b82ee0a08393ce858645d8fa678c

SHA1
cc6d7716789129551d75772d5e1630cc25b8751c

SHA256
49ebbc15ce9e4ab4f4e7fed28d6e0e47c9c6b7ddcaec417a1822c71dd3245c28

SHA512
bb77ff841d98bdd70a7827ca74b0f758e74b28d181a19ef5fc9b442e50eeec2da7ce1a6a7cb7793d55f0ad6aaeacbc54f2fe337a522693a8aae3ce1c5a4f56a0

Download Submit
C:\Windows\SysWOW64\Djiqcmnn.dll

Filesize
7KB

MD5
10416c7afb0e43cd1021aad47c359d83

SHA1
68a022059266344ea9c8fa30df7ea72aee357fb3

SHA256
51555a3e168a74e83057c3e4431a96e46d9a1f399d898fbfb756e100fcae741a

SHA512
72a526c85a0f997ca6e464ab4e366ef22c6a9824b7deb9f4dca51f216fa354fa0007b40ca1b5b0e825b9533adb857b50c31add376fad4022ad18fa41d69f14f2

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
74KB

MD5
3ff24e1a644f43fa2e28502818d32ac6

SHA1
b72476d4a80152afa92f6a7239979852397d3790

SHA256
c1d3ab4c7bbf75135a42dd7da24b2d794f61d5f0192d8fa426499ce6c8b9b8e1

SHA512
3333f140b38a4fe1d75b7b2e3a8f88397bc0ab984ad53e1eac2516c44afcba466453acd83e2073dd45b9a34eb48ca1a6a2c39e84761bb20175e8b066e0b097f5

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
74KB

MD5
1ab2d11ea1ca075a6cb440474ca9da8f

SHA1
f6038ea4232ffbeb8e608cfcfb833d01b3c6fa9a

SHA256
277ea0f6eec1018a313bdd522afd455dcd76eb4c3e5069cf5caa6f0f3552fc1d

SHA512
b0b271ec3ecda1b99d43ef0658e733cb5e236b2d17663682ba2456db179e87d26ac0e818a017be8e9145c350f1c831f79e881740de26a03596fd7fec460d01fe

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
74KB

MD5
42e7229b931a08a7dda436fd191aecb9

SHA1
3e2d11dd31cc623e6f0784c32b3e54f4523f1bb8

SHA256
fc4cc1ecb80f54b900d5fc0c3814402de3de714d20c18488dee4d2e54e0258e1

SHA512
b6a8db61e73777121868ce856aaffcb7ce450829ba8460403463cd002e0071ae1b070d9180b0f5c663e81bc125609c3ebc8f93e28fe47aa46156f66fe7e1bdd6

Download Submit
C:\Windows\SysWOW64\Nbmaon32.exe

Filesize
74KB

MD5
ddb9fbe320cced88d1e75634192f8a73

SHA1
01faac648a37bba3e19abe82f9334f1952eb385a

SHA256
ecfafcaffedccae79bebaa0092fdf3dc693c9d895233d233e6128bfc9c634a54

SHA512
31ad4eb78fdce6f33ad62aff88d04c87777d6135e9280012e3818f5e463341b83cdd726c9392610da059eb4ab4cd311a0b22308069ac6437f58e4b70d7f12f8d

Download Submit
C:\Windows\SysWOW64\Ncnngfna.exe

Filesize
74KB

MD5
8140d925653a35f5385b1bc1a673ae61

SHA1
f286594fb893487932242c6becdfcc888bd80e78

SHA256
f7f7b508775a6979ed8c012fd5fa1e3991e9e6455486a694a6e8e9974d8583cf

SHA512
d74ca0f5435c652d3026a0a77947bc98ab6f2b9a9bf87d35df3830189fe8166346e0f9f8290aac3f9f64150fb5a319cc15d953bd4b3f2d94c6a7fab44eec817f

Download Submit
C:\Windows\SysWOW64\Odchbe32.exe

Filesize
74KB

MD5
50134f92d49475ebfb603619b3b727f5

SHA1
23be5b9543f1cdfaccde1d772b79f30320454ad1

SHA256
4bef0979cd24b9134b5ee62e513f5914a2c578b6cec71047c353e75bd67b7e0a

SHA512
4d15cb29cfc13a8411f74e4259c03a87bbb1f3ea0cdc23d8f2ff45b648e32d083ce30da398549ad14f5ee54fabdecc49f2d1fca56588fe19ad30d99bd5b7405d

Download Submit
C:\Windows\SysWOW64\Ohiffh32.exe

Filesize
74KB

MD5
fadf81ada2d3488fd02f8d9b17e76710

SHA1
3d12a095486d6ca90da586b7d8651ad32dfcb95f

SHA256
22da4714637e0e4fedeea007e188c0d901619a3cfa15f306f3751e9c7e170499

SHA512
58ab4ed9add813b42651a25cc4ae719477e8387f43baa667e3522f5c8ea33ea496f5b29b49daa5b1361a7a6dde142d7775a345f0b836c7a1bb4c16bd87827d35

Download Submit
C:\Windows\SysWOW64\Pafdjmkq.exe

Filesize
74KB

MD5
0d4a9b24c8263352c44d0b02db345b24

SHA1
9e741b50b9071644f134852704cfe8652d76fe98

SHA256
a91bb47a2eae40bada6cbdeb9e51fbaeb7ca0307ae736614d96b725a7e2c99c1

SHA512
8594007a91e849fc59fe9faef99fafb26e86366ce243011cd805688f6916ac3adc5814351084952f7003b43a9c5638fab654aa6ad7003aeee258c6f471206e58

Download Submit
C:\Windows\SysWOW64\Pbagipfi.exe

Filesize
74KB

MD5
d922e27d948f6b0514c43e9ac9a2334f

SHA1
e299a37b65ac6be34ef4d93d92d3d0c4eea58c93

SHA256
65b662bee8117c90320aaf678dcdd25edf162521fb07db1f581f0110bc122ba6

SHA512
08fcb567bef3eb1c5cfd7ca4bffe1ff3667810f7250cc02f468ea540599625d616324f83a590fa14dfedc49f43e652ba6002f1184ba962eb5305f796ae2ce07d

Download Submit
C:\Windows\SysWOW64\Pdbdqh32.exe

Filesize
74KB

MD5
56863f4259abed3c7aa3a492756653f0

SHA1
abc7d8bdc214399482d05bc8a85b2cd9227febc7

SHA256
ba6f76e7f82fefdde94a7f03b57a9e589865d85b0534d5235b293ea956c25d48

SHA512
f3ee7e0ff2e2259af9364d2d03a25fef55d88c46ab1e31c42f364260327d4d4e7b80297556acf877c3a8e0a0e24fb592af942ff47f30b588047e8625aba11d1d

Download Submit
C:\Windows\SysWOW64\Pgcmbcih.exe

Filesize
74KB

MD5
4e0be0f80121db40dde7e1f3eacfb054

SHA1
2e6b8ecab52b5ece55ee6d0c4eb927169b8a275b

SHA256
3778783c3642617b0d21c060ba1d7e2f01c802f4847b5c4d77a5b0b529073e81

SHA512
44bf8c1c5311c15a705f66344f71d943d860d34e5111fa645242eb5c9bde814aad85f70cf96c9cdcb6694ce9cb3d249b6bfee0e15539815a42559da1cb14a395

Download Submit
C:\Windows\SysWOW64\Pgfjhcge.exe

Filesize
74KB

MD5
56455a5a489bfb8bf8edeb00b88b3270

SHA1
17d9bdf532a73d465c4176fc8d79b6863098d2cf

SHA256
ada307f021f376b3c68d9ec9904a289d1654e690c032dfec78871ddce914b2fb

SHA512
bcb3f8fa63378755608ffeb664af16f2bce1115f547d3985bf3fb1225725c6ae39b1fc7b946c330315cd6029232560b47db7ec0374c3556d444557bce6cf3051

Download Submit
C:\Windows\SysWOW64\Pghfnc32.exe

Filesize
74KB

MD5
b3fb3f5b854a659dd8aa1e1995f262cc

SHA1
6932ef9a47a3219c909a35e5ba2dfb713d172552

SHA256
58d798ea10a8af3ca4adec84f975206276348f1ed0d333b956e15d1d132030ae

SHA512
093d617c0aedbe94ae0ecaacc0b5527328bc48d58b548b8d42e2f7c228ee94f7100136261a2a24cb61dc5538bf4397eb1a61422ce8e5baeb489c0d4c22746fbf

Download Submit
C:\Windows\SysWOW64\Plgolf32.exe

Filesize
74KB

MD5
57604ff0a4be3aacccd2dbc6122fa4c5

SHA1
9f525f6a2386fc593c7dda33f347ff17d52ef0bc

SHA256
e5d51e5a2c4bfb1398227bd189ffed2e6f9dfb16ceb5a17bb51282475063a11c

SHA512
25509ff35fd2f77a9fbf1c5c0059ba2c138fc3989c2049e2d210d677d478337897251776eb9fc5eb467aeeebad1e1cd0494aa057a7dee9291e4e6fc323ea8c7c

Download Submit
C:\Windows\SysWOW64\Pljlbf32.exe

Filesize
74KB

MD5
10c234963e3e5e8fa43420b63bc3b450

SHA1
7c0fd847662e2e80ee819d0ecd8c3ee101303682

SHA256
bc57c8aba3b5e7dc4235d45ebcb915595392f70d7ddd01edbec1a555c380e44d

SHA512
71d07fcb75c137adf11b0c4fe4b485e570c1a6687474572d012b329173c4d94b6c6ee89a2dbb01ce072631727d8b2da52e31bffc49fe8ec395403b00bcd09290

Download Submit
C:\Windows\SysWOW64\Pmkhjncg.exe

Filesize
74KB

MD5
51023e5fa41f2a87f72850fc04c7bb28

SHA1
0af9c6af1a979978eab03f9595bdf5eeb56c6d4e

SHA256
16e69d26787447544caaae566637250c35855fbb4f22c9b993138462573e0f23

SHA512
33d1e9bbd24bb18694997f7ef85637a0e6769d1ef780f4b090cc5efa051e15d4a5db2a002d264b4c6be26200ef8ec40a9a6d2e9f465a4b29ef9b3f32b7d8f110

Download Submit
C:\Windows\SysWOW64\Pnbojmmp.exe

Filesize
74KB

MD5
e5b6aecfd2718be509289e379becefb4

SHA1
31ca1c0b8c6f4f395529f2b8afc920847170e498

SHA256
8603534f3ae2770bb66935df8900a485464118d922b0e9b8b640ae03672ccac3

SHA512
90191e327393dd0584cb09b1df57f594532b70ed543d59bfdff1002b7c4abfe6ad8e001e151a87a9de7e698d887f352d660984d41663363e1ea275186b31385c

Download Submit
C:\Windows\SysWOW64\Pojecajj.exe

Filesize
74KB

MD5
2673acf317be7274c07a1c2c23f64665

SHA1
3c50a1281cd040b67f30e09cba3c251c15f4e6a8

SHA256
f2e722af1260a12e29a89aea6ee8634acd0709717ac0486912dfc3f95de3868b

SHA512
e5037046ea7684cda36f6bc07e57298cdb103b5186eeb19b57d3b41479bb2dcfa7493ae5bd598b96c09de8ce6d481cb0c790f5ac18db9ca9d0f0abf0f72c10af

Download Submit
C:\Windows\SysWOW64\Pplaki32.exe

Filesize
74KB

MD5
3e9a0975270ac9e05986c331ef4e16fa

SHA1
c053184a239d4d980000a87cd56c26fb780ae2a3

SHA256
3408312621f5c844ed222c52d059859328b76da0178d81998c8336b8520cc456

SHA512
a47e4b3b708120ed72e04d43ad0868da5aac6aab5acdf380419100f0f97ea77e0f67d75116d149b27095c4ad71f643c5ce00c6b17b88ed82a7224e793ccf32b8

Download Submit
C:\Windows\SysWOW64\Qdncmgbj.exe

Filesize
74KB

MD5
3222b4c467d7870ee91343137ebc1fe6

SHA1
dd06e0d2f1885f93a58d3c5576dfe7e757e50e54

SHA256
42d8d9fe990d9b4f241da78cf7bacb6f4431e2760159e914a1931bf23513bb2e

SHA512
b460a23620b3b6adbd6b9b86b9e829138ea7a1bb1460277137aa76bde2272807f32271ecbd8a49402bf1dd93d3137e0cab2e9f2b88de08a9b498486ee5eabb8a

Download Submit
C:\Windows\SysWOW64\Qgmpibam.exe

Filesize
74KB

MD5
15a90d7c52c8a7b9f31aacc73027c915

SHA1
7f05f9712c2bbe75f5764fd304960606c7b9852d

SHA256
1975b7495e92cc230429d9c6e8d195fce771da86a8b5b361a9d4f080cc360075

SHA512
e548a0393cbad552e91d45ed0901940ec655f4d651aace0bfb0377795082bbb0e03fdce5c9a5449f357d063d7c12a2471130145afae70ffb4f648c3b526301d6

Download Submit
C:\Windows\SysWOW64\Qkfocaki.exe

Filesize
74KB

MD5
eff0786c6bccffe378294d7a3936ac7d

SHA1
9bd567eb9f0f7a88a2170c3958f1e971f908bb9a

SHA256
6bf44825f1fdac13a9f7ba72385140ef803391b2e60cc6c2f1a7132f0d25995a

SHA512
3de838042b0208fa59fecc5cd2fee075f65b7cd3bdb7be7b2cbf0f605741be2b598d8d77dc81c6ad90c79a6b56cc8ec5266788140fef88c9ab4e9bb09c59e113

Download Submit
C:\Windows\SysWOW64\Qppkfhlc.exe

Filesize
74KB

MD5
f498986cf4307cd6696c4f4c5272bd39

SHA1
54320cc40719116468f6e724e5a3f9f83de2e8c0

SHA256
a71965b24652c56a0c9c3a38bb3fd68ad87efc4e5fed0463f1a52c71befa2112

SHA512
42381229fbba05698e0af7029a94fd92a24b4c2375c89ea41e988082f034afde1833c23be57c50b6babd99bd9e0890ec2290322b4e17e52a827ae2aacaea2ddc

Download Submit
\Windows\SysWOW64\Nhlgmd32.exe

Filesize
74KB

MD5
f24018710227b7d40e2eb60c3d13d22c

SHA1
344cc028c16c34bc5ecbcc0054385017443d2d6e

SHA256
c1c72fe0c4b4d71ed7f76b70a8e83411685a4e168b8de24cdf08d0647bcfb85e

SHA512
f2b2bc9f9ab15ab78e14e64150ca527bca057af2e779e8d997b7578ace8179ae3310f0b2797b3e7570be9b384346d413cc6de893e433274c3d470d5e19a8c5a0

Download Submit
\Windows\SysWOW64\Nmfbpk32.exe

Filesize
74KB

MD5
c1033244c3ce16b03ed7aa31161c8dcd

SHA1
1c61ccec6ffc9f2f726fcb6279ec4944684ee319

SHA256
66f895f340263a058367e010f87db3e37f37955cf672509fd3e3e65ea41ac435

SHA512
346a4d0ff3c513cd8f8fde2d92ad6e0ae39332401cde8fca94c382d90783369bb29313704c8274a90cb44ae1634f0a1eab60b41fe5dfc5d6fd60985a635c5307

Download Submit
\Windows\SysWOW64\Obokcqhk.exe

Filesize
74KB

MD5
da81a1af71fda07660c8c7d8b5b776f0

SHA1
c0c7e6a7a5de0a9fe3ceddcb4757fa7f5c662d9a

SHA256
ad52bf238f0667e52b45734380c9c3fa9061564c188bfdba4e92a77294e8aca9

SHA512
e1b30d55dc613dce4ab1faa8808ba37f2976caf50df74e851baac40983b34af0cc23ec5640c39813acd1ab7ab550451ac97ac39419d54ac207dca58ac0b03005

Download Submit
\Windows\SysWOW64\Odedge32.exe

Filesize
74KB

MD5
ba130db0f710fc5a52252d719da70a8e

SHA1
8304b04a12babc80ca0724df37d9b1e72dedd57a

SHA256
241464a2819491134ad52fd36999f4fda73c43f5abecb6abfaf7db07f6779e11

SHA512
1d2eb938239ebe70f24cecff4c83545471b08b168a5d9fbabef68112ecafc6ffb1aa818260f072c644bf9c3a51118add115eec6edd46380eb43eddde74de3644

Download Submit
\Windows\SysWOW64\Oemgplgo.exe

Filesize
74KB

MD5
b3b9468e120497d8c31e05cdb20994e3

SHA1
6574204dfadad042d1deaad42dcc6d642df17fed

SHA256
45247b6ac698b4cffd5b8228fa6e68f8796ca6840860f87221a7b2e0b6a90b60

SHA512
51233768418cc7605943a8c70b4343ff2c60404217391e1d182639d99c67b0e709d4f5c1f773114439cdc7b921f7c88ee00a7e8901204f9f5a93738f7e4d19ca

Download Submit
\Windows\SysWOW64\Ofhjopbg.exe

Filesize
74KB

MD5
5fa5cf563169399ba5f65d7c99db5f73

SHA1
d0bca3375abba0b3f2c78d5c3e20eb576f88cc33

SHA256
99e6428b610df417fd7e1e9a87f719ef779a1e95839ceaf06b24ac1741808dd7

SHA512
ea6a6da34749ef0e26b4da3c1da4519c20e2b44cb273c828be0722a5dbe5bdd970b744875752155065e2e874f69e8dfc450d79796c9d0be1a7266cc06c9191d6

Download Submit
\Windows\SysWOW64\Oibmpl32.exe

Filesize
74KB

MD5
dec25308c581475539508c805656dd53

SHA1
1c06d7566a1eb9109496ab162f23b58c091e3a59

SHA256
d9dd7dba1c3927126c172217096c82e3e351358700b31cb7c48ee50bea12599f

SHA512
1a462c1f2b88190dcd33a4c4e31cc136d9020df4e045edec00f5d3903e0f246b9096a4315754516605d732170c631c6bcdfd8ebf27fb743434d47c93c16c423c

Download Submit
\Windows\SysWOW64\Oidiekdn.exe

Filesize
74KB

MD5
50e5ca61f35fdf979e626a533a8cb5f3

SHA1
4949294780413c98b01cbca10f99fffe93485bc0

SHA256
c618aadb02ef00c111874bd58bb26fe1aee7e11430351075fd665fa259fb3fa7

SHA512
188d17fb25da1e12c3c4ca5d83b60a7f53d5a12c463fbd6f98ad20cad1dabcc3dfa1999ef09d5868891795c6fab5855f43d597a1165062153acee82176637b1f

Download Submit
\Windows\SysWOW64\Olbfagca.exe

Filesize
74KB

MD5
c368890b0294e6be09978f89cdf2eab6

SHA1
9d548f1e01c03c8c08d749e52a7578463e0c9b8c

SHA256
a503478ca666d02dd6c54940d759ab4fff8dad9c7bf3d5c537dc66d5f766b434

SHA512
66768694a9d2fc8bf637f1ec2d6e16e2b34f218a66b78a5e74f06bf9c527a769651ffce98f065964d5af4e958141222f3231cf36d2456f2c134666100ee7d533

Download Submit
\Windows\SysWOW64\Olpilg32.exe

Filesize
74KB

MD5
cebd99ee7d6a77c7f695b73f6f505ce5

SHA1
7cdc09e11d071897ca5c0ec2d1f781194c78d988

SHA256
52b5a9307d5f104ee8b294457a69c4be1b54bfa3ad7af41af3a36f77a9957037

SHA512
62fe37f2ab39e6024a765c242c9927a425df7a2a8c5ebd8e7e7c1fa90ebc12260d7f838dbe809ea3c84533cc47adef2e1b75d15d501002a99ff6a8410b99d856

Download Submit
\Windows\SysWOW64\Omklkkpl.exe

Filesize
74KB

MD5
cafa2f50e45db08d13d742c57434ff32

SHA1
c74c7bb65a069bfe0a896bede7225130213a8c36

SHA256
5dfa6e23e2e0934d756096bad6cd6c749b07c3fb994ce6362dda4bb149646e51

SHA512
7f9a95fa9d2363f896ed8e932757d9453f255d01b78f6057a60a94e950fb5199826628f337781ed4074fc25ff4eee9a459d77c951d6b70d65c390d144f2d3d0c

Download Submit
\Windows\SysWOW64\Onfoin32.exe

Filesize
74KB

MD5
ef29d5a5f3b037f7b8392c67243e2fa5

SHA1
34baa265dccf91cf0e6c1c084d1cc8d11fe9dc97

SHA256
e7b5f7c82149c5215f0aa01a2b965c6341a62b182e41ad7a900078b84efcdb29

SHA512
e54a337bc14ea9ff86c6b95efc026625144c9c58c42a0d9d342dae6378b6e411020ec59e1d111e21068a1743c014878bd5f132bae62c36d8f4cc7d120e34e3bc

Download Submit
memory/272-408-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/272-398-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/272-409-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/316-313-0x0000000000330000-0x0000000000367000-memory.dmp

Filesize
220KB

Download
memory/316-307-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/316-318-0x0000000000330000-0x0000000000367000-memory.dmp

Filesize
220KB

Download
memory/484-373-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/484-52-0x0000000000310000-0x0000000000347000-memory.dmp

Filesize
220KB

Download
memory/484-40-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/584-466-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/592-395-0x0000000000270000-0x00000000002A7000-memory.dmp

Filesize
220KB

Download
memory/592-396-0x0000000000270000-0x00000000002A7000-memory.dmp

Filesize
220KB

Download
memory/592-386-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/600-306-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/600-308-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/600-297-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/676-483-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/784-275-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/784-266-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/936-262-0x00000000002F0000-0x0000000000327000-memory.dmp

Filesize
220KB

Download
memory/936-256-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/960-217-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/960-224-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/1320-440-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1320-431-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1564-237-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1564-243-0x0000000000280000-0x00000000002B7000-memory.dmp

Filesize
220KB

Download
memory/1568-189-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1684-149-0x00000000002B0000-0x00000000002E7000-memory.dmp

Filesize
220KB

Download
memory/1684-471-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1688-410-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1712-164-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1712-493-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1712-172-0x0000000000270000-0x00000000002A7000-memory.dmp

Filesize
220KB

Download
memory/1732-296-0x0000000000290000-0x00000000002C7000-memory.dmp

Filesize
220KB

Download
memory/1732-292-0x0000000000290000-0x00000000002C7000-memory.dmp

Filesize
220KB

Download
memory/1744-199-0x0000000000290000-0x00000000002C7000-memory.dmp

Filesize
220KB

Download
memory/1744-191-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1796-446-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1892-420-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1892-429-0x0000000000290000-0x00000000002C7000-memory.dmp

Filesize
220KB

Download
memory/1948-228-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1988-456-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1988-125-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1988-131-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/1992-247-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1996-503-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2104-492-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2104-502-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2264-319-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2264-328-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2368-151-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2368-482-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2380-17-0x0000000000380000-0x00000000003B7000-memory.dmp

Filesize
220KB

Download
memory/2380-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2380-18-0x0000000000380000-0x00000000003B7000-memory.dmp

Filesize
220KB

Download
memory/2380-339-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2380-341-0x0000000000380000-0x00000000003B7000-memory.dmp

Filesize
220KB

Download
memory/2540-103-0x0000000000280000-0x00000000002B7000-memory.dmp

Filesize
220KB

Download
memory/2540-97-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2540-430-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2592-461-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2592-451-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2652-286-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2652-282-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2652-276-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2664-374-0x0000000000300000-0x0000000000337000-memory.dmp

Filesize
220KB

Download
memory/2664-364-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2680-383-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2680-384-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/2732-342-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2788-407-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2788-69-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2804-338-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2804-340-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2804-329-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2856-419-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2856-81-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2856-89-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/2888-361-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2888-363-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2888-351-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2936-472-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2936-478-0x0000000000260000-0x0000000000297000-memory.dmp

Filesize
220KB

Download
memory/2952-27-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2952-362-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2952-352-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2980-397-0x0000000000300000-0x0000000000337000-memory.dmp

Filesize
220KB

Download
memory/2980-385-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2980-61-0x0000000000300000-0x0000000000337000-memory.dmp

Filesize
220KB

Download
memory/2980-54-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3000-19-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3056-109-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3056-122-0x00000000002A0000-0x00000000002D7000-memory.dmp

Filesize
220KB

Download
memory/3056-117-0x00000000002A0000-0x00000000002D7000-memory.dmp

Filesize
220KB

Download
memory/3056-444-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads