berbew | 149467bcaec3a169748c16ed3f55c6ff4f71000366aa8e2ba5d0085c18f346bd

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/03/2025, 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

149467bcaec3a169748c16ed3f55c6ff4f71000366aa8e2ba5d0085c18f346bd.exe
Size

92KB
MD5

5ca35aab1c57870d355ef7cd41a375ce
SHA1

8886ee5904d2fefbb389ce0d6ecb15bc6718cf69
SHA256

149467bcaec3a169748c16ed3f55c6ff4f71000366aa8e2ba5d0085c18f346bd
SHA512

52169c4b829b72063030c4dd3bb32a05103a99b32e75960e0e5417b3b1da2d695ec4585fd7be7d8db084bc323539163ef561043deda546d0ce4d137d0b810a5e
SSDEEP

1536:A/AclQw9M5zX4OaFCOIBMjK9Xyhzuc/R2LHFTMQ262AjCsQ2PCZZrqOlNfVSLUK8:A/Acmw9vbFnISnhzuiqHxMQH2qC7ZQOP

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqacic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmojocel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abeemhkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeenochi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apalea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	149467bcaec3a169748c16ed3f55c6ff4f71000366aa8e2ba5d0085c18f346bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajpjakhc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqccfed.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cilibi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdnko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkidlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqhijbog.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeenochi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjbjhgde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apoooa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqhijbog.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqacic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boplllob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biojif32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	149467bcaec3a169748c16ed3f55c6ff4f71000366aa8e2ba5d0085c18f346bd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odjbdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oappcfmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmjqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjnamh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmojocel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aganeoip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnielm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcdipnqn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aganeoip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgpjlnhh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkidlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjnamh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmhideol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odoloalf.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2908	Oalfhf32.exe
2752	Odjbdb32.exe
2648	Onbgmg32.exe
2244	Oqacic32.exe
1048	Okfgfl32.exe
2920	Oappcfmb.exe
768	Odoloalf.exe
3040	Pkidlk32.exe
1256	Pmjqcc32.exe
2232	Pcdipnqn.exe
1312	Pjnamh32.exe
1928	Pqhijbog.exe
1948	Pjpnbg32.exe
2120	Pmojocel.exe
1588	Pbkbgjcc.exe
2384	Pjbjhgde.exe
1632	Pckoam32.exe
2500	Pbnoliap.exe
2276	Pihgic32.exe
1744	Pndpajgd.exe
884	Qeohnd32.exe
2036	Qgmdjp32.exe
2840	Qgoapp32.exe
2804	Qkkmqnck.exe
2632	Abeemhkh.exe
2668	Acfaeq32.exe
320	Aganeoip.exe
1492	Ajpjakhc.exe
2272	Aeenochi.exe
2596	Achojp32.exe
2460	Amqccfed.exe
316	Apoooa32.exe
2712	Afiglkle.exe
2480	Aigchgkh.exe
692	Apalea32.exe
1856	Afkdakjb.exe
2576	Amelne32.exe
2096	Acpdko32.exe
2140	Afnagk32.exe
1144	Bilmcf32.exe
1032	Bmhideol.exe
2200	Bpfeppop.exe
708	Bpfeppop.exe
1652	Bnielm32.exe
2224	Bbdallnd.exe
2544	Becnhgmg.exe
2912	Biojif32.exe
1596	Blmfea32.exe
3036	Bnkbam32.exe
3044	Bajomhbl.exe
572	Biafnecn.exe
1964	Bjbcfn32.exe
2132	Bonoflae.exe
1736	Bbikgk32.exe
2520	Behgcf32.exe
2940	Bhfcpb32.exe
2312	Blaopqpo.exe
1800	Boplllob.exe
1772	Baohhgnf.exe
704	Bdmddc32.exe
1952	Bfkpqn32.exe
1628	Bobhal32.exe
1160	Bmeimhdj.exe
1068	Baadng32.exe

Loads dropped DLL 64 IoCs

pid	Process
2300	149467bcaec3a169748c16ed3f55c6ff4f71000366aa8e2ba5d0085c18f346bd.exe
2300	149467bcaec3a169748c16ed3f55c6ff4f71000366aa8e2ba5d0085c18f346bd.exe
2908	Oalfhf32.exe
2908	Oalfhf32.exe
2752	Odjbdb32.exe
2752	Odjbdb32.exe
2648	Onbgmg32.exe
2648	Onbgmg32.exe
2244	Oqacic32.exe
2244	Oqacic32.exe
1048	Okfgfl32.exe
1048	Okfgfl32.exe
2920	Oappcfmb.exe
2920	Oappcfmb.exe
768	Odoloalf.exe
768	Odoloalf.exe
3040	Pkidlk32.exe
3040	Pkidlk32.exe
1256	Pmjqcc32.exe
1256	Pmjqcc32.exe
2232	Pcdipnqn.exe
2232	Pcdipnqn.exe
1312	Pjnamh32.exe
1312	Pjnamh32.exe
1928	Pqhijbog.exe
1928	Pqhijbog.exe
1948	Pjpnbg32.exe
1948	Pjpnbg32.exe
2120	Pmojocel.exe
2120	Pmojocel.exe
1588	Pbkbgjcc.exe
1588	Pbkbgjcc.exe
2384	Pjbjhgde.exe
2384	Pjbjhgde.exe
1632	Pckoam32.exe
1632	Pckoam32.exe
2500	Pbnoliap.exe
2500	Pbnoliap.exe
2276	Pihgic32.exe
2276	Pihgic32.exe
1744	Pndpajgd.exe
1744	Pndpajgd.exe
884	Qeohnd32.exe
884	Qeohnd32.exe
2036	Qgmdjp32.exe
2036	Qgmdjp32.exe
2840	Qgoapp32.exe
2840	Qgoapp32.exe
2804	Qkkmqnck.exe
2804	Qkkmqnck.exe
2632	Abeemhkh.exe
2632	Abeemhkh.exe
2668	Acfaeq32.exe
2668	Acfaeq32.exe
320	Aganeoip.exe
320	Aganeoip.exe
1492	Ajpjakhc.exe
1492	Ajpjakhc.exe
2272	Aeenochi.exe
2272	Aeenochi.exe
2596	Achojp32.exe
2596	Achojp32.exe
2460	Amqccfed.exe
2460	Amqccfed.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bqjfjb32.dll	149467bcaec3a169748c16ed3f55c6ff4f71000366aa8e2ba5d0085c18f346bd.exe
File opened for modification	C:\Windows\SysWOW64\Qeohnd32.exe	Pndpajgd.exe
File created	C:\Windows\SysWOW64\Bmeimhdj.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Mabanhgg.dll	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Cpfaocal.exe	Cmgechbh.exe
File opened for modification	C:\Windows\SysWOW64\Cbgjqo32.exe	Cddjebgb.exe
File created	C:\Windows\SysWOW64\Ejaekc32.dll	Qgoapp32.exe
File created	C:\Windows\SysWOW64\Ljhcccai.dll	Abeemhkh.exe
File created	C:\Windows\SysWOW64\Bhfcpb32.exe	Behgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Cdoajb32.exe	Baadng32.exe
File created	C:\Windows\SysWOW64\Aobcmana.dll	Pihgic32.exe
File opened for modification	C:\Windows\SysWOW64\Apoooa32.exe	Amqccfed.exe
File created	C:\Windows\SysWOW64\Bbdallnd.exe	Bnielm32.exe
File opened for modification	C:\Windows\SysWOW64\Cbdnko32.exe	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Hepiihgc.dll	Pbnoliap.exe
File opened for modification	C:\Windows\SysWOW64\Ajpjakhc.exe	Aganeoip.exe
File created	C:\Windows\SysWOW64\Mmdgdp32.dll	Becnhgmg.exe
File created	C:\Windows\SysWOW64\Cfgheegc.dll	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Eebghjja.dll	Okfgfl32.exe
File created	C:\Windows\SysWOW64\Hbcicn32.dll	Acfaeq32.exe
File created	C:\Windows\SysWOW64\Bpfeppop.exe	Bpfeppop.exe
File opened for modification	C:\Windows\SysWOW64\Qkkmqnck.exe	Qgoapp32.exe
File opened for modification	C:\Windows\SysWOW64\Afiglkle.exe	Apoooa32.exe
File opened for modification	C:\Windows\SysWOW64\Bobhal32.exe	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Imklkg32.dll	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Cinfhigl.exe	Cgpjlnhh.exe
File created	C:\Windows\SysWOW64\Eignpade.dll	Bjbcfn32.exe
File opened for modification	C:\Windows\SysWOW64\Blaopqpo.exe	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Dcnilecc.dll	Odjbdb32.exe
File created	C:\Windows\SysWOW64\Bnkbam32.exe	Blmfea32.exe
File created	C:\Windows\SysWOW64\Oappcfmb.exe	Okfgfl32.exe
File created	C:\Windows\SysWOW64\Pbkbgjcc.exe	Pmojocel.exe
File created	C:\Windows\SysWOW64\Cbgjqo32.exe	Cddjebgb.exe
File created	C:\Windows\SysWOW64\Pcdipnqn.exe	Pmjqcc32.exe
File created	C:\Windows\SysWOW64\Amelne32.exe	Afkdakjb.exe
File created	C:\Windows\SysWOW64\Becnhgmg.exe	Bbdallnd.exe
File created	C:\Windows\SysWOW64\Ocdneocc.dll	Pkidlk32.exe
File created	C:\Windows\SysWOW64\Boplllob.exe	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Nfolbbmp.dll	Boplllob.exe
File created	C:\Windows\SysWOW64\Aeenochi.exe	Ajpjakhc.exe
File opened for modification	C:\Windows\SysWOW64\Aigchgkh.exe	Afiglkle.exe
File created	C:\Windows\SysWOW64\Aohjlnjk.dll	Oqacic32.exe
File created	C:\Windows\SysWOW64\Jhpjaq32.dll	Oappcfmb.exe
File opened for modification	C:\Windows\SysWOW64\Pcdipnqn.exe	Pmjqcc32.exe
File created	C:\Windows\SysWOW64\Qgmdjp32.exe	Qeohnd32.exe
File created	C:\Windows\SysWOW64\Bbikgk32.exe	Bonoflae.exe
File opened for modification	C:\Windows\SysWOW64\Oalfhf32.exe	149467bcaec3a169748c16ed3f55c6ff4f71000366aa8e2ba5d0085c18f346bd.exe
File opened for modification	C:\Windows\SysWOW64\Okfgfl32.exe	Oqacic32.exe
File created	C:\Windows\SysWOW64\Naaffn32.dll	Ajpjakhc.exe
File created	C:\Windows\SysWOW64\Pqncgcah.dll	Bmhideol.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	Baadng32.exe
File opened for modification	C:\Windows\SysWOW64\Achojp32.exe	Aeenochi.exe
File created	C:\Windows\SysWOW64\Pqhijbog.exe	Pjnamh32.exe
File created	C:\Windows\SysWOW64\Oalfhf32.exe	149467bcaec3a169748c16ed3f55c6ff4f71000366aa8e2ba5d0085c18f346bd.exe
File created	C:\Windows\SysWOW64\Ghkekdhl.dll	Onbgmg32.exe
File created	C:\Windows\SysWOW64\Oimbjlde.dll	Bobhal32.exe
File opened for modification	C:\Windows\SysWOW64\Cfnmfn32.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Pmojocel.exe	Pjpnbg32.exe
File created	C:\Windows\SysWOW64\Okbekdoi.dll	Aeenochi.exe
File opened for modification	C:\Windows\SysWOW64\Apalea32.exe	Aigchgkh.exe
File created	C:\Windows\SysWOW64\Biafnecn.exe	Bajomhbl.exe
File opened for modification	C:\Windows\SysWOW64\Clmbddgp.exe	Cinfhigl.exe
File opened for modification	C:\Windows\SysWOW64\Cddjebgb.exe	Clmbddgp.exe
File created	C:\Windows\SysWOW64\Aalpaf32.dll	Pqhijbog.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2116	1532	WerFault.exe	106

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apoooa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boplllob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cddjebgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	149467bcaec3a169748c16ed3f55c6ff4f71000366aa8e2ba5d0085c18f346bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oappcfmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odoloalf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhfcpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqccfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfaocal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbkbgjcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqhijbog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeohnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfeppop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkbam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bonoflae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okfgfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjnamh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfaeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afkdakjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqacic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pndpajgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgoapp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeenochi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baohhgnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgpjlnhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinfhigl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhajdblk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmjqcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pihgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdallnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clmbddgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oalfhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdipnqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaopqpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnielm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgmdjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afiglkle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbcfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgechbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odjbdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjbjhgde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achojp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aigchgkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apalea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfeppop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajomhbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbgjqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkidlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbnoliap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilmcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blmfea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjpnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onbgmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmojocel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pckoam32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aohjlnjk.dll"	Oqacic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmhideol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpodeegi.dll"	Pjnamh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbkbgjcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbnoliap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcdipnqn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbkbgjcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adagkoae.dll"	Pjpnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdblnn32.dll"	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgheegc.dll"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qkkmqnck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Momeefin.dll"	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eelloqic.dll"	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okbekdoi.dll"	Aeenochi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeenochi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdiadenf.dll"	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqncgcah.dll"	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odoloalf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aobcmana.dll"	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deokbacp.dll"	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abacpl32.dll"	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgmdjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgmdjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icmqhn32.dll"	Qkkmqnck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifmcd32.dll"	Biojif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmojocel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodmbemj.dll"	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhbhji32.dll"	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcpdacl.dll"	Behgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clmbddgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfbdiclb.dll"	Pmjqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doojhgfa.dll"	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkkmqnck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbgjqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	149467bcaec3a169748c16ed3f55c6ff4f71000366aa8e2ba5d0085c18f346bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oappcfmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjojco32.dll"	Qgmdjp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2908	2300	149467bcaec3a169748c16ed3f55c6ff4f71000366aa8e2ba5d0085c18f346bd.exe	30
PID 2300 wrote to memory of 2908	2300	149467bcaec3a169748c16ed3f55c6ff4f71000366aa8e2ba5d0085c18f346bd.exe	30
PID 2300 wrote to memory of 2908	2300	149467bcaec3a169748c16ed3f55c6ff4f71000366aa8e2ba5d0085c18f346bd.exe	30
PID 2300 wrote to memory of 2908	2300	149467bcaec3a169748c16ed3f55c6ff4f71000366aa8e2ba5d0085c18f346bd.exe	30
PID 2908 wrote to memory of 2752	2908	Oalfhf32.exe	31
PID 2908 wrote to memory of 2752	2908	Oalfhf32.exe	31
PID 2908 wrote to memory of 2752	2908	Oalfhf32.exe	31
PID 2908 wrote to memory of 2752	2908	Oalfhf32.exe	31
PID 2752 wrote to memory of 2648	2752	Odjbdb32.exe	32
PID 2752 wrote to memory of 2648	2752	Odjbdb32.exe	32
PID 2752 wrote to memory of 2648	2752	Odjbdb32.exe	32
PID 2752 wrote to memory of 2648	2752	Odjbdb32.exe	32
PID 2648 wrote to memory of 2244	2648	Onbgmg32.exe	33
PID 2648 wrote to memory of 2244	2648	Onbgmg32.exe	33
PID 2648 wrote to memory of 2244	2648	Onbgmg32.exe	33
PID 2648 wrote to memory of 2244	2648	Onbgmg32.exe	33
PID 2244 wrote to memory of 1048	2244	Oqacic32.exe	34
PID 2244 wrote to memory of 1048	2244	Oqacic32.exe	34
PID 2244 wrote to memory of 1048	2244	Oqacic32.exe	34
PID 2244 wrote to memory of 1048	2244	Oqacic32.exe	34
PID 1048 wrote to memory of 2920	1048	Okfgfl32.exe	35
PID 1048 wrote to memory of 2920	1048	Okfgfl32.exe	35
PID 1048 wrote to memory of 2920	1048	Okfgfl32.exe	35
PID 1048 wrote to memory of 2920	1048	Okfgfl32.exe	35
PID 2920 wrote to memory of 768	2920	Oappcfmb.exe	36
PID 2920 wrote to memory of 768	2920	Oappcfmb.exe	36
PID 2920 wrote to memory of 768	2920	Oappcfmb.exe	36
PID 2920 wrote to memory of 768	2920	Oappcfmb.exe	36
PID 768 wrote to memory of 3040	768	Odoloalf.exe	37
PID 768 wrote to memory of 3040	768	Odoloalf.exe	37
PID 768 wrote to memory of 3040	768	Odoloalf.exe	37
PID 768 wrote to memory of 3040	768	Odoloalf.exe	37
PID 3040 wrote to memory of 1256	3040	Pkidlk32.exe	38
PID 3040 wrote to memory of 1256	3040	Pkidlk32.exe	38
PID 3040 wrote to memory of 1256	3040	Pkidlk32.exe	38
PID 3040 wrote to memory of 1256	3040	Pkidlk32.exe	38
PID 1256 wrote to memory of 2232	1256	Pmjqcc32.exe	39
PID 1256 wrote to memory of 2232	1256	Pmjqcc32.exe	39
PID 1256 wrote to memory of 2232	1256	Pmjqcc32.exe	39
PID 1256 wrote to memory of 2232	1256	Pmjqcc32.exe	39
PID 2232 wrote to memory of 1312	2232	Pcdipnqn.exe	40
PID 2232 wrote to memory of 1312	2232	Pcdipnqn.exe	40
PID 2232 wrote to memory of 1312	2232	Pcdipnqn.exe	40
PID 2232 wrote to memory of 1312	2232	Pcdipnqn.exe	40
PID 1312 wrote to memory of 1928	1312	Pjnamh32.exe	41
PID 1312 wrote to memory of 1928	1312	Pjnamh32.exe	41
PID 1312 wrote to memory of 1928	1312	Pjnamh32.exe	41
PID 1312 wrote to memory of 1928	1312	Pjnamh32.exe	41
PID 1928 wrote to memory of 1948	1928	Pqhijbog.exe	42
PID 1928 wrote to memory of 1948	1928	Pqhijbog.exe	42
PID 1928 wrote to memory of 1948	1928	Pqhijbog.exe	42
PID 1928 wrote to memory of 1948	1928	Pqhijbog.exe	42
PID 1948 wrote to memory of 2120	1948	Pjpnbg32.exe	43
PID 1948 wrote to memory of 2120	1948	Pjpnbg32.exe	43
PID 1948 wrote to memory of 2120	1948	Pjpnbg32.exe	43
PID 1948 wrote to memory of 2120	1948	Pjpnbg32.exe	43
PID 2120 wrote to memory of 1588	2120	Pmojocel.exe	44
PID 2120 wrote to memory of 1588	2120	Pmojocel.exe	44
PID 2120 wrote to memory of 1588	2120	Pmojocel.exe	44
PID 2120 wrote to memory of 1588	2120	Pmojocel.exe	44
PID 1588 wrote to memory of 2384	1588	Pbkbgjcc.exe	45
PID 1588 wrote to memory of 2384	1588	Pbkbgjcc.exe	45
PID 1588 wrote to memory of 2384	1588	Pbkbgjcc.exe	45
PID 1588 wrote to memory of 2384	1588	Pbkbgjcc.exe	45

C:\Users\Admin\AppData\Local\Temp\149467bcaec3a169748c16ed3f55c6ff4f71000366aa8e2ba5d0085c18f346bd.exe
"C:\Users\Admin\AppData\Local\Temp\149467bcaec3a169748c16ed3f55c6ff4f71000366aa8e2ba5d0085c18f346bd.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\Oalfhf32.exe
  C:\Windows\system32\Oalfhf32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\Odjbdb32.exe
    C:\Windows\system32\Odjbdb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\Onbgmg32.exe
      C:\Windows\system32\Onbgmg32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\SysWOW64\Oqacic32.exe
        
        C:\Windows\system32\Oqacic32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2244
      - C:\Windows\SysWOW64\Okfgfl32.exe
        
        C:\Windows\system32\Okfgfl32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Oappcfmb.exe
        
        C:\Windows\system32\Oappcfmb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Odoloalf.exe
        
        C:\Windows\system32\Odoloalf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Pkidlk32.exe
        
        C:\Windows\system32\Pkidlk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Pmjqcc32.exe
        
        C:\Windows\system32\Pmjqcc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\SysWOW64\Pcdipnqn.exe
        
        C:\Windows\system32\Pcdipnqn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Pjnamh32.exe
        
        C:\Windows\system32\Pjnamh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\Pqhijbog.exe
        
        C:\Windows\system32\Pqhijbog.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Pjpnbg32.exe
        
        C:\Windows\system32\Pjpnbg32.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Pmojocel.exe
        
        C:\Windows\system32\Pmojocel.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Pbkbgjcc.exe
        
        C:\Windows\system32\Pbkbgjcc.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Pjbjhgde.exe
        
        C:\Windows\system32\Pjbjhgde.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\Pckoam32.exe
        
        C:\Windows\system32\Pckoam32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Windows\SysWOW64\Pbnoliap.exe
        
        C:\Windows\system32\Pbnoliap.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Pihgic32.exe
        
        C:\Windows\system32\Pihgic32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Pndpajgd.exe
        
        C:\Windows\system32\Pndpajgd.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\Qeohnd32.exe
        
        C:\Windows\system32\Qeohnd32.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Qgmdjp32.exe
        
        C:\Windows\system32\Qgmdjp32.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Qgoapp32.exe
        
        C:\Windows\system32\Qgoapp32.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\Qkkmqnck.exe
        
        C:\Windows\system32\Qkkmqnck.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Abeemhkh.exe
        
        C:\Windows\system32\Abeemhkh.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2632
        
        C:\Windows\SysWOW64\Acfaeq32.exe
        
        C:\Windows\system32\Acfaeq32.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\Aganeoip.exe
        
        C:\Windows\system32\Aganeoip.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:320
        
        C:\Windows\SysWOW64\Ajpjakhc.exe
        
        C:\Windows\system32\Ajpjakhc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1492
        
        C:\Windows\SysWOW64\Aeenochi.exe
        
        C:\Windows\system32\Aeenochi.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Achojp32.exe
        
        C:\Windows\system32\Achojp32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\Amqccfed.exe
        
        C:\Windows\system32\Amqccfed.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Apoooa32.exe
        
        C:\Windows\system32\Apoooa32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\Afiglkle.exe
        
        C:\Windows\system32\Afiglkle.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Aigchgkh.exe
        
        C:\Windows\system32\Aigchgkh.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Apalea32.exe
        
        C:\Windows\system32\Apalea32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Windows\SysWOW64\Afkdakjb.exe
        
        C:\Windows\system32\Afkdakjb.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Windows\SysWOW64\Amelne32.exe
        
        C:\Windows\system32\Amelne32.exe
        38⤵
        Executes dropped EXE
        
        PID:2576
        
        C:\Windows\SysWOW64\Acpdko32.exe
        
        C:\Windows\system32\Acpdko32.exe
        39⤵
        Executes dropped EXE
        
        PID:2096
        
        C:\Windows\SysWOW64\Afnagk32.exe
        
        C:\Windows\system32\Afnagk32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Windows\SysWOW64\Bmhideol.exe
        
        C:\Windows\system32\Bmhideol.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\Bnielm32.exe
        
        C:\Windows\system32\Bnielm32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Bbdallnd.exe
        
        C:\Windows\system32\Bbdallnd.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Becnhgmg.exe
        
        C:\Windows\system32\Becnhgmg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Biojif32.exe
        
        C:\Windows\system32\Biojif32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Bhajdblk.exe
        
        C:\Windows\system32\Bhajdblk.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Blmfea32.exe
        
        C:\Windows\system32\Blmfea32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Bnkbam32.exe
        
        C:\Windows\system32\Bnkbam32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Bajomhbl.exe
        
        C:\Windows\system32\Bajomhbl.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:572
        
        C:\Windows\SysWOW64\Bjbcfn32.exe
        
        C:\Windows\system32\Bjbcfn32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\Bonoflae.exe
        
        C:\Windows\system32\Bonoflae.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Blaopqpo.exe
        
        C:\Windows\system32\Blaopqpo.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:704
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1628
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\Cpfaocal.exe
        
        C:\Windows\system32\Cpfaocal.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\Cbdnko32.exe
        
        C:\Windows\system32\Cbdnko32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2456
        
        C:\Windows\SysWOW64\Cgpjlnhh.exe
        
        C:\Windows\system32\Cgpjlnhh.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Cinfhigl.exe
        
        C:\Windows\system32\Cinfhigl.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Clmbddgp.exe
        
        C:\Windows\system32\Clmbddgp.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Cddjebgb.exe
        
        C:\Windows\system32\Cddjebgb.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Windows\SysWOW64\Cbgjqo32.exe
        
        C:\Windows\system32\Cbgjqo32.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 140
        79⤵
        Program crash
        
        PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abeemhkh.exe

Filesize
92KB

MD5
8517b690cfbaecc424acaeaf11cb28a1

SHA1
78c72311f7a90fb04008b84161897aca1424e777

SHA256
dac6aab73a94f7e60454fca161ee35db43862f6f6fd76e1d45b7edb3f8575bf5

SHA512
b172ec75532a44eec3febbbfe397f6d03674aacf6b60330557df43c5d808d0f1fdc361b55c3a8b2fe9eaa82ff75576eccabf9d2f778c9cc14bfa927a7484cfc7

Download Submit
C:\Windows\SysWOW64\Acfaeq32.exe

Filesize
92KB

MD5
f2d6fa489dcba447ce4b1ffff65d01b7

SHA1
84be49e48393cf17534e8cf84708e8ede3e529ee

SHA256
680ab11c103ee00f834ce6ebb0190cf51d3abb670bf778c4576ac6a3e61eb8e2

SHA512
501c4ae2c0b39029cec47d32ca41d30544d655b15df9a880a3908c6781427dbe5d5696c9a0d44e28ea95db2243a1497c604a5d7f24ac8ba13f0cedd477e00d1a

Download Submit
C:\Windows\SysWOW64\Achojp32.exe

Filesize
92KB

MD5
1ebea64a3ac4977319aa28d7f159c658

SHA1
5b801df5e0874053c11e858089198045894f17fd

SHA256
419f2b8a45509b40562303c1c36c399d0f19d0980c9b68d46f56875feed6fec8

SHA512
3c820c8d161ca920482bef460db86e1e736905dc1c762a8515352dd89a48d0bbf45e08a0daa4a9f0eeeff45d8a5b85f39a6d6c82b42f32f0b8438c4b39c428b1

Download Submit
C:\Windows\SysWOW64\Acpdko32.exe

Filesize
92KB

MD5
cc83a3fb102b0302db9b9bbedca5a7f9

SHA1
ba2c6890b529722a7e69d4f34d408d9530a2bd44

SHA256
6161f4115fe4ac557130e8756d7ac752750ff985e408b77372fb775e3c4435ff

SHA512
f23e1c20f7e6af0cae4914e883c251730ad621f60d71d78673fa3c3775862512050e0004f581fe665b11a0d5462d97bfbfff6a98a7a7fbed966492b1587c2e31

Download Submit
C:\Windows\SysWOW64\Aeenochi.exe

Filesize
92KB

MD5
33c36c1092c6af48d1eed111f178daa9

SHA1
c5e516f5a3cac0dd9848529feef90bd82457abcf

SHA256
dc73b85bbff79cd5b3bb323ad5cb0f4c12af01015ba42018e7b68a644ffbfb7b

SHA512
24345e8f04a13efd0a725ff3ec3435334b0a02c58f7a687fd9fa90936cd3f4b7552b9a58a2936b090b39fd514890fb3715792095b65527b97e149f92620788eb

Download Submit
C:\Windows\SysWOW64\Afiglkle.exe

Filesize
92KB

MD5
a07d78bebe1260b4545fb4e67cd30bd6

SHA1
6624271966207772e8869bb5df4c2e8e527cf777

SHA256
291822f39e550c537524c8f79bf4d952e2c2200e08ab6e43e50d78d49575664e

SHA512
bdc80247956ded3b32b3483381f6140abe97b9ee620afdb8aa2373bd8f5abff39d1f1bec491e815e79015996fe1f113a7d171adbf2fc83e2ec17d382c20d3d1f

Download Submit
C:\Windows\SysWOW64\Afkdakjb.exe

Filesize
92KB

MD5
8417cdea7002baae1e257fa7dd4f9429

SHA1
6e60be9db4b2c8abae30eb2f84a1d7328c9f470f

SHA256
8937ad9abb769275c394332191c1bb8b6b9b0ff4c8414ae6033539f281a70541

SHA512
c8549c949604919f321aa7fce10fccb7465910c0bc87deaca09ede2b54fbdcbda14ae9d7b8de1adfd6e03d4eccc0f2df521304b04f1aecc7ffb4323b773f088f

Download Submit
C:\Windows\SysWOW64\Afnagk32.exe

Filesize
92KB

MD5
021e74107294d2e13da68d8833597dca

SHA1
31d22bfc810f8d4083b1b68355ffabcffb6b170d

SHA256
50a07b3cdb13dba7129adc5adaac3d9fc05c099be778b263aec925a3682c62f0

SHA512
abb9a85bd025f37daf1c08bc13922793fd02da711908f83e2fe6e6811efc1cd0816669eeb196a9867336121839608424761047aaf0b0666d2646dd69fdcf4f2d

Download Submit
C:\Windows\SysWOW64\Aganeoip.exe

Filesize
92KB

MD5
67eb13fbfd1c3ae31a7ba4a26a0098e8

SHA1
c34351bb0cd81797461d6ee8a1ca74586e307493

SHA256
296b0017def8733e37242e7430351e204bf7b15d3f72c5b4208fd1871569b1e1

SHA512
3e538b7ae8922db7e8ea2628a71fe3947a8f5570ea47abab9b135f5c42d499c886858262185e7488c1beb5bff9bc52bbd286af11d242c8c38954ba6045c71ef5

Download Submit
C:\Windows\SysWOW64\Aigchgkh.exe

Filesize
92KB

MD5
873c450c2ba80530b53c7758dc38cac9

SHA1
482a9ed3ee19c03d147c3f5131dec9bf81e61b40

SHA256
a63410028b19b0a0fb3f8f2ed7098356b0cb88c7d6433f866ab46b33cf3f0842

SHA512
85e19704b4cef17496052fea1b6acaf13a03429ac469f8bef2c3f48015c7ab9c6f626f34c399e3821f8b6d4aba1d1984631bb352661b2ea9561eaa98e57fe0c5

Download Submit
C:\Windows\SysWOW64\Ajpjakhc.exe

Filesize
92KB

MD5
80efcc40e7eb27a23e1265ab14d0c4b3

SHA1
5e23545d69cda1b5ce0634dd3d3aa7c011c560f3

SHA256
5f6bafa8458359a967f14ce11e6b0da706c056607350edbea56a721640ba50c0

SHA512
82166d02f1acf9715c66135b6b6d755cc1a48dd67fdebab1c119d364bb9300ebc2e1b48e042b3efbb918c5da6f3a50454052f999235eb577ca8a150fda2a2d91

Download Submit
C:\Windows\SysWOW64\Amelne32.exe

Filesize
92KB

MD5
49595f05d9c87847a5662f0731cf4cca

SHA1
082145d52cd9c7a09a1035417c4fefc99910e79f

SHA256
01e4ab5e48339c192b80a1d99cfd812fe747099dc21180a67bdbd68070d4bf7d

SHA512
9694e711adf1416172958f41bc10824f23da6498993f79f683d9dddaffd15c97dfcfe9498c1a961ec5954f07388569a4e29afb2767be57425231391b9066a3b5

Download Submit
C:\Windows\SysWOW64\Amqccfed.exe

Filesize
92KB

MD5
273ad24f2458545e9470262b12553858

SHA1
567bcdf7c2a82888998226a47da7c93f0204289d

SHA256
2db72c81c2d2cb76353107099baca9cf43de05c32f2df0c90659fc47d808ffdb

SHA512
0ba031252f40de150a9acfdc731970049f18edb99fbb054ee2e5566ef543db8583f3431f9d3b094369d063d92c456a067c588d1c4f4fb1f147f646eca70ac4d4

Download Submit
C:\Windows\SysWOW64\Apalea32.exe

Filesize
92KB

MD5
565485260047f7c114182a88c1a64a64

SHA1
3011ee447a91e3ba6230166559dc17854a9a25db

SHA256
235f20707441860fcf33e13b0869b4d23391a7b32ad9f6cb571d18982432267d

SHA512
ddb20edecaf43b94669c95e5c5e351535051772c3cda2b58b3ad082bbfe0e59fba68a0db55f30947c08a12bde38f23b485dac8f12327dc3643b1414c7a917b62

Download Submit
C:\Windows\SysWOW64\Apoooa32.exe

Filesize
92KB

MD5
89d7d4f8b9abcb1d65fef1b670c5d970

SHA1
7324ad44563872ee73bae962978b9abadf516fb2

SHA256
cf404f9ce25ce55ccfdea9b63a18f24a8b6994b3aa27c619da718d6fc72f42ba

SHA512
8be1b0be5eacf8b55916af1314e51f64568039345ab2efd55fdb77b07dc9113f050fb4a4c6a4437bfd37c1d4349b983575797e38b2258b145f22234678299bba

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
92KB

MD5
4023e1df9189286dabe83863d7d0af5d

SHA1
1d745a35c07106f5586bcf1b55b7e022dcc7dab1

SHA256
2209eec1574ada82e2ed662bc300f5e6e7d26df7409eda6d00780e1cffa9841a

SHA512
6117dbf34a7351c7034b0936eb9ccbfde39b4ae5493c504b5e785130deeea49a4af02ca2eabdedc3a649a07b964ba2467de63354eb4068c23de68230f15fd6e7

Download Submit
C:\Windows\SysWOW64\Bajomhbl.exe

Filesize
92KB

MD5
f9c42203bd484b7b34cd7ea904c0e2b3

SHA1
18577d76be188c0c58cc46d351b57bdb45326ec1

SHA256
9e036327471006b93b7cf3df7706983f035005f0f194373ae2ed9d37b5b8ae6d

SHA512
6b75bc990e9359b8c24f4057a77c9ddedd95966237678704edf0754c47da53b1336e9430539f131239f0e9c1f37d56d2afd01f260cf9903f0557049972b65d4f

Download Submit
C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
92KB

MD5
9fc6585b92cd549c516651c96a27c1c7

SHA1
0d19f73140b640a5a20c95450425539b828c09d3

SHA256
bb3f2bcfecf76d8cf1e65f99523de883721afa20ebb85b475f62d8b049bd5045

SHA512
7486b238f227ccb0294ee486e03051d6c6042b19d01b90c0d5225359de9b7caf5a08056030c15b119c170f18529d50f92f58bc08785f28a871408205529f54f7

Download Submit
C:\Windows\SysWOW64\Bbdallnd.exe

Filesize
92KB

MD5
4f5d508c7d2a75f829e366b13f6d68b6

SHA1
fd99a2590e055f5ac5500e246e45f92d4e7dafd1

SHA256
7f7bb9f4fc3587c2f5d9be897a41439f8cf77feb51b3a6107c7f02beb6edac56

SHA512
ee1e994559faf97771dc932f218638b6a5aa9c127ed411ddb3e96181ab7ed50d34d37cd123aff34496c4f01a4ae4d49725b565afa20e29f7c4eac32c672320b1

Download Submit
C:\Windows\SysWOW64\Bbikgk32.exe

Filesize
92KB

MD5
5150ae5cf69ef1c2d8b3799eea3c5b25

SHA1
838451da937790be99fc19a484dc5112fd5964a3

SHA256
f3a503174aeaa0c3f2da9ee5d165b29849d35b13d30e8ca065155b0f4d7b287d

SHA512
df223f4348dad75084a989b749bd77c023331d5db116386de946596a6a0080860c2bc24223f056840a7720b0e29ddc549fc7ab5816645eb7ad2c546d05c06a01

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
92KB

MD5
ca5e862b05ad8b7d6658054f24bedf6f

SHA1
64bb3f1a0d9a9d333570152844937c042467d0f8

SHA256
12d238c432f472def9542cef998b511b510a70262a81daadc22ffc9c36c14a3f

SHA512
e4f95572569c541be2bc86bc9c222de930e73df742792fdb86c1a40e9ea3ea387bb31152462a8ce571d56568d13a5896669a51f51de784e51784d9a83fd5ea47

Download Submit
C:\Windows\SysWOW64\Becnhgmg.exe

Filesize
92KB

MD5
ffe373e7a60b5a000f07659be2dac49d

SHA1
1f8423cfd7d06966bf0bb41ac195655ec75e0bd6

SHA256
b43cc26297d7681b341e8b61339de14b88672eceef4e593a0ed8698c63fb0531

SHA512
4796562cd92609739acae9cfefdf4286d059b153b2f478ae8ae0a46a243af519511ced09a8b24b008b11e7bd8acdca02f930a463cb8e1e9eef1adc475e335c83

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
92KB

MD5
b225f4e22f15c34d272f11cfaae3de6b

SHA1
9c5ddc174359f6b7323bb70237000063bdf42c0b

SHA256
b4f4443fb0acc8098d12c87976af88ff03774dde14c8fc6c9a46c2b5a29f7b30

SHA512
82195a3edcf6b25f4cfa18c2ef5d66ec6684be53acbe069788512af8f86b848daf8c572a11cb7a248d190561d820c17f46749ee588b0a4cfe7b97fb95eef9693

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
92KB

MD5
3ca3fa6c391db0e81e0220d67b4e6618

SHA1
5ef97d8492efb740005a94d373907c39e67f4ca9

SHA256
4cc3c424a21bca15925f77a0a6739f328a1e619f62726edee83f86370cc8dbe6

SHA512
db5ce66ff28c433c187230305db1cdfce03a43603845fb3565a8b4aae4095641292ad191a58e8f05f004e05c056ab6d552ce0daf451e22df8c2fb264c59411a7

Download Submit
C:\Windows\SysWOW64\Bhfcpb32.exe

Filesize
92KB

MD5
e755e60474949715220155f2190ff400

SHA1
4497fb4516e1dc9880b259ae5fd568beadd6156c

SHA256
69ab11997474079a7eb70aa014ea51cab7991432df3c52b2a3be021df1bc1eab

SHA512
e4fd7615f2c600a6271519b4d4d9778dd692fa7dade758aef1482d995f09172cce4286e31f4555f9567eb2a3b18adf5a04771006768efd0ce4bba5fae59f5c3e

Download Submit
C:\Windows\SysWOW64\Biafnecn.exe

Filesize
92KB

MD5
25d83a3623b3b8a32d1076b73b9cb652

SHA1
30fda53dbee16ca28a1f5c725dc28e06c544b732

SHA256
1c5db16e4a1e223982d6f3da55e938a85309572461da3a7fe4c3cde7cabf601b

SHA512
c1d4ce9c068d47c279215aea00e8d19bd207c9446bf10fba5c1c40950d80a759242a116fad9eba14b35f6fe6fc2ce2a6ac02a7a17338664bfeaa45bcc4c17043

Download Submit
C:\Windows\SysWOW64\Bilmcf32.exe

Filesize
92KB

MD5
35818a00c127151613d96605c76a0b88

SHA1
f4d7e156f6d57919480ec88a058f794578ad0fd2

SHA256
0f757fd595f7e478277e87b2c5a37cb293f9816e2c1c65794982305405034bc7

SHA512
22880cfa6fd28d385aad32ea4cb39930b48545212e880f3dc3494aff039499aa04516338507e54becb4e692ffb8ddc9bb7f6e4403d1d8b78ab64fbc1c386cde4

Download Submit
C:\Windows\SysWOW64\Biojif32.exe

Filesize
92KB

MD5
9ab786193a3a9c58c692ecd11defe59f

SHA1
94e811d8bebe112fc0f7e623c4c379801ab3a62e

SHA256
8dd221bd553acbb69fc2c7265197e8301fb925c1960c9bcefb5dd3c00e5b687a

SHA512
2ad6560f565cb429c7d35d7aa9c519e7c460ee71ac70b6833d0e2cb1811c30eb2bc068ea2d43f01b4afc4b392014cf2716be3d9339685bdff86860bddeb68422

Download Submit
C:\Windows\SysWOW64\Bjbcfn32.exe

Filesize
92KB

MD5
264de5e12f7cf5efcd2437adb983567e

SHA1
fc5b18bd8e38102810cbf7c9fcf76d6f8546e7fb

SHA256
23cbdaf540016792deb2b05535b796d3ee1496b8ce812faa765ba7190077b21e

SHA512
eda5cb115202854b384e2c001c32637ca3e7f0740565c739a0f5153ca6fb808d866a55799551e1bc053fada656577c3f1d015d671ed706e5e3d8488867b15e0c

Download Submit
C:\Windows\SysWOW64\Blaopqpo.exe

Filesize
92KB

MD5
3a8e6cb1cc50eab6c71f15f5bf0a1400

SHA1
33f928bee00ef4b301f67b586fbffb4d64ba6fce

SHA256
00ae8480e01c4112070427cb99bdfea31d7f44797f99e68e693f510d17c589ed

SHA512
529fd1cbcc033196ae22cf5b4c35fa1eb9538f4b4e6df40d0e869f0a18c3549c25a51b9e1fedc47bdfff50f4d5555fea1a715f99a62dcd97c2bf5b2a34a19644

Download Submit
C:\Windows\SysWOW64\Blmfea32.exe

Filesize
92KB

MD5
013aa3f1c8a00586d2e74ffc6f20923e

SHA1
a74a558963de6ba2bf1ef14ca51932ab2c1d130f

SHA256
9e67a696c0f427da4eef057bcab6f6b32cb08029a48d2c89503ca9b1b45443cb

SHA512
05fb117ada99c52f9c20e7dcd95f943fe30b7748de7738d451910ceec6203fff723827497043c1c6e779eadb72e3b6e2ae0ccfbea94bdf460333d74dd8c3c1d5

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
92KB

MD5
78badd20bae191221efa3efe99ba1525

SHA1
f5e9b3fd16ad2a758b3498c378efadce0a6b669a

SHA256
543f36b0765848ed5e53b1811f6516f491b21b513390b691c2b1004c5f177506

SHA512
d58290f21fb8fff6fb44136ac195859ec9442d7ace3a903e1fe426331591ea8c0df0be708e037fa77cc52736f0a6e99e1c982cd874c092f148f0c9ddf465b478

Download Submit
C:\Windows\SysWOW64\Bmhideol.exe

Filesize
92KB

MD5
637787a69ebc11e5da834fe508c340f6

SHA1
70ca83c3e66553e59aaf5aceb420df3844182ce7

SHA256
6b418d2578cd6dba3739846fa55a99fe79bdda44933c5ddc28e0cabc469ea5be

SHA512
adcc83860b84dbd8ffd4395e1b209e61cb8526f32db6b3653c6b70a072c9d2fb559329e5f3c9bf10691a9d7654489c1de8115c5967b83189670ab4f81f077a71

Download Submit
C:\Windows\SysWOW64\Bnielm32.exe

Filesize
92KB

MD5
9a914fb62d57453c7007d147cc282aef

SHA1
53c26228625f927334ae21060eb34bc8c607ba2b

SHA256
a215cd10b6305ff8a30b921a7ae1c9da0ec23855aca81ae3c68071ea47184fdb

SHA512
a93d592b96cc1acb40ed70b52fff10d7a309d4bca6b6c0fac432f7f4ecc521c8a3c2a653af2199815cdc5fafaa092cdf38eb619367e39b9423e76c36b510cba6

Download Submit
C:\Windows\SysWOW64\Bnkbam32.exe

Filesize
92KB

MD5
b3a00e1540ffea283e9fa4b08ed1a2b0

SHA1
e0000f6797ca4b7eb4d2949fa65b788c3187ba01

SHA256
ee7d28eeb68e68049f45d9e31631fb28a6e45e9439a4622d952c6c7378eecaf3

SHA512
2f4da7a53ae77dc204ed60c05243c22d92432a93ad398b1f0ee8f5bc39a7fa3ea669388adbeb447191816e861874f16dd9ed36444dbc987361b0c5ea4fe8cb35

Download Submit
C:\Windows\SysWOW64\Bobhal32.exe

Filesize
92KB

MD5
1e44d4fd45d5c11dbe63305c241ad6ce

SHA1
813e0536c73975e3b24813535ca5826feed116fb

SHA256
48742877bf8de5e296fe3a16717ad3af52562a73999cbb1b768f8240bd9aaeba

SHA512
3eee8607be5fceb3cdf64b5d0c749f39d06e9b302897e5b76bc3c5484c555d769db0f32ae78ebac833a589b92392b41a3875c77d7980e587663fedd67a82e131

Download Submit
C:\Windows\SysWOW64\Bonoflae.exe

Filesize
92KB

MD5
bd0e4585f305ede4e31cfa7b09fa3285

SHA1
14e9eb9819395fc16a42831a51883c1441d3c584

SHA256
f4286253673170e7b97b349f6c14d54b92376804f808074709097cbe54213593

SHA512
340d6c8480c5eeb5545814ab3c3f081ff0a062e031ae7fb347849b13bf33b48f26b79d017edf2eccec9b7c731523608fc81c84e89e3fdde90e4af6c4165af972

Download Submit
C:\Windows\SysWOW64\Boplllob.exe

Filesize
92KB

MD5
251551c55615fb8b24f30e34a28a839c

SHA1
25f627baf2f9ebf2f97c9ac71381be9a6c03cf93

SHA256
3ff84f667e27a017cb26b13dfad302f32d275e38b33a0afdde26505afb8a202d

SHA512
dd628d94ba9d9848f03659e67836d71c2b64ee046ad8205890dd905603b192c6bb0c1f9a05ab29622612cf5bd8e25f2ad2c3a206f05c12305495795939729675

Download Submit
C:\Windows\SysWOW64\Bpfeppop.exe

Filesize
92KB

MD5
926bb74276e145a8152c2ccebd26a0cf

SHA1
4b890665989c204129fb0d23799312e35f217b98

SHA256
ec4d39a07d5f3defb438b51c96f907d16f4f408e31d34f1c3c4be8e1be7ecf8e

SHA512
265d14ae43c930806a58cb8186ca70eb81a7508fc9e2be97103162fdbbb12d6f01e07db00df21f2a2011dc75cc5ddee59782555fb52108c433b7e137707b1ddc

Download Submit
C:\Windows\SysWOW64\Cbdnko32.exe

Filesize
92KB

MD5
218cef1973f11d5a211ba37bdea025a0

SHA1
0c7e220a2cfead1f332cea7593c152e4602b6830

SHA256
8c645a65fe62e73632a7d9974915a6d6843be77a5ccc7c2746cf7e18f6e21366

SHA512
68ef68a656893fd7fc4a1d6950a5bd441492f078dc629d34cd875653f9bb2fdfa1ad2b7fc43d1f41fedc600adcf03a392d259b7df1497e4ea17f398c88cc2b4b

Download Submit
C:\Windows\SysWOW64\Cbgjqo32.exe

Filesize
92KB

MD5
eab80def13dd50ff323a218070aa5a87

SHA1
c319d0925353bc6b0d17bd4c809b52417642dceb

SHA256
88ff152db80aca06bb3deaa4ed15058f9ad9968b36270789b38275eb265b8f48

SHA512
912682afc2c105f53703edf6a835648eb3234874c577b10ec3583207475a591210fa8093be972700cda937681105dfb16bceea2b5b240ec9a9f7d14f2fd176ee

Download Submit
C:\Windows\SysWOW64\Cddjebgb.exe

Filesize
92KB

MD5
b2c084c12e1a899d43c2c9bf8e13a81e

SHA1
b6c863f4e1b57973e2486c747deb3abe80262253

SHA256
f2e61aae431091acc4790793407e8bb7e3e4afc9c9548fa71262705fc3ab1e3a

SHA512
dc7d8a6cc6705b913fcc3f23f9d8e01d357faf03ff907697812596127f910e1cd3c8f50221e3ca33c75018fa5b7eabd25f82275edf0c3afbe868283df04a5d78

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
92KB

MD5
e3a1ce8124549b7ccd686d4079e6d9d3

SHA1
f5e95b4e98711933cb970f4a706137ece3b1c37b

SHA256
d526b04dd51c30bd5e9e9a1ae99879bc021207400cf495d07dfccd671f9323e9

SHA512
6b70b80702d88fcb9d9dac31762c1d5e79031a7a99776337bc61ebc37207abe2fd080c4ab3a53d34d3e302500d1dd57af7b04f721116aabd4d72786c9a251f7f

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
92KB

MD5
e88d8af5574815e4b24ca96b336c6be5

SHA1
5784c07935015f8919a262cdcdf114b568c16eb2

SHA256
79121ba01386b8480a639deee6095d375c10027238c4f619be2138f454bc88eb

SHA512
e516e1e3019c10a3a1fd02df1e2d7290e3fa43308c759f8b8c12ad4bee7e805e0de25518a5b8ccd49533e73585f44df0a6d0d5bda42aa504feaf21010a804866

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
92KB

MD5
766ec8be5c3dff09434175fd67f60e18

SHA1
d9a320da19da81dffc7238dc23506bf3307d0885

SHA256
2336729ecd546260647d619380f8a2bc412884d06816da26b595b1acd3adc2e5

SHA512
9002630ac2861a44b40521d747eb6902c5a5719728cfc629f97413d5c04ad3833d35a4650474d2cac6510de80ea7100a6fb2a39d9444cf101f0e55eaba0ddb0b

Download Submit
C:\Windows\SysWOW64\Cgpjlnhh.exe

Filesize
92KB

MD5
a1d15663fb1fb137f9a10ec3eb795bd4

SHA1
04f1ec41649d91c15edcd025700fdc8d61c29689

SHA256
f6aec57239187c66bddb223e36cb078aec745b7cc5a4efce692fbf82b7e6067b

SHA512
1ede95efa20051c668997e095e3b71c0f03852b5297060cdd6f95ee3ebde85378359693c81ad650462c217d7e4808cae2fe875d49ab862c2dfd7aefb057aa276

Download Submit
C:\Windows\SysWOW64\Cilibi32.exe

Filesize
92KB

MD5
be674b029d9272d5386711afced4209f

SHA1
1c6e0281a29dd551cbc64b07cc99de311daaca4e

SHA256
3748ff2edfb06d84f1d9fd85ede7f14b7f8b87dbfb061834a197135907285b4f

SHA512
3fc71df7f4e4054fe30b4df23a447bbe801b93e416a3bf07674f9130b11bd08b22406eba3c9e7b145435b5835a426178d21971f41e82b6bd14296e02fc07734b

Download Submit
C:\Windows\SysWOW64\Cinfhigl.exe

Filesize
92KB

MD5
146a44760e35591ca26e1ef7e65a0a00

SHA1
37490dc17803535afe88f7c87382d54dcd3c2aa6

SHA256
c4cc45c4ab4cdebee18638941871a53f4245a765a9859c30240704dc0adf72a5

SHA512
f9542bf7dd2dad106e4d7917884a9aad4f82a7245fca7537f413f56b43a409c8bcab41fd66839ddd010d1c047901d155f4b01fd8bc54dc72700bb3f527974a80

Download Submit
C:\Windows\SysWOW64\Clmbddgp.exe

Filesize
92KB

MD5
cb28a9c5e93540404846732df12fe4ab

SHA1
ddd292c8e6c222b50aadff6e802596c1dde1221f

SHA256
d0cc0751a6c07410a49bc0eed63b1bb6eb90946da7bf5265c94f14e17206587f

SHA512
cb090e1003e8cb3bc2aff97710baf11e787e5792e532051f6ed7c152dff079a12e368bfefec70e56d09f4d798962d34733aaa67d57f694c6a2fb59b88ad9fe91

Download Submit
C:\Windows\SysWOW64\Cmgechbh.exe

Filesize
92KB

MD5
c79162f9019c895c1f5cffec7af7e681

SHA1
5669758ee61d47f1de10b94f1c359a8bf4feff0f

SHA256
78d935f19a408e3b726a6dc43f509be3f2d981002cc8b41e94ce5ae6779739ee

SHA512
00b7724f81c65dd582442de0124d8b0d0eba5bf47241b84e15dcb9cb46a2add43a03b530a69065c4d7a90b7c2f21dc2b2215b31c0fbf312a2c070501263f3058

Download Submit
C:\Windows\SysWOW64\Cpfaocal.exe

Filesize
92KB

MD5
58290af75beed3377fa1338e132dd038

SHA1
80bd4b7e60de1ae4efcf26ed301e63d888848e5a

SHA256
6453930114b2b752a5a5547284e37e62b0d04a27038e59f6984a298c8e261223

SHA512
7f71b006d43d15d422794ddfc3c8bd6c081ba7460fca07b8902fc183701be012752fb304e04f1ea27389375e2fc51fec332df8a7084fc9c6e218e5292f168ed6

Download Submit
C:\Windows\SysWOW64\Oappcfmb.exe

Filesize
92KB

MD5
47995f49a912079c14299d7f0a45564e

SHA1
5679ad7685f2b2d661c6c85794e4f84816391c3a

SHA256
a65a24022da333c30711437466e54da97eec2bedc418280c6b827ce26ae8282e

SHA512
7ced018f271b4b53bb47baf0eaed708dc7c75b2f629d98d96b3f0113dd036d6810d100d1cfd211b4eb6e89c540b4a3918797fb9638b1f3c3c83864de126d0143

Download Submit
C:\Windows\SysWOW64\Odjbdb32.exe

Filesize
92KB

MD5
dfcb61ed1880799b200d6914c5190d3d

SHA1
dd8e3257097f2f9e9f08eab37704415283faf2dc

SHA256
25e2d5c84252d3ceb4938c94ba6be1e89e9195c015a3bdd16c7e95de50c344ae

SHA512
64ba604487bd0ca528f0e85dc5c889337d1651f69116d9d9d371559c9be8f573c9378ed125a40540d27227cd7dc19609f24fd962d87018425911ed035055ced5

Download Submit
C:\Windows\SysWOW64\Oqacic32.exe

Filesize
92KB

MD5
c0fa0c515b92b68713036995be1246d2

SHA1
804840a5afb7e770b2943a7d0ddb7200d1bc2bf3

SHA256
318d471a0e681d64879fc58f3015eed6bf49a0fa07cd7bec388f89814134bfba

SHA512
a5c45e3ceddc49f7b003ef92b90839c26939b4e93f6bc669182e39103919009decf5797f24707fb3f6b5dbf39db85e012520e14b799782212452148a724e350e

Download Submit
C:\Windows\SysWOW64\Pbkbgjcc.exe

Filesize
92KB

MD5
bb2a941f1054e5d6963fe468d61cede0

SHA1
825ee20cc67a64a9ae6c194762dde054ede515fc

SHA256
dd05d4a522613baecdb8198f95b103d241a7ae8fed8481785eb506d259abaa7b

SHA512
741cd2b43a3bf053bd7b70e0de03cdabbb201334f2009e100d693ffb83bc22be24a8bad12cc7879502d29d1beeb102fb21b98e0b7f8101bdb9137305f85240af

Download Submit
C:\Windows\SysWOW64\Pbnoliap.exe

Filesize
92KB

MD5
ffb7c1a9775ee708e7d8d7971b67bde4

SHA1
d913ed59383da8077445caaccd4328adeb988933

SHA256
b7b03ddbe7036ab77c0993644800b4405442699607436fe29742c922ac764117

SHA512
c616b25076e12c3261cd3257c19c179c710980647cf4dc0b5d7edb5f6765b1398fe5a32f3e8b3bdd8849695787cb6fbb406881b688ff17f809b37b9c3d56b8d7

Download Submit
C:\Windows\SysWOW64\Pckoam32.exe

Filesize
92KB

MD5
6fe082adf12f5a4fa4ff4f7b21cffaa8

SHA1
304e8d6968ab0daa57921280754bce31a5e90386

SHA256
dedd4ed630ad4a4f06131f29eee4c7e655f95b387a314293f0d92c331b3709e3

SHA512
f9bd5e63d1bf54338fdac57501b4312edce1bf7ec6f22521b8afbedde46884515a891390bcf7dc90597cd2b23b5da5b30df54db80bee23e51fc17e15961c2759

Download Submit
C:\Windows\SysWOW64\Pihgic32.exe

Filesize
92KB

MD5
1c04b126d74ab9b11dcc5a112382a923

SHA1
26948f6a1cad5435002c9f0e0ceb6d9e22151ee1

SHA256
149ce8dd60c1d44d6a4d628a90f209ebffb80da20848b9385bdadf2b05d943aa

SHA512
581b86ea342fa13792954c80164e103006ec8200c5f05b49fbf1b0df73b6e1f1d9dc30ae1c8344b333837367b795cf8b363e1e529f96facabf30c2187c16e279

Download Submit
C:\Windows\SysWOW64\Pjbjhgde.exe

Filesize
92KB

MD5
4d0d7823fdf73883204a7be1a362b505

SHA1
e9ce6a1f4c8a5622ea4ccc71e5d4dcb9b7627b9d

SHA256
3620c5fc41ccee0aa1519b303a85dc7f09b392317c7d5910b116823e8314aba7

SHA512
968131161b64cdd5b0612d50c0ff7bf7889c7fdd88d51d340a164fab91c2033fbfe9bcddb3220d795d57fb3d34313243ee6a24ebcc65f000583cf222700b1491

Download Submit
C:\Windows\SysWOW64\Pndpajgd.exe

Filesize
92KB

MD5
30a786de7e6d5c432051287ac3ea5c1e

SHA1
83f0cf868504042a4cb630e6c9c49ec531435a2a

SHA256
545f0f282433483fcee4e3609c32f5ba2df24e5741a1f6ddf0b30bb236680375

SHA512
d9990a0dc5c6780f5b455bab6cbbb3c7baa1bed61182fc5e97a7817b3c582eac3f8811a5242c9020b3e022ad054e0d409f6e5086e8f00ae82ce083debee8433e

Download Submit
C:\Windows\SysWOW64\Pqhijbog.exe

Filesize
92KB

MD5
13ad422cb41ced3baea5cfe5696f6ecd

SHA1
971a21a982ed9172b6f5ce9f53e09ad80222ae14

SHA256
f75dcfae2009b8e7a1815d9e0396147f400efaf1f01d78f970ee0e91816260b9

SHA512
463ab1d4efd6a00c9543a7c01b9a2ce1d0116f54b6cb70a26eb9ef23b7004271c56cb26267875a326fada22406300b17179dd8713714d7e65c437d4b64ded39c

Download Submit
C:\Windows\SysWOW64\Qeohnd32.exe

Filesize
92KB

MD5
ae9b2ff15a2918aabf3276c1959bcc82

SHA1
e6d854c837a93b6181b9583ebaefbbe15d889c4b

SHA256
26df5bd05c612b77ca2826cee337b40772b6deb6264487e66a23f0c7e01c1fc3

SHA512
2658c4105d79626badfe536ada3f633970222c307567e76637203f2f06bcc495d8c5d0ca81d7d4709b1ae5596b74328263fe6f22f49b101e9859ff253eca5ba4

Download Submit
C:\Windows\SysWOW64\Qgmdjp32.exe

Filesize
92KB

MD5
13e4b4c774254f8746bff1c9660b7c84

SHA1
8702eda7d54136f15dbcfe474da61fc988be00ea

SHA256
2e43e882da38bd6104a5df9bdd25bf8923fd18117eeb56d29f2baa9b2605a8b9

SHA512
3e310d923c1f7f19e110bd16ab9dec0b0aae1e5d2c99fc800437d1c22a5f9ba0a8bcbfcd385d71c07b7e9de92ee1b7b4834d8fae0bcf406bc79796bdde070314

Download Submit
C:\Windows\SysWOW64\Qgoapp32.exe

Filesize
92KB

MD5
a7ac1dc55c8a8b158db0b2a5e0419251

SHA1
49c78cf33041be9b5619f68fa0db718da4ae8a82

SHA256
cd306b452864eb9f553c4caeaab2e892c57f5d760d6d196b8fbd185c4120a017

SHA512
df03425b9230d5e72463bde0fad90f136ee95dd286f6be3ed8d2deef27a14068a6c919661132924f6530a0c86325be078d7da09142901fff248abcc2d34bee3a

Download Submit
C:\Windows\SysWOW64\Qkkmqnck.exe

Filesize
92KB

MD5
f1f4f2bfe4d3852176965468a8ccc906

SHA1
85dea84f35fde0e58258c71c972a51fc868863db

SHA256
0559386f336eebac21d5135c2737d68fe2568e0a2e59505c95ef28dea89c5f5a

SHA512
cff10a1ed046b220759e0f786a6023a2ef1d5eefcbdb44d05f0c677059ed34b370386a343eab38e2f095e36bc12d4df13aad0a47b21176ab7b29a46cc302d7bb

Download Submit
\Windows\SysWOW64\Oalfhf32.exe

Filesize
92KB

MD5
2ffd1c7fc126dc60dfac66f64eec2ddd

SHA1
284ec8724373714bb0673b4d5a26f043fe101423

SHA256
3353df076d35b3e801d897b1ee49c7f9c30e40b2c607ec22193a9f90db424801

SHA512
ccf78d3577769c6665d8dc6f2ded0decde1bfa23208ac8fd67487d3953ac62f6ae3fdaedacef7d9e630bc27aa0b137eb05d364122e0480b3603058b5c553701f

Download Submit
\Windows\SysWOW64\Odoloalf.exe

Filesize
92KB

MD5
0568951f21729fcea4c1499a1fcb897b

SHA1
6d01411cc9638991e00dbac2e2e6f5a8f000b678

SHA256
6242a16c6a98983d690bbf623dd70f92c7fea5df105f458894b49c289fdaad95

SHA512
8393f866a3b44189ba005d2555d765bd55699d5f1dae9673d869d976890890d05567834259582c121c3ab38ad41725abfba4fc7a26e3ff2078cfb1ee55879377

Download Submit
\Windows\SysWOW64\Okfgfl32.exe

Filesize
92KB

MD5
bc541d2d2aac87e36a9832daf277f375

SHA1
737e8aa7994a7edcb4be235f61ff6779fbf93fef

SHA256
81f6abc98b97c270ebf2b7b5dff811c5f35b191e5309136bb1fc6a548d0727e8

SHA512
89442aa3ba6e4ce80e21c8bb200c37ecbfcc56f1dd6f596c7194f143953d2af2f118700b5db2d954d583e2af08617e76f68ca1c8f1bb5444e04db08733e26328

Download Submit
\Windows\SysWOW64\Onbgmg32.exe

Filesize
92KB

MD5
aa747b14301cdb619292024a90d2fb28

SHA1
b3e8ba48382cac36ba7ac2a672b085cf051ecb4d

SHA256
ec457f57d323bff8ff846865d69c61295a2c98e76641f2fd507901d61dd5a6a2

SHA512
afe015ee29560de4a9adbb5c567bc0837c5e3730c6c70d5a854cdde0cb7c84370b61a761c404550303ac6cf90581c0768d110510f96936478980c2c60059d4b3

Download Submit
\Windows\SysWOW64\Pcdipnqn.exe

Filesize
92KB

MD5
5ff818a8a7f3d6e0b075d922a1c2a45d

SHA1
00acebe5ccead20381cbd1934673b633f207960d

SHA256
2ff18033216c41cb90dde18773a33556e76bb02ede3b74031d6d19c738a15dcf

SHA512
648344bf622ec817c4ca0c6656f497b087a736de0106fe0de0265de9e5cda6d863a2f8f07b303f37401f1e4fef6e0f9e86a4364e9acb65818c66f95db1b28d86

Download Submit
\Windows\SysWOW64\Pjnamh32.exe

Filesize
92KB

MD5
dae494d618620c45167800bcc98e8a52

SHA1
3b2d82e9848a4822f7b4bb04bd6e12e010831782

SHA256
94949e737d480e8e1b04353f372604b913db4b5f6659e9216ca8c4fb76394262

SHA512
ffe7170231ac19d65f779ac79cda6d7626b3540f227d945efae823868fd0c1dcb3a7cabc22dc4fe62eb8de8f1110327bf23198dc06254014438b4052db83f2e4

Download Submit
\Windows\SysWOW64\Pjpnbg32.exe

Filesize
92KB

MD5
e3ee3426425b2042766287671b8b4b0d

SHA1
bad5bf0c55ee106e474b31b9d883c1f8dd03b5ba

SHA256
e7bbba8bd0224bb7a4da1de88386fee30e2ab42bcd049e307017283b369a48df

SHA512
f113e442138caa4a6bada3ced8dd088dd0db4de8270e6dd6f12dfe02109551f29ee6332c98e352230b78f7e16a110b167686559a97844f44b7e45cd86f2f72c1

Download Submit
\Windows\SysWOW64\Pkidlk32.exe

Filesize
92KB

MD5
f7109ff7083cdc601dd793f6db368955

SHA1
e642ebdcb4db455491788a409109c9fadded3fad

SHA256
aafeaf9f85ef955a5202fbfc79b5ede16fd4b73ca5b47c32a0a6ec6a670dddb7

SHA512
3ed424bbf7f4c34627953a3c7904681cd2b47f9f940137f3136f3b18802b047ed4baff0ce375e6292d1b4063e31fdbfd263d5d167b6a3fe6c644861a2387af95

Download Submit
\Windows\SysWOW64\Pmjqcc32.exe

Filesize
92KB

MD5
622ee99f77c42d62b175134af37c9e74

SHA1
56bc576d7af3f62591d25f17098abe9e69f80a90

SHA256
7fce0fa0c92c0ff25d56d4ac70cad6cd20ec09f10dc4111b7a46da0038638fd5

SHA512
427ed4928bd32a86a2e3456887906713b8c636d8566e34ff91bdb0a887fb2e19a60a708f12019479059698bf9d86aca30e4a45c858975edcb79db8973098cf40

Download Submit
\Windows\SysWOW64\Pmojocel.exe

Filesize
92KB

MD5
220f99fcaf570cd44d9817495823e9a9

SHA1
6886e4cf60ea6255453268d9a8be13607b5f43f3

SHA256
a67edaae1eff4555de51ef14a00ae2a0286a9dc1763075c56f183edfe5e1bc94

SHA512
c02ac900192bef5f1dea011668ea22028af9e2b6669dc4ab3f89f0f17215d9f7d27ff574517b8c9f23f74dc5db10fc6d04e2bec1c0842eeff68618eee9b1f4c5

Download Submit
memory/316-409-0x00000000005E0000-0x0000000000621000-memory.dmp

Filesize
260KB

Download
memory/316-403-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/316-441-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/320-350-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/320-383-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/768-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/768-109-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/884-297-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/884-291-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/884-326-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1048-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1256-184-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1256-138-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1256-131-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1312-215-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1312-218-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1312-155-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1312-169-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1312-214-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1492-360-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1492-369-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/1492-402-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1588-222-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1588-266-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1632-285-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1632-249-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1632-251-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/1744-286-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/1744-317-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1744-287-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/1856-442-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1856-449-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/1928-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1928-230-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1928-232-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/1928-179-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/1948-244-0x00000000005E0000-0x0000000000621000-memory.dmp

Filesize
260KB

Download
memory/1948-199-0x00000000005E0000-0x0000000000621000-memory.dmp

Filesize
260KB

Download
memory/1948-191-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2036-302-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2036-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2120-201-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2120-213-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2120-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2232-198-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2232-147-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2244-53-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2244-107-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2244-60-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2272-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2272-377-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2276-301-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2276-271-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2276-265-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2300-51-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2300-11-0x00000000005E0000-0x0000000000621000-memory.dmp

Filesize
260KB

Download
memory/2300-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2384-243-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/2384-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2384-276-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2460-428-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2460-393-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2480-429-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/2480-459-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2500-264-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2500-300-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2500-299-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2500-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2576-460-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2596-389-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2596-417-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2632-381-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2632-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2648-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2668-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2668-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2712-419-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/2712-448-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2712-453-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/2752-78-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2752-26-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2752-33-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2804-328-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2804-359-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2840-315-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2840-321-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2908-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2920-94-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2920-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2920-146-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2920-93-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2920-137-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3040-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3040-178-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/3040-110-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3040-118-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads