berbew | cf55c11d6d082153a3ad738eeef765a2569e4b66563e3569a5de221c7100959a

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11-01-2025 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf55c11d6d082153a3ad738eeef765a2569e4b66563e3569a5de221c7100959a.exe
Size

88KB
MD5

45e26589456fe161cef273dea363921d
SHA1

655a4761aa0de283322fb34dad00448fefe330fd
SHA256

cf55c11d6d082153a3ad738eeef765a2569e4b66563e3569a5de221c7100959a
SHA512

d87780fa60afa63124e0a2d9fc92003d9144b0f3d45718239feb04522100d604e75d9748ba18f1bad9531567ab476dde8aa76fb281103c790ffa22f745ecaf38
SSDEEP

1536:DLNGJMx1xmboaFG5VvGyr/Z+hCg8MJPdXnouy8T:DxG2mFk5lGyr/YCg8MNd3outT

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Poocpnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Achojp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pngphgbf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Alhmjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnielm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ackkppma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onbgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjnmlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaheie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afgkfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aigchgkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okfgfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pokieo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pokieo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilhhdga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nljddpfe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocalkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qngmgjeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cf55c11d6d082153a3ad738eeef765a2569e4b66563e3569a5de221c7100959a.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjnamh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abphal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkmdpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onbgmg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akmjfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beejng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nilhhdga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdaheq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjnmlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Behgcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	cf55c11d6d082153a3ad738eeef765a2569e4b66563e3569a5de221c7100959a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oegbheiq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odlojanh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baadng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Piekcd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgmdjp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balkchpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okanklik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odlojanh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okfgfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Picnndmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdaheq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akmjfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afgkfl32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 49 IoCs

pid	Process
2488	Nilhhdga.exe
2872	Nljddpfe.exe
2932	Nkmdpm32.exe
2460	Oeeecekc.exe
484	Okanklik.exe
1844	Oegbheiq.exe
2124	Onbgmg32.exe
2188	Odlojanh.exe
3028	Okfgfl32.exe
2744	Ocalkn32.exe
2532	Pngphgbf.exe
496	Pdaheq32.exe
2144	Pjnamh32.exe
2152	Pokieo32.exe
2296	Picnndmb.exe
2212	Pomfkndo.exe
2312	Piekcd32.exe
688	Poocpnbm.exe
1752	Pihgic32.exe
2000	Pkfceo32.exe
1744	Qgmdjp32.exe
2448	Qngmgjeb.exe
1628	Qgoapp32.exe
2616	Qjnmlk32.exe
1572	Aaheie32.exe
2812	Akmjfn32.exe
2716	Achojp32.exe
2708	Afgkfl32.exe
2500	Aaloddnn.exe
572	Ackkppma.exe
3016	Aigchgkh.exe
1184	Abphal32.exe
1280	Afkdakjb.exe
3060	Alhmjbhj.exe
2504	Abbeflpf.exe
2548	Aeqabgoj.exe
380	Bnielm32.exe
1740	Becnhgmg.exe
2440	Bbgnak32.exe
2300	Beejng32.exe
1528	Balkchpi.exe
1240	Behgcf32.exe
1796	Blaopqpo.exe
736	Bejdiffp.exe
2012	Bdmddc32.exe
1556	Baadng32.exe
1892	Cdoajb32.exe
2684	Ckiigmcd.exe
3008	Cacacg32.exe

Loads dropped DLL 64 IoCs

pid	Process
2956	cf55c11d6d082153a3ad738eeef765a2569e4b66563e3569a5de221c7100959a.exe
2956	cf55c11d6d082153a3ad738eeef765a2569e4b66563e3569a5de221c7100959a.exe
2488	Nilhhdga.exe
2488	Nilhhdga.exe
2872	Nljddpfe.exe
2872	Nljddpfe.exe
2932	Nkmdpm32.exe
2932	Nkmdpm32.exe
2460	Oeeecekc.exe
2460	Oeeecekc.exe
484	Okanklik.exe
484	Okanklik.exe
1844	Oegbheiq.exe
1844	Oegbheiq.exe
2124	Onbgmg32.exe
2124	Onbgmg32.exe
2188	Odlojanh.exe
2188	Odlojanh.exe
3028	Okfgfl32.exe
3028	Okfgfl32.exe
2744	Ocalkn32.exe
2744	Ocalkn32.exe
2532	Pngphgbf.exe
2532	Pngphgbf.exe
496	Pdaheq32.exe
496	Pdaheq32.exe
2144	Pjnamh32.exe
2144	Pjnamh32.exe
2152	Pokieo32.exe
2152	Pokieo32.exe
2296	Picnndmb.exe
2296	Picnndmb.exe
2212	Pomfkndo.exe
2212	Pomfkndo.exe
2312	Piekcd32.exe
2312	Piekcd32.exe
688	Poocpnbm.exe
688	Poocpnbm.exe
1752	Pihgic32.exe
1752	Pihgic32.exe
2000	Pkfceo32.exe
2000	Pkfceo32.exe
1744	Qgmdjp32.exe
1744	Qgmdjp32.exe
2448	Qngmgjeb.exe
2448	Qngmgjeb.exe
1628	Qgoapp32.exe
1628	Qgoapp32.exe
2616	Qjnmlk32.exe
2616	Qjnmlk32.exe
1572	Aaheie32.exe
1572	Aaheie32.exe
2812	Akmjfn32.exe
2812	Akmjfn32.exe
2716	Achojp32.exe
2716	Achojp32.exe
2708	Afgkfl32.exe
2708	Afgkfl32.exe
2500	Aaloddnn.exe
2500	Aaloddnn.exe
572	Ackkppma.exe
572	Ackkppma.exe
3016	Aigchgkh.exe
3016	Aigchgkh.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nilhhdga.exe	cf55c11d6d082153a3ad738eeef765a2569e4b66563e3569a5de221c7100959a.exe
File created	C:\Windows\SysWOW64\Pokieo32.exe	Pjnamh32.exe
File opened for modification	C:\Windows\SysWOW64\Pkfceo32.exe	Pihgic32.exe
File created	C:\Windows\SysWOW64\Hjojco32.dll	Qngmgjeb.exe
File created	C:\Windows\SysWOW64\Dnabbkhk.dll	Baadng32.exe
File opened for modification	C:\Windows\SysWOW64\Nljddpfe.exe	Nilhhdga.exe
File created	C:\Windows\SysWOW64\Oepbgcpb.dll	Okfgfl32.exe
File created	C:\Windows\SysWOW64\Lapefgai.dll	Pomfkndo.exe
File created	C:\Windows\SysWOW64\Cophek32.dll	Achojp32.exe
File opened for modification	C:\Windows\SysWOW64\Becnhgmg.exe	Bnielm32.exe
File opened for modification	C:\Windows\SysWOW64\Aeqabgoj.exe	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Ckiigmcd.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Elaieh32.dll	Nilhhdga.exe
File created	C:\Windows\SysWOW64\Ocalkn32.exe	Okfgfl32.exe
File created	C:\Windows\SysWOW64\Aipheffp.dll	Pihgic32.exe
File created	C:\Windows\SysWOW64\Lmmlmd32.dll	Abphal32.exe
File created	C:\Windows\SysWOW64\Alhmjbhj.exe	Afkdakjb.exe
File created	C:\Windows\SysWOW64\Piekcd32.exe	Pomfkndo.exe
File created	C:\Windows\SysWOW64\Okbekdoi.dll	Akmjfn32.exe
File opened for modification	C:\Windows\SysWOW64\Beejng32.exe	Bbgnak32.exe
File created	C:\Windows\SysWOW64\Hpggbq32.dll	Ackkppma.exe
File opened for modification	C:\Windows\SysWOW64\Abphal32.exe	Aigchgkh.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	Baadng32.exe
File opened for modification	C:\Windows\SysWOW64\Ckiigmcd.exe	Cdoajb32.exe
File opened for modification	C:\Windows\SysWOW64\Nilhhdga.exe	cf55c11d6d082153a3ad738eeef765a2569e4b66563e3569a5de221c7100959a.exe
File opened for modification	C:\Windows\SysWOW64\Qngmgjeb.exe	Qgmdjp32.exe
File created	C:\Windows\SysWOW64\Abphal32.exe	Aigchgkh.exe
File created	C:\Windows\SysWOW64\Cmelgapq.dll	Qgmdjp32.exe
File created	C:\Windows\SysWOW64\Beejng32.exe	Bbgnak32.exe
File opened for modification	C:\Windows\SysWOW64\Odlojanh.exe	Onbgmg32.exe
File opened for modification	C:\Windows\SysWOW64\Aaheie32.exe	Qjnmlk32.exe
File opened for modification	C:\Windows\SysWOW64\Blaopqpo.exe	Behgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Baadng32.exe	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Qjnmlk32.exe	Qgoapp32.exe
File opened for modification	C:\Windows\SysWOW64\Behgcf32.exe	Balkchpi.exe
File created	C:\Windows\SysWOW64\Ifbgfk32.dll	Ocalkn32.exe
File opened for modification	C:\Windows\SysWOW64\Pjnamh32.exe	Pdaheq32.exe
File created	C:\Windows\SysWOW64\Pkfceo32.exe	Pihgic32.exe
File created	C:\Windows\SysWOW64\Qngmgjeb.exe	Qgmdjp32.exe
File opened for modification	C:\Windows\SysWOW64\Oegbheiq.exe	Okanklik.exe
File created	C:\Windows\SysWOW64\Doojhgfa.dll	Pkfceo32.exe
File opened for modification	C:\Windows\SysWOW64\Qgoapp32.exe	Qngmgjeb.exe
File created	C:\Windows\SysWOW64\Achojp32.exe	Akmjfn32.exe
File created	C:\Windows\SysWOW64\Dhnook32.dll	Balkchpi.exe
File opened for modification	C:\Windows\SysWOW64\Nkmdpm32.exe	Nljddpfe.exe
File created	C:\Windows\SysWOW64\Koldhi32.dll	Afkdakjb.exe
File opened for modification	C:\Windows\SysWOW64\Cdoajb32.exe	Baadng32.exe
File created	C:\Windows\SysWOW64\Bfenfipk.dll	cf55c11d6d082153a3ad738eeef765a2569e4b66563e3569a5de221c7100959a.exe
File opened for modification	C:\Windows\SysWOW64\Pokieo32.exe	Pjnamh32.exe
File opened for modification	C:\Windows\SysWOW64\Akmjfn32.exe	Aaheie32.exe
File opened for modification	C:\Windows\SysWOW64\Afgkfl32.exe	Achojp32.exe
File created	C:\Windows\SysWOW64\Cjnolikh.dll	Bejdiffp.exe
File opened for modification	C:\Windows\SysWOW64\Qgmdjp32.exe	Pkfceo32.exe
File opened for modification	C:\Windows\SysWOW64\Qjnmlk32.exe	Qgoapp32.exe
File created	C:\Windows\SysWOW64\Ackkppma.exe	Aaloddnn.exe
File created	C:\Windows\SysWOW64\Bjpdmqog.dll	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Baadng32.exe	Bdmddc32.exe
File opened for modification	C:\Windows\SysWOW64\Pngphgbf.exe	Ocalkn32.exe
File opened for modification	C:\Windows\SysWOW64\Pomfkndo.exe	Picnndmb.exe
File opened for modification	C:\Windows\SysWOW64\Alhmjbhj.exe	Afkdakjb.exe
File created	C:\Windows\SysWOW64\Bnielm32.exe	Aeqabgoj.exe
File created	C:\Windows\SysWOW64\Becnhgmg.exe	Bnielm32.exe
File created	C:\Windows\SysWOW64\Pngphgbf.exe	Ocalkn32.exe
File created	C:\Windows\SysWOW64\Hmomkh32.dll	Pjnamh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2676	3008	WerFault.exe	78

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljddpfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oegbheiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokieo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poocpnbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pihgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkfceo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qngmgjeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf55c11d6d082153a3ad738eeef765a2569e4b66563e3569a5de221c7100959a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aigchgkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjnmlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odlojanh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okfgfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgoapp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abphal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afkdakjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oeeecekc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pngphgbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdaheq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjnamh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Picnndmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piekcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beejng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balkchpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onbgmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaheie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afgkfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abbeflpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeqabgoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Becnhgmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilhhdga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okanklik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ackkppma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alhmjbhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaopqpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkmdpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akmjfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaloddnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnielm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pomfkndo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgmdjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achojp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbgnak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocalkn32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plfmnipm.dll"	Pngphgbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elmnchif.dll"	Aaheie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beejng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkmdpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oegbheiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kganqf32.dll"	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlgcclp.dll"	Qjnmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfenfipk.dll"	cf55c11d6d082153a3ad738eeef765a2569e4b66563e3569a5de221c7100959a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmelgapq.dll"	Qgmdjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpggbq32.dll"	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imogmg32.dll"	Piekcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocalkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Akmjfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oeeecekc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcnilecc.dll"	Oegbheiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Poocpnbm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nljddpfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmcmdd32.dll"	Okanklik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Alhmjbhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmfff32.dll"	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elaieh32.dll"	Nilhhdga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Piekcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khcpdm32.dll"	Nljddpfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Poocpnbm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgmdjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afgkfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aigchgkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdiadenf.dll"	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehieciqq.dll"	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nljddpfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hocjoqin.dll"	Beejng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qngmgjeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qjnmlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aaloddnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennlme32.dll"	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oeeecekc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aohjlnjk.dll"	Odlojanh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qngmgjeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	cf55c11d6d082153a3ad738eeef765a2569e4b66563e3569a5de221c7100959a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oepbgcpb.dll"	Okfgfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjnolikh.dll"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	cf55c11d6d082153a3ad738eeef765a2569e4b66563e3569a5de221c7100959a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkfceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qjnmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aaheie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Okanklik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oegbheiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocalkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pkfceo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abphal32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2488	2956	cf55c11d6d082153a3ad738eeef765a2569e4b66563e3569a5de221c7100959a.exe	30
PID 2956 wrote to memory of 2488	2956	cf55c11d6d082153a3ad738eeef765a2569e4b66563e3569a5de221c7100959a.exe	30
PID 2956 wrote to memory of 2488	2956	cf55c11d6d082153a3ad738eeef765a2569e4b66563e3569a5de221c7100959a.exe	30
PID 2956 wrote to memory of 2488	2956	cf55c11d6d082153a3ad738eeef765a2569e4b66563e3569a5de221c7100959a.exe	30
PID 2488 wrote to memory of 2872	2488	Nilhhdga.exe	31
PID 2488 wrote to memory of 2872	2488	Nilhhdga.exe	31
PID 2488 wrote to memory of 2872	2488	Nilhhdga.exe	31
PID 2488 wrote to memory of 2872	2488	Nilhhdga.exe	31
PID 2872 wrote to memory of 2932	2872	Nljddpfe.exe	32
PID 2872 wrote to memory of 2932	2872	Nljddpfe.exe	32
PID 2872 wrote to memory of 2932	2872	Nljddpfe.exe	32
PID 2872 wrote to memory of 2932	2872	Nljddpfe.exe	32
PID 2932 wrote to memory of 2460	2932	Nkmdpm32.exe	33
PID 2932 wrote to memory of 2460	2932	Nkmdpm32.exe	33
PID 2932 wrote to memory of 2460	2932	Nkmdpm32.exe	33
PID 2932 wrote to memory of 2460	2932	Nkmdpm32.exe	33
PID 2460 wrote to memory of 484	2460	Oeeecekc.exe	34
PID 2460 wrote to memory of 484	2460	Oeeecekc.exe	34
PID 2460 wrote to memory of 484	2460	Oeeecekc.exe	34
PID 2460 wrote to memory of 484	2460	Oeeecekc.exe	34
PID 484 wrote to memory of 1844	484	Okanklik.exe	35
PID 484 wrote to memory of 1844	484	Okanklik.exe	35
PID 484 wrote to memory of 1844	484	Okanklik.exe	35
PID 484 wrote to memory of 1844	484	Okanklik.exe	35
PID 1844 wrote to memory of 2124	1844	Oegbheiq.exe	36
PID 1844 wrote to memory of 2124	1844	Oegbheiq.exe	36
PID 1844 wrote to memory of 2124	1844	Oegbheiq.exe	36
PID 1844 wrote to memory of 2124	1844	Oegbheiq.exe	36
PID 2124 wrote to memory of 2188	2124	Onbgmg32.exe	37
PID 2124 wrote to memory of 2188	2124	Onbgmg32.exe	37
PID 2124 wrote to memory of 2188	2124	Onbgmg32.exe	37
PID 2124 wrote to memory of 2188	2124	Onbgmg32.exe	37
PID 2188 wrote to memory of 3028	2188	Odlojanh.exe	38
PID 2188 wrote to memory of 3028	2188	Odlojanh.exe	38
PID 2188 wrote to memory of 3028	2188	Odlojanh.exe	38
PID 2188 wrote to memory of 3028	2188	Odlojanh.exe	38
PID 3028 wrote to memory of 2744	3028	Okfgfl32.exe	39
PID 3028 wrote to memory of 2744	3028	Okfgfl32.exe	39
PID 3028 wrote to memory of 2744	3028	Okfgfl32.exe	39
PID 3028 wrote to memory of 2744	3028	Okfgfl32.exe	39
PID 2744 wrote to memory of 2532	2744	Ocalkn32.exe	40
PID 2744 wrote to memory of 2532	2744	Ocalkn32.exe	40
PID 2744 wrote to memory of 2532	2744	Ocalkn32.exe	40
PID 2744 wrote to memory of 2532	2744	Ocalkn32.exe	40
PID 2532 wrote to memory of 496	2532	Pngphgbf.exe	41
PID 2532 wrote to memory of 496	2532	Pngphgbf.exe	41
PID 2532 wrote to memory of 496	2532	Pngphgbf.exe	41
PID 2532 wrote to memory of 496	2532	Pngphgbf.exe	41
PID 496 wrote to memory of 2144	496	Pdaheq32.exe	42
PID 496 wrote to memory of 2144	496	Pdaheq32.exe	42
PID 496 wrote to memory of 2144	496	Pdaheq32.exe	42
PID 496 wrote to memory of 2144	496	Pdaheq32.exe	42
PID 2144 wrote to memory of 2152	2144	Pjnamh32.exe	43
PID 2144 wrote to memory of 2152	2144	Pjnamh32.exe	43
PID 2144 wrote to memory of 2152	2144	Pjnamh32.exe	43
PID 2144 wrote to memory of 2152	2144	Pjnamh32.exe	43
PID 2152 wrote to memory of 2296	2152	Pokieo32.exe	44
PID 2152 wrote to memory of 2296	2152	Pokieo32.exe	44
PID 2152 wrote to memory of 2296	2152	Pokieo32.exe	44
PID 2152 wrote to memory of 2296	2152	Pokieo32.exe	44
PID 2296 wrote to memory of 2212	2296	Picnndmb.exe	45
PID 2296 wrote to memory of 2212	2296	Picnndmb.exe	45
PID 2296 wrote to memory of 2212	2296	Picnndmb.exe	45
PID 2296 wrote to memory of 2212	2296	Picnndmb.exe	45

C:\Users\Admin\AppData\Local\Temp\cf55c11d6d082153a3ad738eeef765a2569e4b66563e3569a5de221c7100959a.exe
"C:\Users\Admin\AppData\Local\Temp\cf55c11d6d082153a3ad738eeef765a2569e4b66563e3569a5de221c7100959a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\SysWOW64\Nilhhdga.exe
  C:\Windows\system32\Nilhhdga.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\Nljddpfe.exe
    C:\Windows\system32\Nljddpfe.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\SysWOW64\Nkmdpm32.exe
      C:\Windows\system32\Nkmdpm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2932
    - - C:\Windows\SysWOW64\Oeeecekc.exe
        
        C:\Windows\system32\Oeeecekc.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
      - C:\Windows\SysWOW64\Okanklik.exe
        
        C:\Windows\system32\Okanklik.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:484
        
        C:\Windows\SysWOW64\Oegbheiq.exe
        
        C:\Windows\system32\Oegbheiq.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Onbgmg32.exe
        
        C:\Windows\system32\Onbgmg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Odlojanh.exe
        
        C:\Windows\system32\Odlojanh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\Okfgfl32.exe
        
        C:\Windows\system32\Okfgfl32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Ocalkn32.exe
        
        C:\Windows\system32\Ocalkn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Pngphgbf.exe
        
        C:\Windows\system32\Pngphgbf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Pdaheq32.exe
        
        C:\Windows\system32\Pdaheq32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:496
        
        C:\Windows\SysWOW64\Pjnamh32.exe
        
        C:\Windows\system32\Pjnamh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Pokieo32.exe
        
        C:\Windows\system32\Pokieo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Picnndmb.exe
        
        C:\Windows\system32\Picnndmb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Pomfkndo.exe
        
        C:\Windows\system32\Pomfkndo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\Piekcd32.exe
        
        C:\Windows\system32\Piekcd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Poocpnbm.exe
        
        C:\Windows\system32\Poocpnbm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Pihgic32.exe
        
        C:\Windows\system32\Pihgic32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\Pkfceo32.exe
        
        C:\Windows\system32\Pkfceo32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Qgmdjp32.exe
        
        C:\Windows\system32\Qgmdjp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Qngmgjeb.exe
        
        C:\Windows\system32\Qngmgjeb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Qgoapp32.exe
        
        C:\Windows\system32\Qgoapp32.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Qjnmlk32.exe
        
        C:\Windows\system32\Qjnmlk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Aaheie32.exe
        
        C:\Windows\system32\Aaheie32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Akmjfn32.exe
        
        C:\Windows\system32\Akmjfn32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Achojp32.exe
        
        C:\Windows\system32\Achojp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Afgkfl32.exe
        
        C:\Windows\system32\Afgkfl32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Aaloddnn.exe
        
        C:\Windows\system32\Aaloddnn.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Ackkppma.exe
        
        C:\Windows\system32\Ackkppma.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\Aigchgkh.exe
        
        C:\Windows\system32\Aigchgkh.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Abphal32.exe
        
        C:\Windows\system32\Abphal32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\Afkdakjb.exe
        
        C:\Windows\system32\Afkdakjb.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Alhmjbhj.exe
        
        C:\Windows\system32\Alhmjbhj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Abbeflpf.exe
        
        C:\Windows\system32\Abbeflpf.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Aeqabgoj.exe
        
        C:\Windows\system32\Aeqabgoj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Bnielm32.exe
        
        C:\Windows\system32\Bnielm32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Becnhgmg.exe
        
        C:\Windows\system32\Becnhgmg.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Bbgnak32.exe
        
        C:\Windows\system32\Bbgnak32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\Beejng32.exe
        
        C:\Windows\system32\Beejng32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Balkchpi.exe
        
        C:\Windows\system32\Balkchpi.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\SysWOW64\Blaopqpo.exe
        
        C:\Windows\system32\Blaopqpo.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:736
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 140
        51⤵
        Program crash
        
        PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaheie32.exe

Filesize
88KB

MD5
536c509b07f0293b7b138de3f0da90b7

SHA1
7baf1c3176a0b184899d454a59b2445186cdf564

SHA256
3f96da0be0f4d779951067d4c6a3028cef5f4bfde2274bd8cb2c85dbf08b3b15

SHA512
0957afc33b2479cf550f8c018cfe46e8c471782165c3c08eb7cc5b614b8018fc960dbdfac7d5a761b547841c0fbf5afd97dd826b88557220230e90ba40c761b4

Download Submit
C:\Windows\SysWOW64\Aaloddnn.exe

Filesize
88KB

MD5
fa32e85a43ef592f04b411935cee035d

SHA1
81cf5e693bf385de78f624c596ae36263cd8ffa7

SHA256
604a79ef49173f88fe9b0ae20fb9af1cc4ed37120f486178afbfa192ae7cc4dc

SHA512
43060cafb36e73c284883caf7119ac1cd52b175c6411182eb855127c02ba6b38be0bfbd66afb7d61f22e93825ba908f340b9ea8eb9c88c678fc4e3a2c814d45f

Download Submit
C:\Windows\SysWOW64\Abbeflpf.exe

Filesize
88KB

MD5
df4fb2469f946b9a0e79d9635c770cd1

SHA1
50e9752875be793cdb749f17df1fe610aa5b8da0

SHA256
b4ec25625b5b914f23ecddabd9c62b34b61815b0b7233e77acb09a9b14a40da3

SHA512
10dcf2738574912345eb2d8178a3f83c57d601565bbee3aea84d3778ae5d83140aba41b5929c63b97c1e76552303d3c083d3003e562769ed2575f84c8e70a42a

Download Submit
C:\Windows\SysWOW64\Abphal32.exe

Filesize
88KB

MD5
72b51f19fccf6a2d5ff4297a1f4b4331

SHA1
d314071629d156ac1133db3befb1c543d4fc8b1d

SHA256
028504acaa31c81f598da3d16e24fafbdbd1a5e4a83b15878428068fbfa225d3

SHA512
db0a14d151fdfa16db00e87d9c451850e9ecf469bf3af976f3d1e0edc5ea1265fcbf3e654fb6af362971b488019412104f4fea7d6f5f4d116fd0058ac86540cb

Download Submit
C:\Windows\SysWOW64\Achojp32.exe

Filesize
88KB

MD5
5191d741ea94213c2dc7ec2de1ac9cd2

SHA1
7e6a057220f18a58b872d79d1167849600481b1f

SHA256
9e3fa87ec43afe6e047ff65912a5c983a40e612a66d7f796ecb663e849ae613c

SHA512
b4971549a8478cf3ba1951429f06b3e5d191d2c8d6750752e5953ce38b2d1f4e9ab8f41ac91c9426019068f03eddc184f538ddd0655508d15ef666ab34911604

Download Submit
C:\Windows\SysWOW64\Ackkppma.exe

Filesize
88KB

MD5
b127986084440bea8b692da56ea5d98d

SHA1
06d2708d6165a66e1625fc1feb84230dfe152e11

SHA256
0cfe27c14dd60c51a31e80e150c08b49711138cc40177228542f9e796b7ffaf1

SHA512
ee08d97911aa67113916a805a60186cf2cc02a3a04ab2426b58daa875fbd41e154c6ea5b638959fa6a504cf02d6b8d96f5360ab7b0ddc8eb1b069de7b5b0d97a

Download Submit
C:\Windows\SysWOW64\Aeqabgoj.exe

Filesize
88KB

MD5
739676d854fdeae3fe5f17d8de7d8a5c

SHA1
db22ff8039713d804c63bc526e35ed8bde7148bb

SHA256
ed9ef777e68da975fd647c8c4bcb4bf7c78af1806156f49dfdd83f18fdbd4f95

SHA512
12c8fb4e1e9c3561c510666378f27f62204134d9aaf6893555d8277289aed7dbc028c71846b6e49e05fa943723dcc65ce477114e4a6242f550f9ed2f310d9ad9

Download Submit
C:\Windows\SysWOW64\Afgkfl32.exe

Filesize
88KB

MD5
8ac1eb715c5f8502a67fc34cae977b84

SHA1
1a75a65c642e4d6601f0749e395af27dd9930f55

SHA256
665f3c185deaac462f6addc27a5c64e653e571925671bc85dbf4651d6ccebe46

SHA512
7d25a1df145b71921b5d5a42865072dbbd1151d4c02d80c13e98b83140e7108d794f94a31b9f104da1ec0a53ae2f9b7e6ef1541a22b8d1467a32f708fe76aa60

Download Submit
C:\Windows\SysWOW64\Afkdakjb.exe

Filesize
88KB

MD5
e4795fbdd7671dc344684d5cd4b9ea62

SHA1
ab01e9236557115d70a570c7474dc5f759dfb68d

SHA256
6ce61ddd21f57905e75d892b649d225393ab387841438f546c4f32488f93f82b

SHA512
2aa5b6da77e478701b50c82abaa4ff3dd244076b98312a1d13aa901dea94db114bb897c3fc202c09b9c98ee4f5ee4035f270711c08c1dfbcc3c45850c4d4f7c6

Download Submit
C:\Windows\SysWOW64\Aigchgkh.exe

Filesize
88KB

MD5
b832bd383c65fe4c3c17045f48d66c04

SHA1
05888e85b37ba97cbfe3a02979d725631b622540

SHA256
fa902a2a138084638698b458971d74d70f29390f2aea95ec0583900373b1f91f

SHA512
b6222f4117fd0d65c7319eda9ba5e8ec0a8e0e6e33ccb217de4cb5de6edf988991388968d18d0d4007696948cdfd4f0ca037ea66b8d8f9c1d86ce8f9edf78189

Download Submit
C:\Windows\SysWOW64\Akmjfn32.exe

Filesize
88KB

MD5
464058d6b4b79d0ffbceb61d281bf9b2

SHA1
bf069deaff637a8837a8de583e04eec13f28c2fb

SHA256
2417ce03f645e979dead3979eb3680ef7e56ca24478008152489791b7c7598bc

SHA512
df3ef329c93aa56d2b7c3313048a7a2a4b88ff60fc62d3cb37617d04d056a3686b30dc100e99610c849a909716662408c454beeb5584315acecab22bd2350d34

Download Submit
C:\Windows\SysWOW64\Alhmjbhj.exe

Filesize
88KB

MD5
edaf53dcb23febbfb75320890102e6ed

SHA1
870697c0c8dfd2fd91db1b7498fcd8707ba901be

SHA256
ea00dc51be09524fa4d3b45d48b4424e128ea4cdb64ccc276be5998290d105ae

SHA512
b90d65d171a3248f5e58f0dd2c61ea57c3c6e778d973487cd59bf5440417b6230af9ca8699be2540821b2f22976b1aee4168963b90c904fdd599746ed8424e93

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
88KB

MD5
b70ee2f52135648d022b4dd005ed11d7

SHA1
eea5f4b563d940bccbd27f15f2ca237ef60d2a92

SHA256
7018d0caf89d48584e64b94d13d327a655397a69d59129fdfe39a3424e32c351

SHA512
c120c8e501d174b27951e0446a710961d08cd672f065ae082efa51c3821ab2b7c0da41cc1da4e313b24e40ba5aff003435864b9981c7a8e52c69bb0d94fbf1c0

Download Submit
C:\Windows\SysWOW64\Balkchpi.exe

Filesize
88KB

MD5
e5293b36b4074bf22d7aa6ba8b24db40

SHA1
0a367d3a4d651904c866f511128748a65c1a4f45

SHA256
c981bec6a6a1518e8854966cd0db9d1ca7430f0bca10a15f07568cc821e7ef15

SHA512
226c8fddd74cd0962dd435a71fdba06d11de5704277f3353c773bb493cbf2154a72763b2dfbfcfda001b08e145dfbf67bb2b75c122d019729bcc87de592f0bce

Download Submit
C:\Windows\SysWOW64\Bbgnak32.exe

Filesize
88KB

MD5
708f549058f558c9690a13bd379fb13a

SHA1
1b557badf35b1846cca2ddd384d938e64d7f2490

SHA256
8cf9361ced4cc9a747fc491b70ce86d50cb6dcd998a7c662faac1a70f0c7afe1

SHA512
df4de274283a140a4deda98b14cda1d6a9ecbb1e74d650b6df3f43e9311fbde82f098872aef2d7a82468cee1054ce30b56ad194d722f3d6df830521fa5fa2cb9

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
88KB

MD5
6845816267a25cdedc02d04ec7eb887b

SHA1
b98a521ff4452d28fb4003bb0ebe10bc3e74eebd

SHA256
89ccb923460067601050dc5d28bcd41452a1fcb5e9629c96a44bc7989e45e1a0

SHA512
135d66f261f75aa94a0b0ffc137eb157017691779c20367114ac7aee7755597add7ea0be38af508b581c711362e81d4c53e063be0bc3930700040c5664d7f478

Download Submit
C:\Windows\SysWOW64\Becnhgmg.exe

Filesize
88KB

MD5
8451fe561292f4bf8b86cb284492f8e9

SHA1
486142bb556550a6157f076f522e9e9ea65e9118

SHA256
cdd7a3f6fae15e31f7ec1ea446b33129d5d10a71768f7f88b44949d7cd79cd3c

SHA512
98cef45030a5ee657a1dc9c514ad5fd1724026a2599f7d2c16f56c9dbbae63566725de1ab05b5b76ead0334ecc1d8e9c966e6920d5a01dc626557146b01a6acd

Download Submit
C:\Windows\SysWOW64\Beejng32.exe

Filesize
88KB

MD5
b8a19d0496fedc5610fab80df51dd511

SHA1
168addc8f8190829837fdf9aa61f7145b0d5173d

SHA256
ad523f24fee6891ebcfcf729562f0d6aac432834f42486e8d1b8d066fa907eb2

SHA512
1a123af2ac32c2e1928b770f664d8b8cd9258d8f2e0f4ebbd3eac50141212101d65946b6eb7076f3c5d31a1ff8eb15cbde0472ccdd67d1df4c682322c46607f7

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
88KB

MD5
4b6bd5020a11281ac10f49fbbcc6a7b2

SHA1
bd37550b6f56ad2b1cd823743d25dc2e1a563692

SHA256
48df1c183cb87106f0f6d7e8c237f0e79abf1883b7daeae4a90be57f67035a52

SHA512
a1a93deaf58a78436d6d4244e0b37e399e88d5e4d79d9d0295effac667f0e720b965bc086d680e01f2ac185040674dcffa3f7d9252b14e8ba1ffc1d4038dc5e5

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
88KB

MD5
dac30dd31909440faab52853753a9a70

SHA1
90f7ddf677bea7504fd78f5393295224b289448a

SHA256
94dae9d8d5c11c76a09aab9cd7ce6557d830bddbf23fae8dd34bbde30859cb0f

SHA512
f4346774a38f6220dbd14a85b43b6b453c2109cc1f303ddfa3f040a35004fec256a82515c02fdb5af43a7cd5109f66c2bb292b35a0d9e3a700c14a2c77426aef

Download Submit
C:\Windows\SysWOW64\Blaopqpo.exe

Filesize
88KB

MD5
ed0b1e4cbe2d4c732aa77a0799c6d997

SHA1
483cfa36cffd0e8d1b533e5febb6be4b1e54cf11

SHA256
ae7a3460547293dea25b282dae53068107602a43245487ba15ed2492231e3487

SHA512
a5dd7442d44943aca040baf043ab063df1ea65d9a187b4e36d961deabd1f542c2719809e33ea6074372e2440462b10205f897dbf1ae9f7125e77981503bdc328

Download Submit
C:\Windows\SysWOW64\Bnielm32.exe

Filesize
88KB

MD5
2000ac9a513840366c1c0d3d55680ed9

SHA1
15a52a45a2fba2225c1b475617938db6641d02f0

SHA256
244d961f5850e26b826bd1ca0577cc61ad30aeae4b4ff4d2767dae3547d8ef08

SHA512
ef1b795013d84ae9b59eac853e5685110a630e23091c4da22ec0db8182cc8bcb26f28e1365c4fbe41c456af49235b9e6b790e26d33afa6965ffca61cef386071

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
88KB

MD5
856373a622c77f990d5604d79675eb1b

SHA1
17fd1b6bb2ebac075d349763ada969a360d01a84

SHA256
6c0cb201b9e85b78295fb687f72d86d7afca79793c131630acf12a25f0ff54de

SHA512
1185e6fa9b9750d203baa3e419ad155273cf949329625662a3f437804a954890142042240a3c4140b803d43701e0aa7168016507fd4206ea0a910cfa5fc2ef92

Download Submit
C:\Windows\SysWOW64\Cdepma32.dll

Filesize
7KB

MD5
179c8a93848f884ad7a1c9e5511409f7

SHA1
b9a7b59b98b2c37b2934d5eb27116d991d9c8a1e

SHA256
ff3843d1eef8bd1422354c089190936acf39e466da6546db285733f5ad47ca84

SHA512
5f79ff84a6306af84f30d23690112e6f558758566991e209b4a52969eccd8721f5ca59a548d2fc9cefb6d4a0224a0580880d8ff0de46356bd58cf576052ec2a6

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
88KB

MD5
46131ebabb5698b9c41642fbe06d79cc

SHA1
03edd4a690986f8daa24a5c6b6cf3ffd5b86ab37

SHA256
ac1ef4b3b113536ed06a1b92b36f78d232ea77d837238b0722ec10c0a4c29719

SHA512
5fb3c1ea22a66016cdaa7a12d5074b449da4314b39adfdfd7d538fa47453bbf4c096dc7e4d61ddac078fcee722ad225b5c21a1ca28efda17c6b4c38c0a951386

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
88KB

MD5
18d3131c8a6a0c237da01e6ea9baa02a

SHA1
6072f13e3b17ce3cc6e6abe27eacc08e31f88bc8

SHA256
b97fdc97cfc267eaeca06afe4963841c72d353031e24054b4e224be48ff8ac05

SHA512
899c308736668426623f576c514273d73ce00b7912a655df8f40431c411be8813e5427a3fbb061d5b079b6618b7eba591e97a02577e939c0c829799292627f13

Download Submit
C:\Windows\SysWOW64\Nljddpfe.exe

Filesize
88KB

MD5
95b4ead8b23dd5b9753e87ec186ad559

SHA1
a6578cedcad35ec75af553411e276fc412306ebf

SHA256
c6b7490acedcf00560268d4c016a96e911cdcd551f5c07e4736baa6500cc3774

SHA512
6043fedf1ca47a5f5a01df06e05ef57fb01d03be78a9a4dcb4aa0426ff987261bd2f4d017eadefa37f69bbb13b6ebb5197e2773c8e9e6bb4c1a8fbe56886cc79

Download Submit
C:\Windows\SysWOW64\Piekcd32.exe

Filesize
88KB

MD5
68ed1b8e7f094400d3edd3284df38820

SHA1
80d81ee4750bc2c4f0d98a38ee4c7d2bb42db6fb

SHA256
a8fff62ab387bdb8135b3f4219864db90b629f330291b6c9ab2a7ac781aa6c70

SHA512
15f87d519ccd5ae74b8facae7869f08f6cb2c91845a8d6cce7e8d2192da3ba0df55cdbfb0c02a1d5e4af9ebc42dd80a1b618cdc0840e12d8eb0f2d58cfda8b0c

Download Submit
C:\Windows\SysWOW64\Pihgic32.exe

Filesize
88KB

MD5
0bcae9bade0e38f9d449906cdfeec232

SHA1
31a73d23c09a0bd2c2ef7d2c2de8f35cc86b0482

SHA256
52ddf046315d63505d79f5b97572af3c206591e1b6950fc0dc2c6125a8507963

SHA512
097a2b5560172fa98edf6539b7c69b5c303a356a5fd7b8c89472dcf71cfb9051c60c1eda2995d947d70decafe407eddb8b6220a2e6d293c00f5930f5fc4a32a6

Download Submit
C:\Windows\SysWOW64\Pkfceo32.exe

Filesize
88KB

MD5
2683d17fa7909e5280e561030d9166e4

SHA1
0e29b4d170dd9dc39f01bfcc2c625ece26f2d2b5

SHA256
c75a93c8cf1270848d3a05eba0ef68c1868009085a5d2efe070faf9cc576c4e0

SHA512
a547ee1462d1650e6bd451e26e60bb22bd5f887d420c901a83b0d217c6866dfa189d5fae5e9876f060c69eef17412a68811f367f91f4dce4243106f480082d40

Download Submit
C:\Windows\SysWOW64\Poocpnbm.exe

Filesize
88KB

MD5
bf22505a61742a99bf3a794a7314f24e

SHA1
764b1603d9ba080af8105a5d4693cb721163583a

SHA256
e6be38fd5f3eb76dc28439fa2bf61fa7326f1ec3260c86e64f9e5d9034c6e8b5

SHA512
a3c40e7c89d6603fdd63ab311d1ac8f416a892eff177d8c5e12deb3ec2c819a1759084f234121c3cd4c8502b8ed0993c0b786294da23745539f5d70dc9bd044a

Download Submit
C:\Windows\SysWOW64\Qgmdjp32.exe

Filesize
88KB

MD5
7c7f5da674f61d11317c565a5d91832d

SHA1
589889bc1d1043884f803f8897c462d6bb0ea901

SHA256
dfb2305d3d98866b9184b67a1fb77ccd0bb2742fd05c55c753e0694755d559ab

SHA512
4d7d00ba97e6ae81b668b3e1531ada077a678731fa79e1b26c93049e70294024a0b622183b947beac7c483d0963142c74dfd8b07ce7635658385f117d52ee840

Download Submit
C:\Windows\SysWOW64\Qgoapp32.exe

Filesize
88KB

MD5
fb062e4390ae08374de6265861ae94a4

SHA1
6a71a9179adfa59b90a8e9a880d3c9db4c698a65

SHA256
01450ab023fad9b6291cfb96ab96fa44a2e9125432a121b3bcb4766a6178ea32

SHA512
342356ccf8c5f86052ba84711de1243253ddf203ac688f208980de462f3c3c8b63f5f7f6e0bbde0d4d11166cfe852a84cb8d1d92fd5587d298d1d3b5d5bc678e

Download Submit
C:\Windows\SysWOW64\Qjnmlk32.exe

Filesize
88KB

MD5
9581f3495091819ccf25ffa3be0b9fcb

SHA1
86d4471f30c6a70f3117f537a465601b94b3d46e

SHA256
633a4bbc8f3d33e6b144684fea38ef767248e449cbabbabe0144c20001dbaa19

SHA512
e70be67b308c3ff06298e962c07eb7d10dcb2a4b72d4b35137c3edad0972193aaee4ca360248819234933cda3012341c71850838fe52a5eebdc637de09edd1f1

Download Submit
C:\Windows\SysWOW64\Qngmgjeb.exe

Filesize
88KB

MD5
57d4e4601a4bf0d43cd891f58ea57d04

SHA1
870bb95fb1ba25cf8333037f6cf13f0cfe4e7068

SHA256
b4521a3950ce4c4e654ede4125d29a65cb3043c1ae5a94dca45a028ef66348f0

SHA512
03cfc80648085ca658068531b0b683f46939d9040d821c03fc3dcd84801863e59015e35eb8cfa90f8f9d3667022cb7a93ff3df38a13f08100d2268c28ad250e6

Download Submit
\Windows\SysWOW64\Nilhhdga.exe

Filesize
88KB

MD5
38dfbc48cc20a6bf267b3d970d64c82d

SHA1
7e779999bfa285e45b9dee65359c6a7748ece828

SHA256
b7c7a83316c79531dee406aa47b035080458b42d30ad57da59df41ecc5eda753

SHA512
1d248044b9b2b1e8b27cf56b14745e01adf854434bb3abc8c29f3469c40596a9a258a57d3ee9562a3fd7684389cf6f44acc607e749f6b6262c0fda9baecbb8fb

Download Submit
\Windows\SysWOW64\Nkmdpm32.exe

Filesize
88KB

MD5
314671db17336ce31afdecb2cb7ff572

SHA1
2c921c5dd24c2fbc16a6632313ef7e7f517ee29d

SHA256
1a52b0cea87af211c414296e67ae357faa90bb1b534150a34eec6f480f3c1b94

SHA512
76d5f826887ed67b3081ac7cb1a85ab6b8313f006f942386f89ca144852c5d2586317cd9beb1848536b7278841dcab3789951b277341bf340979e5c03d946677

Download Submit
\Windows\SysWOW64\Ocalkn32.exe

Filesize
88KB

MD5
9157f71e103b93dfd5acf3ba59f7c85b

SHA1
11cc2663578c178a3aaa04df9101b0a00cc09bb3

SHA256
3a5a55b9e2bbdbcb876cc4f2bb9b9f1b8e502fc77d508729184975ca3476a471

SHA512
f978dd27b1d0599e4e26752f07e88c36a51743f6864a41169b33fe6ddf9f6b1b8ce5b0ec9cd62ed902a2ab43e1e6ecf238314437086fab6158a4da8679089bcf

Download Submit
\Windows\SysWOW64\Odlojanh.exe

Filesize
88KB

MD5
4301bb66e479165ed8248a3ee590be47

SHA1
62e37aef84c5734ee7277c50b8a3a9a716ebd38f

SHA256
fd45b52756a5f8dc58834709c702dd8e1f9ed271652f8b935e95b36558d94e7a

SHA512
d2a9ae1d3a99e6727d7141a3c14d31311eee17fd265f6930e117863cf2673519ef5f3428305beed4e01d865fde69e9e994f68b5adcd9b669dd0619ebf02f821c

Download Submit
\Windows\SysWOW64\Oeeecekc.exe

Filesize
88KB

MD5
98083181af7551bd5373eb972e2e58e5

SHA1
c99401c9582a555eb0e93f7a548995ee00fa656c

SHA256
4321d15f424f14c456ec1820af4316c781d74f863c46891bbddd58e67f94cd41

SHA512
fa55b14983c3bac41e5862fa12876a1fc7dc09a0646a261af62304e53347119c6d22fe1a79da33e8efbc80e50fada610a425dda17225fe83ded9b71342ae678d

Download Submit
\Windows\SysWOW64\Oegbheiq.exe

Filesize
88KB

MD5
bea4444ae3e85652bbb4c8444fcf5a20

SHA1
90d5a197da8d1ea18b6e50eb9adf225968219523

SHA256
1471ce457c0524b35f3e8fe93dea88011e76fc5ffdf0b25d31d15447444d66a4

SHA512
86edd259da03185c56de571b9a075abfe16cd657794ace14c8517ad606112214a65b21cd0ffe0a48784d340b9b7f4ef6d204b4f8ee589a97712ed819787a48e5

Download Submit
\Windows\SysWOW64\Okanklik.exe

Filesize
88KB

MD5
656dcb838c57330b844074908166b9f3

SHA1
df958a5ec18c401bb96ff898287e4dd01b044812

SHA256
380a7e8a5a0038c13e3b8c30c81d70c4f80388956d8671621dad77d577257024

SHA512
41b8b7327cf6dd8edb5f1b814232233c647f4f9821bbb33afc77939225515140bada2d5e8828906c1f5505c74581f5573d41390e14c8014bf5454b9294c6c745

Download Submit
\Windows\SysWOW64\Okfgfl32.exe

Filesize
88KB

MD5
7c6644530b2029f9db0ed9bdf24a7383

SHA1
e20314396a9043a8099ac3a4ea44526dbe46f324

SHA256
f824877f38f673b68e2e486e4bca626ca629301a7c93845b04a288976ec3a3b2

SHA512
a68b67f0b4d2f58326ee92411dc9d6c32e032e8bf75ad7474ef5f651d4b3f54616d7548cb9c34a3aa291ecd6493bc27ba99dfe6e9de2fa84db09d1784a18f20f

Download Submit
\Windows\SysWOW64\Onbgmg32.exe

Filesize
88KB

MD5
65a825529808f5bd31e969c9007cbc7d

SHA1
25dc0533ed9ad1e1aed98d2b284dd52ca90f6224

SHA256
e05e3b82f34738ba9b232e93ff33376ac56f4e95fcae8dd759be8d114a531052

SHA512
c9787b12f4ef4de445c29e0b306e9060384269bf33ef80f31c76a6f9d4797e2e36162e4d74dc3def46fc85a5b7cea9272b801fd833883929c36f14c6cff9c251

Download Submit
\Windows\SysWOW64\Pdaheq32.exe

Filesize
88KB

MD5
b80d47d12ad3ed3ad4f0fa48f5c3d3eb

SHA1
836ade305e0089152abfe383312723b0f7b1b92c

SHA256
beb57d7c04ea1e5d33dbe285644158dcda2ab336a08faa92bf1d1cba0801d7d8

SHA512
d60acbbad39fe288aa9b50db5b0f8635720abba4a11045f79685a6b991c91377a5e7480fee08b191064c155fe118ac9ebd78746521cb5f1deb70fcf4ecf9a9c0

Download Submit
\Windows\SysWOW64\Picnndmb.exe

Filesize
88KB

MD5
37d0e60247d8e93d40f180633b76b308

SHA1
86e2c527eeeb65795545c7561d3a8654e46707d0

SHA256
222a0b7ec7d4f11e1191ea1b250fc0ca2ef7d6de183d0d2dbdb7bc1cca1ad332

SHA512
61c99327cda835bf0d4abb685e6b25394dac991702e5dde7aa7043425fa1efb9f94c41f58b79985ee962932db725fe2070a5807c8baa67d09054c860103b65cd

Download Submit
\Windows\SysWOW64\Pjnamh32.exe

Filesize
88KB

MD5
f9f0efc0505e3f7249703c328d90867f

SHA1
2b002c4b67d0c7fb64f1e9ba56b27a4bcd7661a5

SHA256
71a8bbf099b78ce38e90100517d15201b1a8955aa40bd49226e65b614da7f8c2

SHA512
c3a3a6053703c7ff3b78142482489a15555cfb3674265591f86ee38e4aad9484cc172122101f9144eec95b0965006bed04605437ee429f0089c96a75d05df669

Download Submit
\Windows\SysWOW64\Pngphgbf.exe

Filesize
88KB

MD5
21e6669305fa1b8796c0293f24cd28ec

SHA1
38b1fea7f91da09184fe5ee604b724b71bc5349f

SHA256
fad98c3636f62816a6981381b09efbdbcb81fee26f1f6bdaacb765586eb1df7a

SHA512
329be69c116be239f2e633a4914244a21bc09157f63e6cd137f443131a2d18b3ea95e56d28fb385bcfe47c0c455c344b55c7f4695ecb3dd483e796deb0378222

Download Submit
\Windows\SysWOW64\Pokieo32.exe

Filesize
88KB

MD5
948a5ebaf378de3420b2e39525c42b19

SHA1
1ee2cce025fec86d9c44fdb9d784c568a77a6468

SHA256
a9a5cf51907376b6321d14ba1c3172ac1feb7fbcde223add82ca430d276b3b9e

SHA512
4a4debc03d92ce7a80c1949465c95100d7591b7032abf7d8762a64184e15e33ce25db089cf7b557219e00de3c9f20a13c20f672fc15af71f4485e75d1ce78fe7

Download Submit
\Windows\SysWOW64\Pomfkndo.exe

Filesize
88KB

MD5
a09c28b85f1a3f7062d418823d9d8eb8

SHA1
d429e714003f5b08f3661a8ee3ab54521feee4f5

SHA256
e14f1174b7b98b14d249981e5bd547c0843a4b789e05467ca59e498b2fed6c93

SHA512
83c69ecfe68f126f8fca7eae60a8a6c7c98f94d5d08fa208eb1351fad330c155bd562843423729cd74aa4be5a8a1691823a34c00039064877eb749f3f8acb31d

Download Submit
memory/380-440-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/380-434-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/484-407-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/484-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/484-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/496-168-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/496-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/496-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/572-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/572-368-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/572-370-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/572-606-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/688-243-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/688-242-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1184-608-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1184-386-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1184-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1240-495-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1280-391-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1280-595-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-489-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1528-488-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1572-316-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/1572-597-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1572-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1572-312-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/1628-610-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-294-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1628-293-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1740-455-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/1740-445-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1740-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1740-454-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/1744-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1752-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1752-249-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1796-500-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1796-511-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/1796-510-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/1844-89-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1844-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1844-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2000-260-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2000-254-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2144-181-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2144-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-195-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2188-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-115-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2212-220-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/2212-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2300-477-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2300-468-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-230-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2312-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2440-457-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2440-463-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2448-279-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2448-283-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2448-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2448-599-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-61-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2460-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2488-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2500-361-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2500-604-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2500-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-421-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2532-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-612-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-432-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2548-422-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-304-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2616-600-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-295-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-305-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2708-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-347-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2708-348-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2708-603-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-337-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/2716-601-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-456-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-142-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2812-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2812-327-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2812-602-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2812-326-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2872-40-0x0000000001F80000-0x0000000001FB4000-memory.dmp

Filesize
208KB

Download
memory/2872-34-0x0000000001F80000-0x0000000001FB4000-memory.dmp

Filesize
208KB

Download
memory/2872-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2956-11-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2956-12-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2956-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2956-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-605-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3028-128-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3028-444-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads