berbew | 2cc72542a8d61c65f97eb56baebb7689a8a60c71d9582c417ae8eb2240268f50

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/03/2025, 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cc72542a8d61c65f97eb56baebb7689a8a60c71d9582c417ae8eb2240268f50.exe
Size

90KB
MD5

8aa6aab7493062075c4575f8c4bc7f82
SHA1

b13e690b6049298611071814298a2917b191bef1
SHA256

2cc72542a8d61c65f97eb56baebb7689a8a60c71d9582c417ae8eb2240268f50
SHA512

8a2531ae69000feabcc176e235205fca4204dbfb28fbeb9c4589fae9b0b4155a0bfb7f4105111974ae75f68cfab6b9b4e1f405979781800aa41d35c130e2c151
SSDEEP

1536:7G5TVSyqWTqJHwoy6FHru2c8+KAssJXcqOxL8ZTzbcJ+7zNjSKOhYXYnLyVDMRSy:iPcJQZ2c8+KYsEXNjShi6eQKNDVM

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odedge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adifpk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjobffl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oplelf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pafdjmkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qeppdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aojabdlf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahgofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aohdmdoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhlgmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pafdjmkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkaehb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbagipfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkmlmbcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opglafab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkjphcff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgmpibam.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeppdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nabopjmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Alnalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boljgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omklkkpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfocaki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ooabmbbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aojabdlf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adifpk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Omklkkpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oplelf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anbkipok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkegah32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1668	Nncbdomg.exe
2276	Nabopjmj.exe
2804	Nhlgmd32.exe
2780	Opglafab.exe
2680	Omklkkpl.exe
2568	Odedge32.exe
3024	Ojomdoof.exe
1724	Oplelf32.exe
1300	Olbfagca.exe
1780	Ooabmbbe.exe
2028	Opqoge32.exe
1760	Oemgplgo.exe
2116	Pkjphcff.exe
1344	Pbagipfi.exe
2928	Pkmlmbcd.exe
764	Pafdjmkq.exe
752	Pojecajj.exe
1540	Pplaki32.exe
2152	Pkaehb32.exe
1748	Paknelgk.exe
1288	Pkcbnanl.exe
3048	Pnbojmmp.exe
2964	Qkfocaki.exe
2652	Qlgkki32.exe
2572	Qgmpibam.exe
3056	Qeppdo32.exe
2592	Aohdmdoh.exe
3016	Aebmjo32.exe
1744	Allefimb.exe
2840	Aojabdlf.exe
1684	Afdiondb.exe
664	Alnalh32.exe
2776	Aakjdo32.exe
1904	Adifpk32.exe
2984	Alqnah32.exe
2360	Aoojnc32.exe
316	Anbkipok.exe
1132	Aficjnpm.exe
1216	Ahgofi32.exe
1980	Agjobffl.exe
840	Aoagccfn.exe
2032	Abpcooea.exe
1848	Adnpkjde.exe
892	Bhjlli32.exe
860	Bkhhhd32.exe
2288	Bnfddp32.exe
2696	Bqeqqk32.exe
2752	Bccmmf32.exe
2832	Bkjdndjo.exe
2584	Bjmeiq32.exe
2596	Bceibfgj.exe
348	Bfdenafn.exe
2600	Bnknoogp.exe
1792	Bmnnkl32.exe
548	Boljgg32.exe
1048	Bgcbhd32.exe
2896	Bjbndpmd.exe
2996	Bieopm32.exe
2044	Bqlfaj32.exe
2876	Bcjcme32.exe
1584	Bfioia32.exe
1308	Bjdkjpkb.exe
1380	Bkegah32.exe
2260	Ccmpce32.exe

Loads dropped DLL 64 IoCs

pid	Process
2460	2cc72542a8d61c65f97eb56baebb7689a8a60c71d9582c417ae8eb2240268f50.exe
2460	2cc72542a8d61c65f97eb56baebb7689a8a60c71d9582c417ae8eb2240268f50.exe
1668	Nncbdomg.exe
1668	Nncbdomg.exe
2276	Nabopjmj.exe
2276	Nabopjmj.exe
2804	Nhlgmd32.exe
2804	Nhlgmd32.exe
2780	Opglafab.exe
2780	Opglafab.exe
2680	Omklkkpl.exe
2680	Omklkkpl.exe
2568	Odedge32.exe
2568	Odedge32.exe
3024	Ojomdoof.exe
3024	Ojomdoof.exe
1724	Oplelf32.exe
1724	Oplelf32.exe
1300	Olbfagca.exe
1300	Olbfagca.exe
1780	Ooabmbbe.exe
1780	Ooabmbbe.exe
2028	Opqoge32.exe
2028	Opqoge32.exe
1760	Oemgplgo.exe
1760	Oemgplgo.exe
2116	Pkjphcff.exe
2116	Pkjphcff.exe
1344	Pbagipfi.exe
1344	Pbagipfi.exe
2928	Pkmlmbcd.exe
2928	Pkmlmbcd.exe
764	Pafdjmkq.exe
764	Pafdjmkq.exe
752	Pojecajj.exe
752	Pojecajj.exe
1540	Pplaki32.exe
1540	Pplaki32.exe
2152	Pkaehb32.exe
2152	Pkaehb32.exe
1748	Paknelgk.exe
1748	Paknelgk.exe
1288	Pkcbnanl.exe
1288	Pkcbnanl.exe
3048	Pnbojmmp.exe
3048	Pnbojmmp.exe
2964	Qkfocaki.exe
2964	Qkfocaki.exe
2652	Qlgkki32.exe
2652	Qlgkki32.exe
2572	Qgmpibam.exe
2572	Qgmpibam.exe
3056	Qeppdo32.exe
3056	Qeppdo32.exe
2592	Aohdmdoh.exe
2592	Aohdmdoh.exe
3016	Aebmjo32.exe
3016	Aebmjo32.exe
1744	Allefimb.exe
1744	Allefimb.exe
2840	Aojabdlf.exe
2840	Aojabdlf.exe
1684	Afdiondb.exe
1684	Afdiondb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cbdiia32.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Cchbgi32.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Djdgic32.exe
File created	C:\Windows\SysWOW64\Komjgdhc.dll	Ahgofi32.exe
File created	C:\Windows\SysWOW64\Aoagccfn.exe	Agjobffl.exe
File created	C:\Windows\SysWOW64\Bifbbocj.dll	Bqeqqk32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmeiq32.exe	Bkjdndjo.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	Bkegah32.exe
File created	C:\Windows\SysWOW64\Bnfddp32.exe	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\Giddhc32.dll	Opglafab.exe
File created	C:\Windows\SysWOW64\Aohdmdoh.exe	Qeppdo32.exe
File opened for modification	C:\Windows\SysWOW64\Cbblda32.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Pbagipfi.exe	Pkjphcff.exe
File created	C:\Windows\SysWOW64\Pplaki32.exe	Pojecajj.exe
File created	C:\Windows\SysWOW64\Alppmhnm.dll	Anbkipok.exe
File opened for modification	C:\Windows\SysWOW64\Odedge32.exe	Omklkkpl.exe
File created	C:\Windows\SysWOW64\Kmgbdm32.dll	Pafdjmkq.exe
File created	C:\Windows\SysWOW64\Imafcg32.dll	Qeppdo32.exe
File created	C:\Windows\SysWOW64\Cocphf32.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Cchbgi32.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Pkjphcff.exe	Oemgplgo.exe
File created	C:\Windows\SysWOW64\Aoojnc32.exe	Alqnah32.exe
File created	C:\Windows\SysWOW64\Akkggpci.dll	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Bmnnkl32.exe	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Jmgghnmp.dll	Olbfagca.exe
File created	C:\Windows\SysWOW64\Oemgplgo.exe	Opqoge32.exe
File created	C:\Windows\SysWOW64\Incleo32.dll	Aojabdlf.exe
File created	C:\Windows\SysWOW64\Alnalh32.exe	Afdiondb.exe
File opened for modification	C:\Windows\SysWOW64\Ahgofi32.exe	Aficjnpm.exe
File opened for modification	C:\Windows\SysWOW64\Bqeqqk32.exe	Bnfddp32.exe
File created	C:\Windows\SysWOW64\Dnbamjbm.dll	Bceibfgj.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Olbfagca.exe	Oplelf32.exe
File opened for modification	C:\Windows\SysWOW64\Adifpk32.exe	Aakjdo32.exe
File created	C:\Windows\SysWOW64\Bkjdndjo.exe	Bccmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Cocphf32.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	Cbdiia32.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Odedge32.exe	Omklkkpl.exe
File opened for modification	C:\Windows\SysWOW64\Aojabdlf.exe	Allefimb.exe
File opened for modification	C:\Windows\SysWOW64\Bjbndpmd.exe	Bgcbhd32.exe
File opened for modification	C:\Windows\SysWOW64\Omklkkpl.exe	Opglafab.exe
File created	C:\Windows\SysWOW64\Oplelf32.exe	Ojomdoof.exe
File opened for modification	C:\Windows\SysWOW64\Allefimb.exe	Aebmjo32.exe
File created	C:\Windows\SysWOW64\Opobfpee.dll	Bnfddp32.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Adnpkjde.exe	Abpcooea.exe
File created	C:\Windows\SysWOW64\Bhjlli32.exe	Adnpkjde.exe
File opened for modification	C:\Windows\SysWOW64\Boljgg32.exe	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Hfiocpon.dll	Nhlgmd32.exe
File created	C:\Windows\SysWOW64\Mqdkghnj.dll	Pnbojmmp.exe
File created	C:\Windows\SysWOW64\Ldcinhie.dll	Odedge32.exe
File created	C:\Windows\SysWOW64\Fkdhkd32.dll	Pojecajj.exe
File opened for modification	C:\Windows\SysWOW64\Bceibfgj.exe	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Afdiondb.exe	Aojabdlf.exe
File created	C:\Windows\SysWOW64\Bbjclbek.dll	Alnalh32.exe
File opened for modification	C:\Windows\SysWOW64\Abpcooea.exe	Aoagccfn.exe
File created	C:\Windows\SysWOW64\Bceibfgj.exe	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Bgcbhd32.exe	Boljgg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1360	2828	WerFault.exe	117

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olbfagca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ooabmbbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pojecajj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qlgkki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfddp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqeqqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aojabdlf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkmlmbcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgmpibam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nabopjmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omklkkpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplaki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alnalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoagccfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcooea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odedge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oemgplgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbagipfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfocaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjobffl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhjlli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojomdoof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2cc72542a8d61c65f97eb56baebb7689a8a60c71d9582c417ae8eb2240268f50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pafdjmkq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paknelgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oplelf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnknoogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opglafab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnpkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkaehb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aohdmdoh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Allefimb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhlgmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmeiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anbkipok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeppdo32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oplelf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Omklkkpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opqoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egfokakc.dll"	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmapmi32.dll"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmdailj.dll"	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Opqoge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aoojnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ahgofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aoagccfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oplelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkaehb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naejdn32.dll"	Nncbdomg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aohdmdoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afdiondb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfdgghho.dll"	Pbagipfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdoaqh32.dll"	Aebmjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anbkipok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abpcooea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpjqgjc.dll"	Aohdmdoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	2cc72542a8d61c65f97eb56baebb7689a8a60c71d9582c417ae8eb2240268f50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apqcdckf.dll"	Pkmlmbcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnbojmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incleo32.dll"	Aojabdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfiocpon.dll"	Nhlgmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pkmlmbcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodmepdn.dll"	Aoojnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anbkipok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnafi32.dll"	Aoagccfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnbojmmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaiqn32.dll"	Opqoge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkgoklhk.dll"	Pkaehb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pkcbnanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Allefimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkmlmbcd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 1668	2460	2cc72542a8d61c65f97eb56baebb7689a8a60c71d9582c417ae8eb2240268f50.exe	31
PID 2460 wrote to memory of 1668	2460	2cc72542a8d61c65f97eb56baebb7689a8a60c71d9582c417ae8eb2240268f50.exe	31
PID 2460 wrote to memory of 1668	2460	2cc72542a8d61c65f97eb56baebb7689a8a60c71d9582c417ae8eb2240268f50.exe	31
PID 2460 wrote to memory of 1668	2460	2cc72542a8d61c65f97eb56baebb7689a8a60c71d9582c417ae8eb2240268f50.exe	31
PID 1668 wrote to memory of 2276	1668	Nncbdomg.exe	32
PID 1668 wrote to memory of 2276	1668	Nncbdomg.exe	32
PID 1668 wrote to memory of 2276	1668	Nncbdomg.exe	32
PID 1668 wrote to memory of 2276	1668	Nncbdomg.exe	32
PID 2276 wrote to memory of 2804	2276	Nabopjmj.exe	33
PID 2276 wrote to memory of 2804	2276	Nabopjmj.exe	33
PID 2276 wrote to memory of 2804	2276	Nabopjmj.exe	33
PID 2276 wrote to memory of 2804	2276	Nabopjmj.exe	33
PID 2804 wrote to memory of 2780	2804	Nhlgmd32.exe	34
PID 2804 wrote to memory of 2780	2804	Nhlgmd32.exe	34
PID 2804 wrote to memory of 2780	2804	Nhlgmd32.exe	34
PID 2804 wrote to memory of 2780	2804	Nhlgmd32.exe	34
PID 2780 wrote to memory of 2680	2780	Opglafab.exe	35
PID 2780 wrote to memory of 2680	2780	Opglafab.exe	35
PID 2780 wrote to memory of 2680	2780	Opglafab.exe	35
PID 2780 wrote to memory of 2680	2780	Opglafab.exe	35
PID 2680 wrote to memory of 2568	2680	Omklkkpl.exe	36
PID 2680 wrote to memory of 2568	2680	Omklkkpl.exe	36
PID 2680 wrote to memory of 2568	2680	Omklkkpl.exe	36
PID 2680 wrote to memory of 2568	2680	Omklkkpl.exe	36
PID 2568 wrote to memory of 3024	2568	Odedge32.exe	37
PID 2568 wrote to memory of 3024	2568	Odedge32.exe	37
PID 2568 wrote to memory of 3024	2568	Odedge32.exe	37
PID 2568 wrote to memory of 3024	2568	Odedge32.exe	37
PID 3024 wrote to memory of 1724	3024	Ojomdoof.exe	38
PID 3024 wrote to memory of 1724	3024	Ojomdoof.exe	38
PID 3024 wrote to memory of 1724	3024	Ojomdoof.exe	38
PID 3024 wrote to memory of 1724	3024	Ojomdoof.exe	38
PID 1724 wrote to memory of 1300	1724	Oplelf32.exe	39
PID 1724 wrote to memory of 1300	1724	Oplelf32.exe	39
PID 1724 wrote to memory of 1300	1724	Oplelf32.exe	39
PID 1724 wrote to memory of 1300	1724	Oplelf32.exe	39
PID 1300 wrote to memory of 1780	1300	Olbfagca.exe	40
PID 1300 wrote to memory of 1780	1300	Olbfagca.exe	40
PID 1300 wrote to memory of 1780	1300	Olbfagca.exe	40
PID 1300 wrote to memory of 1780	1300	Olbfagca.exe	40
PID 1780 wrote to memory of 2028	1780	Ooabmbbe.exe	41
PID 1780 wrote to memory of 2028	1780	Ooabmbbe.exe	41
PID 1780 wrote to memory of 2028	1780	Ooabmbbe.exe	41
PID 1780 wrote to memory of 2028	1780	Ooabmbbe.exe	41
PID 2028 wrote to memory of 1760	2028	Opqoge32.exe	42
PID 2028 wrote to memory of 1760	2028	Opqoge32.exe	42
PID 2028 wrote to memory of 1760	2028	Opqoge32.exe	42
PID 2028 wrote to memory of 1760	2028	Opqoge32.exe	42
PID 1760 wrote to memory of 2116	1760	Oemgplgo.exe	43
PID 1760 wrote to memory of 2116	1760	Oemgplgo.exe	43
PID 1760 wrote to memory of 2116	1760	Oemgplgo.exe	43
PID 1760 wrote to memory of 2116	1760	Oemgplgo.exe	43
PID 2116 wrote to memory of 1344	2116	Pkjphcff.exe	44
PID 2116 wrote to memory of 1344	2116	Pkjphcff.exe	44
PID 2116 wrote to memory of 1344	2116	Pkjphcff.exe	44
PID 2116 wrote to memory of 1344	2116	Pkjphcff.exe	44
PID 1344 wrote to memory of 2928	1344	Pbagipfi.exe	45
PID 1344 wrote to memory of 2928	1344	Pbagipfi.exe	45
PID 1344 wrote to memory of 2928	1344	Pbagipfi.exe	45
PID 1344 wrote to memory of 2928	1344	Pbagipfi.exe	45
PID 2928 wrote to memory of 764	2928	Pkmlmbcd.exe	46
PID 2928 wrote to memory of 764	2928	Pkmlmbcd.exe	46
PID 2928 wrote to memory of 764	2928	Pkmlmbcd.exe	46
PID 2928 wrote to memory of 764	2928	Pkmlmbcd.exe	46

C:\Users\Admin\AppData\Local\Temp\2cc72542a8d61c65f97eb56baebb7689a8a60c71d9582c417ae8eb2240268f50.exe
"C:\Users\Admin\AppData\Local\Temp\2cc72542a8d61c65f97eb56baebb7689a8a60c71d9582c417ae8eb2240268f50.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\SysWOW64\Nncbdomg.exe
  C:\Windows\system32\Nncbdomg.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\SysWOW64\Nabopjmj.exe
    C:\Windows\system32\Nabopjmj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Windows\SysWOW64\Nhlgmd32.exe
      C:\Windows\system32\Nhlgmd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Windows\SysWOW64\Opglafab.exe
        
        C:\Windows\system32\Opglafab.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2780
      - C:\Windows\SysWOW64\Omklkkpl.exe
        
        C:\Windows\system32\Omklkkpl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Odedge32.exe
        
        C:\Windows\system32\Odedge32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Ojomdoof.exe
        
        C:\Windows\system32\Ojomdoof.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Oplelf32.exe
        
        C:\Windows\system32\Oplelf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Olbfagca.exe
        
        C:\Windows\system32\Olbfagca.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\Ooabmbbe.exe
        
        C:\Windows\system32\Ooabmbbe.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\Opqoge32.exe
        
        C:\Windows\system32\Opqoge32.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Oemgplgo.exe
        
        C:\Windows\system32\Oemgplgo.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\Pkjphcff.exe
        
        C:\Windows\system32\Pkjphcff.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Pbagipfi.exe
        
        C:\Windows\system32\Pbagipfi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Pkmlmbcd.exe
        
        C:\Windows\system32\Pkmlmbcd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Pafdjmkq.exe
        
        C:\Windows\system32\Pafdjmkq.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\Pojecajj.exe
        
        C:\Windows\system32\Pojecajj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Pplaki32.exe
        
        C:\Windows\system32\Pplaki32.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\Pkaehb32.exe
        
        C:\Windows\system32\Pkaehb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Paknelgk.exe
        
        C:\Windows\system32\Paknelgk.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\Pkcbnanl.exe
        
        C:\Windows\system32\Pkcbnanl.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Pnbojmmp.exe
        
        C:\Windows\system32\Pnbojmmp.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Qkfocaki.exe
        
        C:\Windows\system32\Qkfocaki.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\Qlgkki32.exe
        
        C:\Windows\system32\Qlgkki32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\Qgmpibam.exe
        
        C:\Windows\system32\Qgmpibam.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\Qeppdo32.exe
        
        C:\Windows\system32\Qeppdo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\Aohdmdoh.exe
        
        C:\Windows\system32\Aohdmdoh.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Aebmjo32.exe
        
        C:\Windows\system32\Aebmjo32.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Allefimb.exe
        
        C:\Windows\system32\Allefimb.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Aojabdlf.exe
        
        C:\Windows\system32\Aojabdlf.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Afdiondb.exe
        
        C:\Windows\system32\Afdiondb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Alnalh32.exe
        
        C:\Windows\system32\Alnalh32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:664
        
        C:\Windows\SysWOW64\Aakjdo32.exe
        
        C:\Windows\system32\Aakjdo32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Adifpk32.exe
        
        C:\Windows\system32\Adifpk32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1904
        
        C:\Windows\SysWOW64\Alqnah32.exe
        
        C:\Windows\system32\Alqnah32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2984
        
        C:\Windows\SysWOW64\Aoojnc32.exe
        
        C:\Windows\system32\Aoojnc32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Anbkipok.exe
        
        C:\Windows\system32\Anbkipok.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Aficjnpm.exe
        
        C:\Windows\system32\Aficjnpm.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1132
        
        C:\Windows\SysWOW64\Ahgofi32.exe
        
        C:\Windows\system32\Ahgofi32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Agjobffl.exe
        
        C:\Windows\system32\Agjobffl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Windows\SysWOW64\Aoagccfn.exe
        
        C:\Windows\system32\Aoagccfn.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Abpcooea.exe
        
        C:\Windows\system32\Abpcooea.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Adnpkjde.exe
        
        C:\Windows\system32\Adnpkjde.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Bhjlli32.exe
        
        C:\Windows\system32\Bhjlli32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Bkhhhd32.exe
        
        C:\Windows\system32\Bkhhhd32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Bnfddp32.exe
        
        C:\Windows\system32\Bnfddp32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Bqeqqk32.exe
        
        C:\Windows\system32\Bqeqqk32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Bjmeiq32.exe
        
        C:\Windows\system32\Bjmeiq32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\Bceibfgj.exe
        
        C:\Windows\system32\Bceibfgj.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2596
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:348
        
        C:\Windows\SysWOW64\Bnknoogp.exe
        
        C:\Windows\system32\Bnknoogp.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Windows\SysWOW64\Bmnnkl32.exe
        
        C:\Windows\system32\Bmnnkl32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Bgcbhd32.exe
        
        C:\Windows\system32\Bgcbhd32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        62⤵
        Executes dropped EXE
        
        PID:1584
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        70⤵
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:292
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        76⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:696
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:560
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 144
        89⤵
        Program crash
        
        PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aakjdo32.exe

Filesize
90KB

MD5
45b7738030b5aa7e140a13dcaef9e5be

SHA1
23dbbea7b298966eeff3d6cfbf9cc8819c3a5acc

SHA256
ee0cef957165e8ddd76729a02246eae1a1aa5e6de5bfc99083ebd796c7ed709c

SHA512
e00fca49036a04eeeed3946e1be0236fd7a6b4167d7435e37c7baeb7416b306261dcfd02522cbffd7bc345a19169a0497e1d4c16727cbbe50fdab34575d9cf38

Download Submit
C:\Windows\SysWOW64\Abpcooea.exe

Filesize
90KB

MD5
e5f5223f6f92e87a9e1643706a20eed3

SHA1
bb7c78bad651c6c415ef8d123ee775544d5a56b6

SHA256
daed13b7b4a9148c42af38f5bba944d5b91027d6df05b72bc6cef23171942f6b

SHA512
218a84ed32847ae72bfaa8f37a1cf83dd699e08b4dc169fe5b8c50814b9aa21799d00bb073fd0163ba39a9d867208cfe9e364e7b8c13c6720e91c6af36e4097f

Download Submit
C:\Windows\SysWOW64\Adifpk32.exe

Filesize
90KB

MD5
d3af819f69c051af321febe9fac279e7

SHA1
42e70b24f20b06399415bb0ca2470408c4cf2d89

SHA256
a29aac1c1baac3e2f7037d237f33b4d770376e92809eabcad62ccc68ed738d48

SHA512
a0d8194e27f224c97de69a5f3cb7a9e2ea917cdb7c55b91d985f23e87739f6b5e15d75f52b59aa8dc373f899122b368482d05c19343c77887024af64a2559e00

Download Submit
C:\Windows\SysWOW64\Adnpkjde.exe

Filesize
90KB

MD5
e796ad4c70d8e7e300336f757114d36d

SHA1
84e1f5920db006d7b904cee6a210567039ab04a9

SHA256
bbb1873e4a224d16e2a5a0818b0cb9bda1895cecfa3e2660cfaaf9f19416caf1

SHA512
3853483eeea7ee25deb2bcf48332f6629f0c89c7018b8949c352dccbb0913446e2c496fe0a388914178f8c550c34d7003cd6c4ab6b9f2e700bb150126a600c72

Download Submit
C:\Windows\SysWOW64\Aebmjo32.exe

Filesize
90KB

MD5
93669a67b2fec5eb9f460a7d6314b902

SHA1
12449015062922832908a9e1e3f3b7bce419926e

SHA256
298f0f35fd0e5f7c1eada4443111b501be44fe4fcdb703d431e4b00264792712

SHA512
c092668a0dea67f59607d8a27090d5b111715240615b72760865effcbb8eeba7e52d64c44485a81c99652c6fca60fa790c4f86d78656ba3d4e698437fe6b5159

Download Submit
C:\Windows\SysWOW64\Afdiondb.exe

Filesize
90KB

MD5
fa8201a37eba7c8afac0405d47d43294

SHA1
d6bee6f9f13511d2fa561aa513a4da2de7d2ba2b

SHA256
03fa9aedcafb9175dbaaf01a869c145d20381e46156dff147c845c94ef255f5f

SHA512
cd7b54af33aad6204b37654331a6df7d65c94f63349f6784afb13f4fbbf694526d93519ae845b70b7b83d2c7f02374ec3e76e16655c60e8182507e63b7c7f8d7

Download Submit
C:\Windows\SysWOW64\Aficjnpm.exe

Filesize
90KB

MD5
4fc98e7cce74c679e5d48eae44fb705a

SHA1
a7d18a4c4ec63d32100d7d69f58a148d1f8fee6e

SHA256
3017f8ecf689d936fd4076f9eb5f3975daa76bf610f9d041b1161bf67b79c822

SHA512
2bc739ba3fede8923e7c1321b7705e8b1661428965fe1351bff6aa513a716c74e6c392af805bb0b8c8016c7842c4070274c85fa1bfd527c2edea1061157fabb1

Download Submit
C:\Windows\SysWOW64\Agjobffl.exe

Filesize
90KB

MD5
87d18b26908e21615874ba75b4d54751

SHA1
7ac9cc390bad750392e7238bd98cc14ec54c4d74

SHA256
ec4dce18109a15465b9c5256c85ad8ec6ec8dd0e71357727b70979c2054f0c74

SHA512
1ea189705d28a7c4d760b7c695714d919c6b1165a37081c34d4fe3b1d3d6954f0eab04c50b812f36eb7aceb14f3db46da4f5d0f230e7fefc35517c05abc3b02f

Download Submit
C:\Windows\SysWOW64\Ahgofi32.exe

Filesize
90KB

MD5
48c6b0c673007977aecd625ef2c8aabf

SHA1
81fdf3d06b78fd0b943ad4c4df46ed662f668c46

SHA256
47294c512e2233cac89720b2be251a661fde6b521af8f907235a11e5a46ec01b

SHA512
af602cf3d20effca70e1db6f82f54965cc1638a6a2d97fec5cb72ebfe25d7a4717ca13db5c965661ec6b8954c638b6c96f5f648c313880a4b275f90075771e58

Download Submit
C:\Windows\SysWOW64\Allefimb.exe

Filesize
90KB

MD5
107d3d56f826b257a0d1386c69928754

SHA1
f6d2f7492ae61d31519d81156cadd0327de435f7

SHA256
97cad16d064b83c363a63b782ee57c16bd14638fb5ca02105eb4d59949a5b2b2

SHA512
0443fb2f4967cb92acd00213f3f2cc91813201568cb01056f636e9c5ed73411d4c00700aea7ca9441f335764c77e13f6e5672391a2ccd92cad207bcdf73a656d

Download Submit
C:\Windows\SysWOW64\Alnalh32.exe

Filesize
90KB

MD5
a344dc1d1ed5de0f77a0224dd77648c0

SHA1
ca105ea5ff4ea7c23e539831714a94c905234c57

SHA256
79937cbcd393723270a175d5356a851e511762755958a08d6384d7f88c3bcc44

SHA512
5368c22d4b38da9e2f5eb9de070294309da8699a58e16bd41c0a7076f875999ff9c5bbea213a006444e038f4c80eca3fedee60e9f213686bff8574fa4c24af7d

Download Submit
C:\Windows\SysWOW64\Alqnah32.exe

Filesize
90KB

MD5
f10cb3577c6de2a61e6d1be4d0ee817e

SHA1
0eb7d7d4f70b5772c69c6ab4b33355be4b54bf04

SHA256
e1c9a9bbc136250636aa5b0f0976f7444847c988a64b3fbdbdc2a4af09fc113c

SHA512
d852dcfbe002b3adcee6cf18fcd73796876231ec1d6fe5462fdbbd03aa39519840a743cdce755119edc7eef267b5dce3f5af50a80fb71b021206df0e19154f1d

Download Submit
C:\Windows\SysWOW64\Anbkipok.exe

Filesize
90KB

MD5
71ad8f9f1f04511aa6476cf097aa7f77

SHA1
20cd8d1f9e60a79bd69ff9c2c04c73dd33721ef5

SHA256
bea946f5db685cd681fa169bc3e9f9881d0bd03517a5ed60472e75b22a2d4e02

SHA512
46c1cb892c77a09311b3c8de1259b7a93d03baa56a3939ca5d4fa8950b7dada4618e2ace000683e0a1369bc2d7450e07ea52eaf9d10226d27db46a67bee72830

Download Submit
C:\Windows\SysWOW64\Aoagccfn.exe

Filesize
90KB

MD5
07922dcda5a50e6f1c34fd2b942b2547

SHA1
88473311dd2b4b29b92f1e36625f727421779eed

SHA256
8125ad2faf42f8d58056df1fad4357eea3abeabc8fd3d8791ae3ef327317e750

SHA512
79ba971f5bfdcbf3037ff1610500e16adf58f847e5bbd3bd14f980f22f9f0c9a8f84c4dbf6cd8461e6d7e8e640128fda0a0f54a1d2a0d0721759c78570da3c8f

Download Submit
C:\Windows\SysWOW64\Aohdmdoh.exe

Filesize
90KB

MD5
94c6a9d04b094e25299b51a11b0ee115

SHA1
41e0b9350cc794823f62f2f97c63007e897cd3e6

SHA256
7d7f7d0453110201e4f884f996bfead2681fb49ec0a07c1f6ea2851ab7ffbe35

SHA512
199893288e03db152a12183f334f4948b15f424e6c51b607a1fc17c960858da860546267b046d42bd8369b8a1808af58a2a1546a8394f25eb2161cc678a3eee2

Download Submit
C:\Windows\SysWOW64\Aojabdlf.exe

Filesize
90KB

MD5
743cdd2339da13f5f20a85d2e1d21ecd

SHA1
1dd808ef1beeaea83385ec8d9dbbe18c54138c4b

SHA256
159b8707a15995bc89b9cdf55784dfed4e61f52366da583a6c4dcf45b5f380ae

SHA512
2ed5ccdeb3b2a2779b1d992e938cd47f18424d0a562ec178f10ed23e33429a3d627111b93b5962cede6d9f56927715b2a73c16d7830469a74a79d52197e22a4b

Download Submit
C:\Windows\SysWOW64\Aoojnc32.exe

Filesize
90KB

MD5
a0a6dd3f60576d4b17d7040dfffc589c

SHA1
802694e8f1add037e0cb514da3ef62305f98bb6d

SHA256
3518bb50ea3074a66484a80f9d874d73fbafec08797e249552cce6c1f0713b03

SHA512
b9691427166e805495dccf2f80c6fe728041de8b9d0a1b19ff8510d4994f2ec1823ece6d89241ae2c02dd656932e0e5f751d65f10ea5f70d8fb9ee5402695609

Download Submit
C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
90KB

MD5
81be98f4c7131962c48a15c25ab8bb08

SHA1
c5b2edac48efa74e0efe98d15070d41437ce8134

SHA256
12bc07a89b28fdd56ce8621ef5cddbc92aca92dbcf22dd5b78b71dee06524b13

SHA512
cd8456776ae067c8b645f0451794c4c42e8a3be0616fd0d8c30cca1832111f98753d2e7657e8f4b5fcb3edcc02fb62fee3e25d1749e31a51e2d7418c342df5f1

Download Submit
C:\Windows\SysWOW64\Bceibfgj.exe

Filesize
90KB

MD5
06b76d7fb0b7d556d9e7912b97d74a5e

SHA1
3eceaf2417dc3a7b2d3f9c980c919198065ea2b5

SHA256
7591b02ca63c49368fe6f653b59f97b609f7a540c72de2504cf7049078cdad0b

SHA512
f20e26205420925740e5777218b925ae8e0ab7389b44e3e2ef59c618a82d289162796031f347844a21fbfa782f6f0b6a18e33442c866f58ca2a0c06629f8c6ed

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
90KB

MD5
236c2667725986064967e9fcaa315afb

SHA1
88dde8276d62641a6e0433618b620986b2c70238

SHA256
0846e1e08739e66ef6a9f703dae5f40937bff9208d3d211a25868055fef3ba4c

SHA512
7abdacf026ba3a4602e918c46d9b8e2f24ea229a349723fa3df2b5c7ea79df831427527a6766a4a52858180e23da398bf95f08bd5766770ca855f140f7db62bc

Download Submit
C:\Windows\SysWOW64\Bfdenafn.exe

Filesize
90KB

MD5
a9c97e752636c2c38350c8f58dcfbce3

SHA1
6e32ccc0ca4f756158dc9d50d6d9d40c0b20d4ef

SHA256
576097acd98d44c7d6a17ae727ea0f9b0a12a7576f03025cafd9192cdf82e078

SHA512
73644f2f94d854a4b597ee3c41a056dfe6cc13fe6e2c2cc4de33b53ff4cd0f3b4dcd40d7eb2d143725d84df8365a329e8d1cc9ed093def695039a1491567de91

Download Submit
C:\Windows\SysWOW64\Bfioia32.exe

Filesize
90KB

MD5
24dfae083a2ce88c11f2aded22664f21

SHA1
c9728bad26cb4b9ef3434c334138baea7c1572a4

SHA256
22c07e2ae913316f45f3c9080e63bb79f69773004e23d36719aa9e285ad64def

SHA512
efb26ef3ebd5f37ac9339f0f7c490c6a2f60f92bd9d1116bc9dcfe52df988fb1dff8cfe73613b943e6105aa338be64b258dcf0ebb95058b059a17aa096660e9d

Download Submit
C:\Windows\SysWOW64\Bgcbhd32.exe

Filesize
90KB

MD5
1cf27d043ae6180f7df8b539be0e54af

SHA1
46d90100640b7e82abc0c0cbf2126e4d54270fd8

SHA256
579c82d517ab9055ceb4e94167c529d3652c87cda8e82e9a4657581f78d1a20a

SHA512
837879043687d81f094717f03ec9f85f62a4f3a348d7b13a96c89bc0f2bdb2d5ec160c5df03047028233c5281692df3710307edee7e67cb4e92ba1a134651f22

Download Submit
C:\Windows\SysWOW64\Bhjlli32.exe

Filesize
90KB

MD5
68d7a92ecc6c10b3f0ad4240d41176e8

SHA1
fc6287989f058c1db23d360686521859c7a31764

SHA256
991214d61d871718fe05e8fb8c427233e424e4f01a937284a447a3def0c17a47

SHA512
c5a901ff2128ba75ef4c20a9199d6b70c63cf5965003407b795375365896f004904b6e82f347da46aa223b347a4c671c1a1cc902a54a45386306f22449f3972b

Download Submit
C:\Windows\SysWOW64\Bieopm32.exe

Filesize
90KB

MD5
ccf77e5fe6ac126dfcbe5d13bb3637dd

SHA1
06d030903b8588309db45228e9199b254c979099

SHA256
54f3ebbfe1f4178b7ff5b729cff84dc0f7367cbd14fa5c42231be1767a095276

SHA512
066acb85d5be570af19dfbd5ce6ba5dab68e69fff1f68017202b6cbb785d9275f6e4c4ee6a7f3f8ec702605e3d26a49c4d0e43a41dd42d25cae0550db65fa532

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
90KB

MD5
19121a4fa322aaa8b2e4d558d76d406e

SHA1
4f2a93edf85a2a489e75cbf35eb4a399a04fe7e6

SHA256
84b0e091d8cc6f692f5dace1c5d14defd80df7d2d460330d09b934ef9b6967c9

SHA512
bdf14784e050f15f449da87abca66d649ae4cf44c958e2d57ec8e232accee336a559474cfcaf527200f98b7db40945dc9b06186de84165576ad8bd584cd96fd0

Download Submit
C:\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
90KB

MD5
969f75ef818e159508c3ac2ee5d0620b

SHA1
a7be462a4f658b498172cb722788ff2a83942b88

SHA256
da01b8c1083870e784395827f7eb66148a6b2ecef56f55a757d46d13857ed7a6

SHA512
6a10f088f4ef466d62c039b05d51e9cca460e516c531dc0e20ea92008465d93fe716774613cf58aa3cca45e5758b6fc4ba4d1a4e48c7d721036d8c6017e9eece

Download Submit
C:\Windows\SysWOW64\Bjmeiq32.exe

Filesize
90KB

MD5
e14c769e428714ad14399ec978970380

SHA1
3052199b3c7fc284f1c39d0337f768b332162bb4

SHA256
1724cc8fc586a9f6f081ced5930f01446ab8795b2b9b7631bddd0aced2b12b87

SHA512
aa50e4082a331a6ae6018f08ade4507cffd9cd8b21dc78d20cb8a3eab8bbcaa4fb0f5828ed9f198e035a531e9bfc7f2a0338744f4f4db0b574c3d88426ea083d

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
90KB

MD5
7453d7e9a97474f66c1f44339b765716

SHA1
8081edda6299138e56c454d8d7e7b32a89b7f789

SHA256
b42e66a8dac1b49442d68e9360aff0c669efaff47e7b28229a46334ebf5e5a4b

SHA512
17709b11b534f6ac4d1a23afdd99a787bf7448801c5692ff1621c0a107aaa68b557c3ef0c75b616066906534ab5b9a5bad1a46bc9c5b26d4c459a1ec2315fb3e

Download Submit
C:\Windows\SysWOW64\Bkhhhd32.exe

Filesize
90KB

MD5
e637f228553e6fc7e03f9f2ba5ae2e63

SHA1
6c50d4624f802476da1934064430a98e9dd5e7bd

SHA256
6a4467dc63fba813f648798802b15f19c5cee12edf317851f7de6774af641dd9

SHA512
8a437c80daa858ca64df30da34ed2d2994077df49e693ccd3058ef5f664cfce5572fea4e9b07cf70c8c8f34b931451a80227a6b6c7ff950b1e418d6e1c6d65ad

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
90KB

MD5
dfaecc2815160a44874c76779a0bc541

SHA1
70c9fc5c7913b49b40d3f48ce0b530a2e4173483

SHA256
4110b25eb1bf0e8360319c50359c8819b4387768948ea84911cfd977bf360308

SHA512
762e7793c277794bb58e4bc606a1e2551771e346df2a52e4a2a5bf35b6a96c219e292aa76d0c259062f598476d7062dff046339febde199d0f07b8beb10c375d

Download Submit
C:\Windows\SysWOW64\Bmnnkl32.exe

Filesize
90KB

MD5
869056be4673428eae05279482a65ab1

SHA1
f87e12d8e6e6383775add28987356400a35cac93

SHA256
f9da5cbdc6a007914cdb7e9cffff8bf4038d41a92e787f48a5a36f8895356eda

SHA512
f04e600958682141306e24b235c0236dddf27b3b552e0b8d55376f9ee611ce626f17ee253b07f31cbec39f8b1817a81fb10fd97fdf6a90ea4fc474fd36180a0d

Download Submit
C:\Windows\SysWOW64\Bnfddp32.exe

Filesize
90KB

MD5
df4214f8a7ae923cefbfe21c4a119cbf

SHA1
3ad9c08956c02bb46d27610ddc0ad23e36a7f2de

SHA256
f181cc7f159debee2232bb2887d21133dcf075c8b98a3092d3282e55f0f80d20

SHA512
1e2577937fa7ad11b2e1e123783a91ee12083051cd2d6f1d7d3c5794b9e93b880fe9edebc9af0cf0cfaf99f1a1c11fb3340d1790681d85f4b2519b349506cfa2

Download Submit
C:\Windows\SysWOW64\Bnknoogp.exe

Filesize
90KB

MD5
1fefe83f4f4b5cee57eb3d935f7cdeed

SHA1
a3d6a0d04e1a98b6535fc2601f923f9d5d0930a9

SHA256
d062424b3fc3399b22e63914cb0550c26bd74edf40c83251204ed9535b2dd136

SHA512
d822ed19936b40875343e371b5ce5006919720876a8c0e15b4692b153b87fb753121233b34a5889d37e086c357edca403baa2500c1d4b2b44ac040d3127ae2f1

Download Submit
C:\Windows\SysWOW64\Boljgg32.exe

Filesize
90KB

MD5
0f20f431c04f3350ced29ded8e236900

SHA1
3b499b20ef1a7615efef6b95bf0bd59fb67c201e

SHA256
16d5f58c4650673948914bfe957eeed7cfaf4d10c883753d0d8a4edbc6ac9401

SHA512
8fa94f567c58b57c85651b429509191b11dd0a6cc41ad509ccd021951af9a67568e828600895876a7709ac286d0e9686c15c2c9eead4fbad25fb0c3cd2ed24f2

Download Submit
C:\Windows\SysWOW64\Bqeqqk32.exe

Filesize
90KB

MD5
5499ef59e5c9d0cfbbcdbb64c10d775a

SHA1
5e9f79bf5341875f3adcfb2cdce13c9abe6da554

SHA256
4114c666d75317d248dbf792b3bb57fc12a657033b9a08b5da6464315557b46f

SHA512
07f3546434c3fef98142112a31197c2c9ed55f4e588e5aea8796bb651e4bedebc78457bf6598fe62475c7893011b6999b5891d3a2fc0b14ffead19b6e8f88107

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
90KB

MD5
c5a348730107a487506606f5826a84f5

SHA1
04f9cf559684107d8379dc6d093acfc8ddd7960a

SHA256
812e2840cab9614638bfbbe4a962cc509c1cc1dc43e2b3ed0e000c43bdf00b4e

SHA512
d1a408960ad11da3dd65f21cf37c4483da815645c74210b8b0a090b7745ab539abfb1d7200590b820a8d3162b45045fd2764049bf511d3b44b8f40faff88a640

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
90KB

MD5
3b0d90e33f06f9f2a7f745d49c2b6bcc

SHA1
f35770c8fefe1ce5581175219f95844f6fbaf9e2

SHA256
185ba28619d14792db596488d2f7a6cef5b85e1925cde9f6996882b309067e30

SHA512
cb63f55fa7ecc8a188fc1093361adc15f11c34991401936c8db51bfecd627f668c4b02ee0195cdd16285e5238f63138d5cc3e052cb56ce980a9cc21e6abc5b9c

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
90KB

MD5
cbd6eec0b1492de4a8bf270de57ae68d

SHA1
a907d768405895efbfee0ee5938eaffb961173db

SHA256
f560c552e6df1d8bd69a42b3f1fb3279c420fd47d28cf6aedf15766a8cc3195d

SHA512
fb42f499462710ecf16e46c24d7de59a67050f671984f1a6243d15cf56938bf0104a360bae57891bd21cd2d64b600a88d5eb8d100e30b9c5c1eeb5192af930db

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
90KB

MD5
f88dc3ef809628a47a57e38a9ab8f7e2

SHA1
47306082bbd4d2e42f9abdd0a725646de201a5fd

SHA256
2ae853cf70999d76524ddd9da0cbcc5784fff7e32fcd95ff4db11a0a2f0db5d8

SHA512
02cbf2cb371caf8d9f2c2d73597938eccf74eea8bdc3431ab9e784c710db1cde9b96e55ca214f4d8d2f3830f27ad7c2a9a47cf1a3d1df652e7d55ba244f2a3d2

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
90KB

MD5
c0890c6d27340cfbbe7d62e05c2b67ec

SHA1
90bf4dc155bf82b26cd172de9dcac3bd0966c6e4

SHA256
0c546426bc77f5944ce89fba260313be4d2b95c29f6362df20dcc5327d4002dd

SHA512
66ac93a3e6f8704201395f0da4fce46a4be79b1eda868128101a95ae0a18511096f067b6bce09e6c8e8bd7c56284e093b1c2618f7c84422cf3e3f3f0141221da

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
90KB

MD5
b92d42ca9bbee617132e77311666dc58

SHA1
74fda2a2cc5c50f201a31d104c3cbdcb360a750a

SHA256
a41e3f59ebb706881dd278d044b79b5ff3669036acea1bd1d9c29222b41dbf9b

SHA512
5d4f32fe8fa4926ba5b659218a360702b25f09bd57882c68c2e1840f1638edcf4a58ff6f92305ad9981a822722302860bee64fb0025b1559542f89c4e45f781b

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
90KB

MD5
79467b0948d9b4a8faa335838b0420a0

SHA1
a79e8514c911adfced47f650c43345a0e3aad5f0

SHA256
5855a2d8202fcb37b904ca98e537c0387442e625ca9d76c11683cd8dc32b79e9

SHA512
8ce09d0268abb35caeadb6424dab15d51b5b4df34c4ff4e4bc19038afb2ed8ae5bb8c37b0116feb97d96e425df2b55b3c072ade31df45d09ed8c79b51b6a3de1

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
90KB

MD5
7f6d9163352c2c0a7e731192bc575b14

SHA1
4431e51fd397dd497d2d4691972b186d2b7d8678

SHA256
9b2ecb76c6ef04a3518f6d421071a696868ac92c37481d717cda49c00d8c2cfa

SHA512
2438945afabc270c6bcb4554ed39d8f448b5b4143b60b163e37bf2f69fc72f6cbe05709282b796f9c5cb0ac4117ade73b779f605dbd93f9ae8fd4b4d5836b2cf

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
90KB

MD5
db60ea11a942e0d1db915657c2bc723b

SHA1
9158ea0eabac85df62b55fef7897f09a61159e93

SHA256
74e8770670207f2fd4e0f91de1ff7e86c78f75bfa79973f1d7167f744a7bcc29

SHA512
dbd77847fb769a9d3f0c5f9492b6ca414cca5d6048c0de25cc8250eebe5da46027709dc0be9cd30bb3467857c914248ed41e7fb0f411f49847ae4735353ea493

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
90KB

MD5
aa88d6cbf5c80fef32d30b090b398f30

SHA1
9b13569ef452684ac7cb579fe236644953cbe6ec

SHA256
d3abdd26cb886f4d7a3b2e22bde2efc4677c58506a6a6ca29f09fc2903627834

SHA512
a436a7a59ce72acdfc874ea05446b25778cd18534e99df2d1f2cd351348ce261b5e4dd933843ac3f55583b40447ccce0f91714f0551cad2f8a36f743f9f69a00

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
90KB

MD5
a7a6ece07159a834fc59535e965a8962

SHA1
9dbdbd66469d30ec09590992b430d94f7b10ba9d

SHA256
3edb2cf04a5ad4f126d8ba142b23808c081b9bfd5e513850ea91e1daa799b19b

SHA512
8f51f98270b4b448458d5c2c653acb9b6eadb792c599662400b6761dbd348bb8f63dd01fea0370654eec9b41d365b228a50f2d1dfb064292ffd88ef795dcd7a7

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
90KB

MD5
dcec8aa209db0a36a9d039ab3995fe86

SHA1
72ef01d5e969d4e3a8255f0612b4902fcf81df98

SHA256
eb664a2bc796d9a6614a02ca2241bcf9d1a9f77724f0c6ab42d9a1229f9f79ad

SHA512
447b9d55e946970f09a75d218184ed72c9d469d61e2954c6a18f3ba78fc3ebda3bb227eba7ab52a77537b8344136c95dcd43c8bdcae86b3b842f988e85764c76

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
90KB

MD5
5e057f8cbc0f8d896f40ddd348b88f26

SHA1
1accde2b5c546647885a1689e20c6abdf6bafd08

SHA256
a65a719f867a2979293ca36c321c514f5758beb8e4865cd444685ae3d6cd9fb1

SHA512
dda0b3c6abf27085bc257f9ba5a200cb32dba712d99dfa6307fe8bcd9090f5970c39ebec98ada5b6ab2353d1d6fde509db5a0fe533b34ffdf0d99f060f595816

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
90KB

MD5
ef1d06136868d39b16d85cd8a4ddfe73

SHA1
b0c5c91c25da79a905dc38fa3fbf66f0116198f1

SHA256
6154497edd281fe0acc2a1ee46622a07ddbabc76ed72c99c8f81e3de5a287e68

SHA512
cede1f08a9d7afd856138ef74fb5ad696c0c761bfad4f0818bd377202bf4346a0e1f02573f8ea4ad1cceac4a62943c94edd15abd2317b4e745006b211bbaf5c6

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
90KB

MD5
8d4b3b7de79e0ca811a8ccb9eb775c6b

SHA1
593812096c382d618ca93e5bcecd157e9fd02dda

SHA256
06b80aeb2f1948a20c89875ce0be94bc136ec9395328e4db904ec1c0843a07af

SHA512
be065aefd5a1583b80d81ca34e1b089e907e5061fbdd13f7dd7c788963917c28eabd7c908b13d6dc7786c6e99cae12dbdd770565e23a824d66c04c02aa677131

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
90KB

MD5
9756c18192b4d0dff4fd10005183271d

SHA1
4bb564d38542b09b55bd6a1f7d65fdf9d8e62d90

SHA256
7666b5cdfee4483b0166b6c79f19125c9a623bb7ae139c7b815680d7d64f4bff

SHA512
82c4cf73bdb2fe88eae1e67a5fc479cef683ffc8f81a957cfa7cc7d0cc8ca8a4d4c2fc54bcb96af6f0736e50f3cbd5bf8c9b49ad357a8f35b0b54b397c501aa0

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
90KB

MD5
6f0a1e308fad90b582b399c64c055e8c

SHA1
4e9e883d17a825087504171e14ac1424fa0da2d0

SHA256
ecf7b2d0bb229723cec557b32b670e19f7529fe270c43fd543093bc2e6247fad

SHA512
a0139a902fa7b0fe78009f0e3a8e20f6fc3c4be87d1401e6b34739e16923c9f9f3a5027b90c00d1d9d0dff19a0348e649560760a10cd0aa7c2503f555381fb93

Download Submit
C:\Windows\SysWOW64\Ckhdggom.exe

Filesize
90KB

MD5
083ebe8dfff4803a77c5ac996c91dddc

SHA1
d0e24452347633298ac7d146784350e75ce9fa3c

SHA256
f464cb80633007ec8cfa6d0517ca43076b63f5355165be9d0e8199d39a7ec7d8

SHA512
3bca223c69e386990908b92a03ed3a8634c053dfd314d4cb893c82edbd0c4759e16b368b3fe0266687eedb69c16f9b722fbb579a1cf8b0ae9cbc45b2165f66b7

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
90KB

MD5
67bf82c9c9eee4309ef1bf727beb9ec3

SHA1
0fa42b511269a7303ada78d962c011cb73c654bf

SHA256
f69dfc2ce977c04886705494993de5bfd7024356a71df5b2e1245b021aa3da42

SHA512
3f2cdd33a6f3ded99dc0d165f1b27fc3cf42c6be2220ed48f388718bb2a4b1932482a0daaf02bf1594aa4f0684bc7b161ef0c785b95bc7b6497f2687414c029f

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
90KB

MD5
be4c2fc796a0da7f21b1f72a899e33bb

SHA1
687823e996c10dfa73617b359ed76966b048fe3a

SHA256
7048f2697f21a98d26518353f916043d31426b7b676fb25b23db116dbcf73d56

SHA512
2f9d423c3e4673ed42e8db73e9b60f9e9e600379b3ff636100e197348003edaddfafc38862464fae97fa60ecf30316286c419a2dcaeb76ea45592c0a729b62f1

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
90KB

MD5
5faa498d01b8e02eac042bdc016ea82c

SHA1
e944f5abd2192ce3e60d7f88778facfcd6124dc0

SHA256
27af5bec881be8ff144eb978ec82bc06bb329850be93e07d7272efe618079dcd

SHA512
6f0420144d30672bc1a899f3d0e5d59a8ceb77d809b2f5bc971907c977c51d72f448ed6882a67c378b103ebfcb5fd667acaebfbfbdcc8d5169230f4b3f7cf32f

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
90KB

MD5
07c5ce10a5d8894456ba1c75bc5d725b

SHA1
894e9da8acddd0e9159e06fb8806729b4f7c0943

SHA256
eccc665c8acc09aa502ff392e910692f2c916e598d9171702280e3d85866c960

SHA512
7efae5dcfb379d5fdc85e17c792e1cacec83a0afad480b935bdd9162affec4c4b4d0b4258d03b6843c1bc80aaede1df54667a76d43ff02f7c539b0404a9651a5

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
90KB

MD5
3ace2438caf2404488e6dba7258db459

SHA1
db097844fd2abf04fe7353a5664ab36ddfcf38b6

SHA256
b823e825d1fd060f270346848ecae27f8066c138a056735efc6c0d1d22289528

SHA512
871d09a82460894fcf5682e663e43f3034dae534e8d73b40162866a3c5ca8385ce99168643d94b9b2839dff274d19678cd6ed2820702f8605d2b3093f0db3907

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
90KB

MD5
be5a505d064020326303270d6f0852c8

SHA1
d86ee3de85d1b01f8df9789e2a86dd4a6158def7

SHA256
f55ddc2c1cdb32ecb5095d7bd70b0b64f0b4b71c4c6e21dfc47e46b67a47caa5

SHA512
43de54a9d2e6f4cb6ce6d06723ec5568b4800f3320f2f1412b72370ad52814c0420674f9b67701014496073419e12006eb9ea512d790c774f4ed4887ac8451f3

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
90KB

MD5
b198275ca4d7e2dd65ec9017f0b15324

SHA1
7dc60a00544fc3e34b598840604bbc99f88f5da9

SHA256
a51b85ed0774d04e67f5f63f45fe03577d827ea6071f79219a89e2158e081ee4

SHA512
773a7a8aa2a4e434d76e2a7e550ba706b4c0d192e9865a665f483489bfc4ced6c16073e252fee9932d30ea87070d2081ba0964ce977d8f4fc50fd257aafd0c10

Download Submit
C:\Windows\SysWOW64\Giddhc32.dll

Filesize
7KB

MD5
a5362648354e6feef49192feb5edca10

SHA1
5bc730a0ebe37fe0488861aed3e4019eefdb56e9

SHA256
ad32fc4e8556dbe68f5d5e0ae5ef9fa33e412b0867e796cbe5b0fcf4c893fea7

SHA512
1130b6c830d82b1959b62f1d375aa51c7981d6573cd3bc9dfcb908a1936330ccdbdcdd551a598b0ada1b76fb783551d4c333acceb986091a8760c7b8e4ea52ce

Download Submit
C:\Windows\SysWOW64\Nabopjmj.exe

Filesize
90KB

MD5
42a3cb2fcde140a0fa7ec0a11b53c67e

SHA1
a280a3c99c64054049449b94ba7004d0389a0dfb

SHA256
94953d5e53a7e141eca98275a16fcfeb789cc83da25650fe3e1ac551523d1121

SHA512
190dce2053ee5a22e4a3d77f6dec851819770bcd0df070e2c774845e9f8f0455b56053c71fe0ed29a708330f03989b87193296fb5a8561052062b65b5acf9f0a

Download Submit
C:\Windows\SysWOW64\Oemgplgo.exe

Filesize
90KB

MD5
26c4a67271d121aebedab4064d756e05

SHA1
a7102ff7fefa463d95aa8283c1eb443c78c852ab

SHA256
510b3b3a5a5f988b5db4841fc619afd1a3bd55965770d09420b4dd87790a2eb0

SHA512
7a70f95bf010f4385cf6d79b9e82f654eaba21fdb75ab803122b18b169917e242805e4a480795909a49ff81142e5b92ad8f11d5c9e66a4c283bbaf19c72f1028

Download Submit
C:\Windows\SysWOW64\Ooabmbbe.exe

Filesize
90KB

MD5
7fcadcce1213f0c044be803dfd4d5748

SHA1
1a22a314f1bf95fa2c492b0fe106994dd56e8bff

SHA256
c9581e127f99937080e3ce98edcc6fb9d24ddb9184e969c745844aef6d977b0c

SHA512
a17e052a567232e855654ff13102c977ab95ce1fffea7079ccaff7eca41b9730d49206f3fdf82ee3e31ddd9d2dc1775d1f15c8ac9421d80a158eed72e1d862c6

Download Submit
C:\Windows\SysWOW64\Opglafab.exe

Filesize
90KB

MD5
e26ed1a9cced328257834d3734b98ea1

SHA1
c1a6bd8a2d3c51d9cca5bb2e0bb03f53316ee592

SHA256
1d52cee56b4798cdcd9d213de179c3274dbfc0cac8eff3eb82ead5630730bf0d

SHA512
969c712eadce1d692e24a1afb9fa04ec1b60f886dfc23043f538f5ac308b5f8df0b69fc2294d15d54320b15293c39aa1fa6c2fc792e437c1995e64f985dd6e06

Download Submit
C:\Windows\SysWOW64\Oplelf32.exe

Filesize
90KB

MD5
90429f231ceebc8923e397cf09110065

SHA1
2bfae48d8a6ee28103b642c5c3af4a0b442ec849

SHA256
96802bbd823298a208206bbcde137b001aeb3f523746a2565eddc83963ed8bb8

SHA512
2114b84f9694fc7c56764b05889fd2fc89d02f29e3be3c70810674a4fff5ff14806a91ddaed964bb001de6686fd187af9bcf2014f46c45248d7c32bea05f6e2d

Download Submit
C:\Windows\SysWOW64\Pafdjmkq.exe

Filesize
90KB

MD5
d6097c2ab0c9329d5fc5ca899f2c592c

SHA1
ba1f2f7cff25ed1e5eb1a02ac7aca2bc693685a2

SHA256
849c7ca527e322e1dc98ed36217ce8c9ded0f2a223edc0e0925b846263dabb01

SHA512
fa9a3f877b4a91729279f576023ed9390f3fadc3b3d4948cdfb51b09c0de2f1f1740cde17bcf2dc2bb0edfdecf5363b21a3846b2a0ffbac18f37923dd9cc4e63

Download Submit
C:\Windows\SysWOW64\Paknelgk.exe

Filesize
90KB

MD5
a463a03876ff37d86ee0e04089ade68a

SHA1
1c3e1abab8f41890e7e058707980d8cd54b90c35

SHA256
ddc69e31a0bf2b288dd85eeee944c9b05ebd211fcddc8ba9fc372a32a5f3fb18

SHA512
95536612a75bc5564229a38145b18ec4899ce9799d4e85f5e9e5d9e5436124d6d0ea8b9d539d8eaa46998283e04c02fdea645cbd95dd75838ccb05a94299d0a9

Download Submit
C:\Windows\SysWOW64\Pbagipfi.exe

Filesize
90KB

MD5
9f826b5b8ab2d064ed7879d43f60881c

SHA1
1af11500fbcf3377074b07214646caf527ce5ef1

SHA256
f77de5043dfe2dd401f2ecc64320841ad8f9cb80ddd02d337947d6095fc5aa59

SHA512
3ee3c9772fda1643488fac85dae4b5f2a6fdeb48dd24dcf2ab8fd55233bf5b50d719d4028c3c3c6d0dbe6285729f35e10b79e272d2d8a36c8a96afea9b44d73d

Download Submit
C:\Windows\SysWOW64\Pkaehb32.exe

Filesize
90KB

MD5
3851844e681969e05a2958ee4311d14a

SHA1
8720a2ac620333c19d93584f9491807b8b8e43b8

SHA256
f8cd78a351aa9bd54a9b53be4fbcbb41ca845b72ec5835b6cdaf7a9120fe7fdb

SHA512
6184a3ab375855315c3c1adf1cb3fdd2db42068c6ccf14c84ecddea55392198e84c3e4760940d0f2983a89b385010316e4ffaa93558d2987fdfa8c8fc3136c62

Download Submit
C:\Windows\SysWOW64\Pkcbnanl.exe

Filesize
90KB

MD5
210b19b0731e61be570938a7ee79a02c

SHA1
be7ee8ecba82b8413db21487b31594e603dacd66

SHA256
a9231b866b415fb77451e6a0f11bb6aebd05d11979e1a12e30e5415dc5a4c370

SHA512
ea33cd262553efeb5fdf97ee3c8146d029fc49fa739a05395c3d4b6c28a7698f2501a76178ad744890f7ecad09ae1c1daf765e8aef0c2b6465fd4ca6e6ab9ca2

Download Submit
C:\Windows\SysWOW64\Pnbojmmp.exe

Filesize
90KB

MD5
e9880e4c6471bbd07b0e5ccaa599ce78

SHA1
d473ec37ad1568ae9fc761d4723378be6f7407b9

SHA256
0dab5346ebe2904d9add33cd4bb7d322a1c20287d381e8d22fde1df27239198e

SHA512
61c65cecf2da5435464e5f9034a8d46541d666fff237d2b4141201269caf71edf04fcc10ab91832fda7071a24f59cc28afab390e0e191e5de0ccc8878855016b

Download Submit
C:\Windows\SysWOW64\Pojecajj.exe

Filesize
90KB

MD5
f3a76132e7e52ea9dd2a2e8bd69f98d3

SHA1
b2fc3d76f94a7a74ef386f03a83b499382a3ae89

SHA256
fb8cfb78dc0b2950acbbc4f97d48c48229997bbd134283d8f9d9b5a1a5c061ad

SHA512
5454a5c38d2834592f86895ab097cc1d2ab7593d2f9b1ee75c1b0859f105fd866ea8474dc8056b3e46b68863187c2fff4842b40e3d74dcff71b60fb320f790ce

Download Submit
C:\Windows\SysWOW64\Pplaki32.exe

Filesize
90KB

MD5
099e545bdb113124e41b110aa95da49f

SHA1
344fb6df748407d3dc12eb6a095fee907d039587

SHA256
badc6cf82c14cc7e948ff2b8cf78509df19a3fb7c081e7f103f4dbd9baa7c921

SHA512
ea33bc841f97ce5948aa842131949a35edabfb1d2e004560bf51908f02d6933c62a4abc8fceac5c0d339fd21d669fed1da9abee68d6c83d81b01384e4d777f55

Download Submit
C:\Windows\SysWOW64\Qeppdo32.exe

Filesize
90KB

MD5
7f4ae298c954b36b5d2fa226965112ca

SHA1
7e70547efdc7650bf0503f46022f97c887e2eaff

SHA256
8f9fe184d02df43ae332d888c395e6e38be6497921d6bfa02d0b2760d44a96c1

SHA512
bb9cfebfee6a29e1883a142ed8e88e27fb4b864d90cf9f67609ccc1b35fcdac9bd05abdc88110b100ef0acdc70316dd31a767d594dad502353fdd31a3c628dcf

Download Submit
C:\Windows\SysWOW64\Qgmpibam.exe

Filesize
90KB

MD5
8b57c2a408a04417c9fd5e597329319e

SHA1
6084d3346b2a12cb0fa094f2130893b88ac44006

SHA256
c01e667bca35340acffb12a8366adcd8a9f8a8a9ce95a83eb96734268af35fa6

SHA512
2f039d335c954bd52ccff0ee436529506a9eb271b04b5780f7f50ffe0facedd4656a986b0f3516634c073f2b14457b6a46e1fdc462326055354a9ad6e4bd075c

Download Submit
C:\Windows\SysWOW64\Qkfocaki.exe

Filesize
90KB

MD5
7bc5c25d72fa55fd0ad83ae839664c96

SHA1
16952791bd7b5acfefefacb4c063e03d64798ee5

SHA256
c3a0b5118873250b4c60a326eae5f3407f5af71dbf79c216974efb7e72f8caed

SHA512
d4007f55c214cea550ae9f8b801e5109848351e61a28a65d500662764e82fcfb9f1559d23ebe7e95e6b554d8c15d6e7ceca50a395a4f3006fc04b48d0511edef

Download Submit
C:\Windows\SysWOW64\Qlgkki32.exe

Filesize
90KB

MD5
dfa6f90782d318f53203338a1ff78f8a

SHA1
f8ea088fbabf8adbc7301b13c7f496f04493ea57

SHA256
5adefe916dafe7977a02f7e4a75e6ccf10c797fcbfc18fe5fa320698bbb9284f

SHA512
771c7743bcc222b281439e21892e7a46ccd717e433eed16f378f977e365dad207cd9e00113d9f6762fadf9c4379ae821934e8d9577d854c305d1339105aa2d67

Download Submit
\Windows\SysWOW64\Nhlgmd32.exe

Filesize
90KB

MD5
73e9e3450a4c84bacfe80ddccb4d6d9f

SHA1
980c0167354a7782fc94bdf2f777cb0fd02b3cdd

SHA256
82fa71016f2afcc708c2a00b24d1961ad62e466ac044d4362646af1df3aa959f

SHA512
bb728bfb3cc8c5a762a0a56a84afe70b1a61b44a9faba0c9a850517519164112addd945971162d94cf03669b582f5a548e1e33c5e6b0d7f2e6bdd8d80d2af057

Download Submit
\Windows\SysWOW64\Nncbdomg.exe

Filesize
90KB

MD5
3b4e9d369e7c554472b02c3ca9615c5b

SHA1
225887ae675f9929b92b5091a0b00d99d6f75bc0

SHA256
452b626cbd1b47612712c403a2a87f45a53aa69acbd8ad313ea149e6934293c7

SHA512
73d2cc72499b4c534caf725bcf73d70bfa90dffe3ae96ac6107972e2c064ba23ec3e915bfb99dca86a29d2868c6c7efc9076b88d1013b6fbe20538e4a5bc683f

Download Submit
\Windows\SysWOW64\Odedge32.exe

Filesize
90KB

MD5
2406585dc3e7858959cbcff3d0ab3cc3

SHA1
cf23c2e62e88474e328e423450f828dc1097ae28

SHA256
0ed68fb2ea9546bbdd953248c76652c11e77732e4bd0147e870abb1f9e901e7b

SHA512
a819d5f3b6fef9b3f167fc997a399a8a72c955dce99361a1e3332dcd77866040ab9f8d0183ee119b694d39f083dca2d0a36b90d8775eb7fa62b7071c2bac5c93

Download Submit
\Windows\SysWOW64\Ojomdoof.exe

Filesize
90KB

MD5
f65fc303ea8cbf28cf1a0be5e1654060

SHA1
5abb1c338d5304ab6f1a82b98171cdc6a3d57bcc

SHA256
18afb6a9143fa229230263e00f66493ef0ed04da9f4d25b7d916e7291c3d975f

SHA512
2b143ea78fe2f8066391741d0c6577eeacd9fb8f74387ccfa12aa36ac6f1ef69838a24985cb67959df03ead5c5a3ae40bec5bb93056ce3d891dd07be30a29a65

Download Submit
\Windows\SysWOW64\Olbfagca.exe

Filesize
90KB

MD5
4e846910df15464cbc53b4db77f44eab

SHA1
7e6e772e41410f83fa87df89f2c9f838de9c6cd0

SHA256
3617f3f535d67cf887c84c17a9cade526db1ff5e5de1c6acca68b54b82646329

SHA512
545d4796c8884b0233b3e2d061fe6317392692d01f0a9b747a7fdf630f5dbb03ecda155891b8c4a403056eb57c11201b032ed59018fbac51e17e804c74df3818

Download Submit
\Windows\SysWOW64\Omklkkpl.exe

Filesize
90KB

MD5
76fc767a368cf11a65c1482635c5048b

SHA1
1e23b7b4b6053ac9e058f0ef11a98c594dea55ba

SHA256
5985886752bf4eeb234850caa827c5fa66774df9e1a7c18b6de38d2041376c07

SHA512
6ce794d9d3f4bb8cc198d7bc2ac3494558b3aec9bbdc2728b63860fb2fff01da8e3e9568af81cb5c868555ef9e3643bb6d0f09d4552cb34e2d1fa99bdde7ef09

Download Submit
\Windows\SysWOW64\Opqoge32.exe

Filesize
90KB

MD5
e6ea919e6ffa8e0631430ce8dc257c20

SHA1
ddff6fdf6d907dad36e443d8345f1a960ed6b829

SHA256
3369c63d2309e6083ecb5572235064bbcc674bf670b917c95f3f3fde91caccd2

SHA512
fef0dfffc8e6bb082b555a6625cdb4c7950d15aff26c8e5621f0702629b61772442e60f7ca0345d549d3369488a0e1075f04504e2b56950fab6952db1932ca72

Download Submit
\Windows\SysWOW64\Pkjphcff.exe

Filesize
90KB

MD5
e4423b449f98d8bf64e6616ff01a4767

SHA1
a2de15d7f1e0da842cf1e8fbb698ac7fc95e470d

SHA256
e351a6f1d895e0cfe273420e7edc1cf951d350df69afea8af597119675d2e3eb

SHA512
d46562187295e8c24587819a03ae1e49d629e9778377b69cd3a39c69323e4679aca097a1ccc89d2ff9ba3ac717b0e95604cd451b3a0195d7e1d35d3e1fa3fc6a

Download Submit
\Windows\SysWOW64\Pkmlmbcd.exe

Filesize
90KB

MD5
af17b90b165634ca403a0750a47992c9

SHA1
121f114fbb73ce069fa522f84745b19866bf7bf8

SHA256
5addbb3d90edebd8a8e4dd167c2b26dd350896d7cf2ea5ec8749599e7af41706

SHA512
0ac4d94d95f725573085a169bb3ea83e76a31c41c3a2dff5bc572f0f79615cf63f5eaac2f8041be76b833ba4eb1463bdf74b5adb1a491d3dffcb4725bc42e1ea

Download Submit
memory/664-414-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/664-420-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/752-260-0x0000000000290000-0x00000000002CC000-memory.dmp

Filesize
240KB

Download
memory/752-295-0x0000000000290000-0x00000000002CC000-memory.dmp

Filesize
240KB

Download
memory/752-290-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/764-250-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/764-278-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/764-284-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/764-245-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/764-237-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1288-341-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1288-297-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1300-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1300-143-0x0000000000300000-0x000000000033C000-memory.dmp

Filesize
240KB

Download
memory/1300-189-0x0000000000300000-0x000000000033C000-memory.dmp

Filesize
240KB

Download
memory/1344-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1344-215-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1344-259-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1540-303-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1540-261-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1540-307-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1540-267-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1540-272-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1668-19-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1684-412-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1724-173-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1724-116-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1744-391-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/1748-296-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1748-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1748-330-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1748-331-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1748-294-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1760-175-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1760-182-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1760-190-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1760-236-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1760-230-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1780-158-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/1780-213-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/1780-204-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1780-146-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2028-217-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2028-161-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2116-203-0x0000000000290000-0x00000000002CC000-memory.dmp

Filesize
240KB

Download
memory/2116-191-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2116-243-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2116-249-0x0000000000290000-0x00000000002CC000-memory.dmp

Filesize
240KB

Download
memory/2152-279-0x0000000000310000-0x000000000034C000-memory.dmp

Filesize
240KB

Download
memory/2152-319-0x0000000000310000-0x000000000034C000-memory.dmp

Filesize
240KB

Download
memory/2152-313-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2152-273-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2276-27-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2276-86-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2460-53-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2460-11-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2460-12-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2460-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2568-84-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2568-92-0x0000000000300000-0x000000000033C000-memory.dmp

Filesize
240KB

Download
memory/2568-145-0x0000000000300000-0x000000000033C000-memory.dmp

Filesize
240KB

Download
memory/2568-138-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2572-346-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2592-407-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/2592-397-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2652-371-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2652-332-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2680-82-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2680-83-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2780-68-0x00000000002A0000-0x00000000002DC000-memory.dmp

Filesize
240KB

Download
memory/2780-128-0x00000000002A0000-0x00000000002DC000-memory.dmp

Filesize
240KB

Download
memory/2780-55-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2780-62-0x00000000002A0000-0x00000000002DC000-memory.dmp

Filesize
240KB

Download
memory/2780-115-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2804-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2804-105-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/2804-52-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/2804-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2840-399-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2840-392-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2928-226-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2928-266-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2964-329-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2964-357-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3016-372-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3016-413-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3016-378-0x0000000000290000-0x00000000002CC000-memory.dmp

Filesize
240KB

Download
memory/3024-113-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/3024-159-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/3024-106-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3048-308-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3048-315-0x0000000000290000-0x00000000002CC000-memory.dmp

Filesize
240KB

Download
memory/3048-351-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3056-359-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/3056-352-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3056-390-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads