berbew | 79febf567050b11bef4aeaf6625b5cefcc1556a23ba2c7c423e910fac3332b70

Analysis

max time kernel
137s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-10-2024 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79febf567050b11bef4aeaf6625b5cefcc1556a23ba2c7c423e910fac3332b70.exe
Size

163KB
MD5

ec4b1f9eac2a256fb532565cc85f19f4
SHA1

334616355c7887d9f8ec22b239257390ae6cc56a
SHA256

79febf567050b11bef4aeaf6625b5cefcc1556a23ba2c7c423e910fac3332b70
SHA512

c3953054d2233e94d844a33158934cb834f8df24ed6c2102a3973ecef933b250e131c87c4b3978090ef5dfa9241f8e35e7054d12a512da4b2c7745899ea67972
SSDEEP

1536:PWubh3aMCZzRYoCo4f6SvLEmwm/CY+slProNVU4qNVUrk/9QbfBr+7GwKrPAsqNy:+AhjCZzRYoOLEm85sltOrWKDBr+yJb

Score

10^/10

berbew bruteratel gozi backdoor banker discovery isfb persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Bnkgeg32.exeBanllbdn.exeDanecp32.exeDddhpjof.exePcppfaka.exeQjoankoi.exeAadifclh.exeCaebma32.exeCdfkolkf.exeDogogcpo.exeAjfhnjhq.exeAmgapeea.exeBnmcjg32.exeBjmnoi32.exeDfiafg32.exeBganhm32.exeBfhhoi32.exeCmlcbbcj.exeDgbdlf32.exe79febf567050b11bef4aeaf6625b5cefcc1556a23ba2c7c423e910fac3332b70.exeAgeolo32.exeQceiaa32.exeQqijje32.exeCenahpha.exeCnkplejl.exeDopigd32.exePqdqof32.exeBffkij32.exeCfpnph32.exeCnffqf32.exeCajlhqjp.exePjjhbl32.exeAnogiicl.exeAeklkchg.exeCndikf32.exeDmefhako.exeAeiofcji.exeBeeoaapl.exeBmngqdpj.exeCegdnopg.exeDkifae32.exeCdhhdlid.exeAdgbpc32.exeCagobalc.exeCffdpghg.exeDaconoae.exePdpmpdbd.exeAjkaii32.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	79febf567050b11bef4aeaf6625b5cefcc1556a23ba2c7c423e910fac3332b70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel

Detect BruteRatel badger 1 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023cb6-420.dat	family_bruteratel

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Executes dropped EXE 64 IoCs

Processes:

Pcppfaka.exePjjhbl32.exePqdqof32.exePdpmpdbd.exeQnhahj32.exeQceiaa32.exeQjoankoi.exeQqijje32.exeQffbbldm.exeAnmjcieo.exeAdgbpc32.exeAgeolo32.exeAnogiicl.exeAeiofcji.exeAjfhnjhq.exeAeklkchg.exeAgjhgngj.exeAmgapeea.exeAcqimo32.exeAjkaii32.exeAadifclh.exeAccfbokl.exeBjmnoi32.exeBagflcje.exeBganhm32.exeBnkgeg32.exeBmngqdpj.exeBeeoaapl.exeBffkij32.exeBnmcjg32.exeBeglgani.exeBfhhoi32.exeBanllbdn.exeBclhhnca.exeBmemac32.exeChjaol32.exeCndikf32.exeCenahpha.exeCfpnph32.exeCnffqf32.exeCmiflbel.exeCaebma32.exeChokikeb.exeCmlcbbcj.exeCagobalc.exeCdfkolkf.exeCfdhkhjj.exeCnkplejl.exeCajlhqjp.exeCdhhdlid.exeCffdpghg.exeCmqmma32.exeCegdnopg.exeDfiafg32.exeDopigd32.exeDanecp32.exeDhhnpjmh.exeDmefhako.exeDdonekbl.exeDkifae32.exeDaconoae.exeDdakjkqi.exeDhmgki32.exeDogogcpo.exe

pid	Process
3536	Pcppfaka.exe
1504	Pjjhbl32.exe
4616	Pqdqof32.exe
4216	Pdpmpdbd.exe
828	Qnhahj32.exe
4428	Qceiaa32.exe
816	Qjoankoi.exe
3488	Qqijje32.exe
5036	Qffbbldm.exe
1684	Anmjcieo.exe
452	Adgbpc32.exe
1976	Ageolo32.exe
3272	Anogiicl.exe
1364	Aeiofcji.exe
4724	Ajfhnjhq.exe
2388	Aeklkchg.exe
1560	Agjhgngj.exe
4548	Amgapeea.exe
3480	Acqimo32.exe
4088	Ajkaii32.exe
5016	Aadifclh.exe
1608	Accfbokl.exe
4620	Bjmnoi32.exe
4660	Bagflcje.exe
3728	Bganhm32.exe
1856	Bnkgeg32.exe
2356	Bmngqdpj.exe
3520	Beeoaapl.exe
4540	Bffkij32.exe
3568	Bnmcjg32.exe
4256	Beglgani.exe
2084	Bfhhoi32.exe
4252	Banllbdn.exe
2852	Bclhhnca.exe
212	Bmemac32.exe
3332	Chjaol32.exe
404	Cndikf32.exe
920	Cenahpha.exe
4976	Cfpnph32.exe
4676	Cnffqf32.exe
1640	Cmiflbel.exe
2328	Caebma32.exe
8	Chokikeb.exe
4012	Cmlcbbcj.exe
1664	Cagobalc.exe
820	Cdfkolkf.exe
2132	Cfdhkhjj.exe
4436	Cnkplejl.exe
4300	Cajlhqjp.exe
440	Cdhhdlid.exe
1824	Cffdpghg.exe
1904	Cmqmma32.exe
3824	Cegdnopg.exe
2240	Dfiafg32.exe
4752	Dopigd32.exe
4716	Danecp32.exe
1940	Dhhnpjmh.exe
3716	Dmefhako.exe
532	Ddonekbl.exe
4432	Dkifae32.exe
4584	Daconoae.exe
4224	Ddakjkqi.exe
808	Dhmgki32.exe
4588	Dogogcpo.exe

Drops file in System32 directory 64 IoCs

Processes:

Amgapeea.exeAjkaii32.exeBnkgeg32.exeCmqmma32.exeDeagdn32.exeAnmjcieo.exeAgeolo32.exeAnogiicl.exeBagflcje.exeBffkij32.exeChjaol32.exeCaebma32.exeQqijje32.exeChokikeb.exeCffdpghg.exeQjoankoi.exeAeklkchg.exeAgjhgngj.exeBfhhoi32.exePjjhbl32.exeAeiofcji.exeBanllbdn.exeCagobalc.exeCnkplejl.exeQnhahj32.exeAccfbokl.exeCnffqf32.exeDmefhako.exeDdakjkqi.exeDddhpjof.exePqdqof32.exePdpmpdbd.exeBjmnoi32.exeBganhm32.exeCndikf32.exeCegdnopg.exeDhmgki32.exe79febf567050b11bef4aeaf6625b5cefcc1556a23ba2c7c423e910fac3332b70.exeCdhhdlid.exeCajlhqjp.exeDfiafg32.exeDkifae32.exeQceiaa32.exeAcqimo32.exeDhhnpjmh.exeAjfhnjhq.exeAdgbpc32.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\Acqimo32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Ifoihl32.dll	79febf567050b11bef4aeaf6625b5cefcc1556a23ba2c7c423e910fac3332b70.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	79febf567050b11bef4aeaf6625b5cefcc1556a23ba2c7c423e910fac3332b70.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Acqimo32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Adgbpc32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
552	3696	WerFault.exe	155

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Cmqmma32.exeDgbdlf32.exePcppfaka.exeAgjhgngj.exeAmgapeea.exeBganhm32.exeAeklkchg.exeBnmcjg32.exeDfiafg32.exeDopigd32.exe79febf567050b11bef4aeaf6625b5cefcc1556a23ba2c7c423e910fac3332b70.exeAadifclh.exeCmiflbel.exeCmlcbbcj.exeBanllbdn.exeCagobalc.exeCffdpghg.exeDddhpjof.exeDaconoae.exeDmefhako.exeDhmgki32.exeQqijje32.exeBagflcje.exeCenahpha.exeCfpnph32.exeAjkaii32.exeBnkgeg32.exeBeglgani.exeDkifae32.exePjjhbl32.exeAcqimo32.exeCnkplejl.exeDmjocp32.exeDanecp32.exeDmllipeg.exeQceiaa32.exeBjmnoi32.exeCaebma32.exeCajlhqjp.exeCndikf32.exeChokikeb.exeCfdhkhjj.exeDhhnpjmh.exeCnffqf32.exeCdhhdlid.exePdpmpdbd.exeAdgbpc32.exeBffkij32.exeBmemac32.exeDdakjkqi.exeDogogcpo.exeBeeoaapl.exeCdfkolkf.exeQjoankoi.exeAeiofcji.exeAjfhnjhq.exeAccfbokl.exeBfhhoi32.exeDdonekbl.exePqdqof32.exeQffbbldm.exeAgeolo32.exeAnogiicl.exeDeagdn32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79febf567050b11bef4aeaf6625b5cefcc1556a23ba2c7c423e910fac3332b70.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe

Modifies registry class 64 IoCs

Processes:

Pcppfaka.exeAeklkchg.exeBeeoaapl.exeBffkij32.exeBnkgeg32.exeDfiafg32.exeDhhnpjmh.exeDmjocp32.exeDgbdlf32.exeQqijje32.exeDhmgki32.exeQnhahj32.exeCnffqf32.exeCnkplejl.exeAgeolo32.exeCajlhqjp.exe79febf567050b11bef4aeaf6625b5cefcc1556a23ba2c7c423e910fac3332b70.exeQffbbldm.exeBganhm32.exeBeglgani.exeAjfhnjhq.exeDogogcpo.exeBagflcje.exeCfpnph32.exeDeagdn32.exePqdqof32.exeAccfbokl.exeDdakjkqi.exeAmgapeea.exeCegdnopg.exeDopigd32.exeDanecp32.exeDaconoae.exeAnmjcieo.exeCmlcbbcj.exeCdfkolkf.exeCfdhkhjj.exeBanllbdn.exeBclhhnca.exeBjmnoi32.exeDdonekbl.exeAcqimo32.exeQjoankoi.exeBmemac32.exeCndikf32.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	79febf567050b11bef4aeaf6625b5cefcc1556a23ba2c7c423e910fac3332b70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

79febf567050b11bef4aeaf6625b5cefcc1556a23ba2c7c423e910fac3332b70.exePcppfaka.exePjjhbl32.exePqdqof32.exePdpmpdbd.exeQnhahj32.exeQceiaa32.exeQjoankoi.exeQqijje32.exeQffbbldm.exeAnmjcieo.exeAdgbpc32.exeAgeolo32.exeAnogiicl.exeAeiofcji.exeAjfhnjhq.exeAeklkchg.exeAgjhgngj.exeAmgapeea.exeAcqimo32.exeAjkaii32.exeAadifclh.exe

description	pid	Process	procid_target
PID 4212 wrote to memory of 3536	4212	79febf567050b11bef4aeaf6625b5cefcc1556a23ba2c7c423e910fac3332b70.exe	84
PID 4212 wrote to memory of 3536	4212	79febf567050b11bef4aeaf6625b5cefcc1556a23ba2c7c423e910fac3332b70.exe	84
PID 4212 wrote to memory of 3536	4212	79febf567050b11bef4aeaf6625b5cefcc1556a23ba2c7c423e910fac3332b70.exe	84
PID 3536 wrote to memory of 1504	3536	Pcppfaka.exe	85
PID 3536 wrote to memory of 1504	3536	Pcppfaka.exe	85
PID 3536 wrote to memory of 1504	3536	Pcppfaka.exe	85
PID 1504 wrote to memory of 4616	1504	Pjjhbl32.exe	86
PID 1504 wrote to memory of 4616	1504	Pjjhbl32.exe	86
PID 1504 wrote to memory of 4616	1504	Pjjhbl32.exe	86
PID 4616 wrote to memory of 4216	4616	Pqdqof32.exe	87
PID 4616 wrote to memory of 4216	4616	Pqdqof32.exe	87
PID 4616 wrote to memory of 4216	4616	Pqdqof32.exe	87
PID 4216 wrote to memory of 828	4216	Pdpmpdbd.exe	88
PID 4216 wrote to memory of 828	4216	Pdpmpdbd.exe	88
PID 4216 wrote to memory of 828	4216	Pdpmpdbd.exe	88
PID 828 wrote to memory of 4428	828	Qnhahj32.exe	89
PID 828 wrote to memory of 4428	828	Qnhahj32.exe	89
PID 828 wrote to memory of 4428	828	Qnhahj32.exe	89
PID 4428 wrote to memory of 816	4428	Qceiaa32.exe	90
PID 4428 wrote to memory of 816	4428	Qceiaa32.exe	90
PID 4428 wrote to memory of 816	4428	Qceiaa32.exe	90
PID 816 wrote to memory of 3488	816	Qjoankoi.exe	91
PID 816 wrote to memory of 3488	816	Qjoankoi.exe	91
PID 816 wrote to memory of 3488	816	Qjoankoi.exe	91
PID 3488 wrote to memory of 5036	3488	Qqijje32.exe	92
PID 3488 wrote to memory of 5036	3488	Qqijje32.exe	92
PID 3488 wrote to memory of 5036	3488	Qqijje32.exe	92
PID 5036 wrote to memory of 1684	5036	Qffbbldm.exe	93
PID 5036 wrote to memory of 1684	5036	Qffbbldm.exe	93
PID 5036 wrote to memory of 1684	5036	Qffbbldm.exe	93
PID 1684 wrote to memory of 452	1684	Anmjcieo.exe	95
PID 1684 wrote to memory of 452	1684	Anmjcieo.exe	95
PID 1684 wrote to memory of 452	1684	Anmjcieo.exe	95
PID 452 wrote to memory of 1976	452	Adgbpc32.exe	96
PID 452 wrote to memory of 1976	452	Adgbpc32.exe	96
PID 452 wrote to memory of 1976	452	Adgbpc32.exe	96
PID 1976 wrote to memory of 3272	1976	Ageolo32.exe	97
PID 1976 wrote to memory of 3272	1976	Ageolo32.exe	97
PID 1976 wrote to memory of 3272	1976	Ageolo32.exe	97
PID 3272 wrote to memory of 1364	3272	Anogiicl.exe	98
PID 3272 wrote to memory of 1364	3272	Anogiicl.exe	98
PID 3272 wrote to memory of 1364	3272	Anogiicl.exe	98
PID 1364 wrote to memory of 4724	1364	Aeiofcji.exe	99
PID 1364 wrote to memory of 4724	1364	Aeiofcji.exe	99
PID 1364 wrote to memory of 4724	1364	Aeiofcji.exe	99
PID 4724 wrote to memory of 2388	4724	Ajfhnjhq.exe	101
PID 4724 wrote to memory of 2388	4724	Ajfhnjhq.exe	101
PID 4724 wrote to memory of 2388	4724	Ajfhnjhq.exe	101
PID 2388 wrote to memory of 1560	2388	Aeklkchg.exe	102
PID 2388 wrote to memory of 1560	2388	Aeklkchg.exe	102
PID 2388 wrote to memory of 1560	2388	Aeklkchg.exe	102
PID 1560 wrote to memory of 4548	1560	Agjhgngj.exe	104
PID 1560 wrote to memory of 4548	1560	Agjhgngj.exe	104
PID 1560 wrote to memory of 4548	1560	Agjhgngj.exe	104
PID 4548 wrote to memory of 3480	4548	Amgapeea.exe	105
PID 4548 wrote to memory of 3480	4548	Amgapeea.exe	105
PID 4548 wrote to memory of 3480	4548	Amgapeea.exe	105
PID 3480 wrote to memory of 4088	3480	Acqimo32.exe	106
PID 3480 wrote to memory of 4088	3480	Acqimo32.exe	106
PID 3480 wrote to memory of 4088	3480	Acqimo32.exe	106
PID 4088 wrote to memory of 5016	4088	Ajkaii32.exe	107
PID 4088 wrote to memory of 5016	4088	Ajkaii32.exe	107
PID 4088 wrote to memory of 5016	4088	Ajkaii32.exe	107
PID 5016 wrote to memory of 1608	5016	Aadifclh.exe	108

C:\Users\Admin\AppData\Local\Temp\79febf567050b11bef4aeaf6625b5cefcc1556a23ba2c7c423e910fac3332b70.exe
"C:\Users\Admin\AppData\Local\Temp\79febf567050b11bef4aeaf6625b5cefcc1556a23ba2c7c423e910fac3332b70.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4212
- C:\Windows\SysWOW64\Pcppfaka.exe
  C:\Windows\system32\Pcppfaka.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3536
- - C:\Windows\SysWOW64\Pjjhbl32.exe
    C:\Windows\system32\Pjjhbl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Windows\SysWOW64\Pqdqof32.exe
      C:\Windows\system32\Pqdqof32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4616
    - - C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4216
      - C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2356
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3332
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:820
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1824
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3824
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3716
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4432
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 396
        71⤵
        Program crash
        
        PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3696 -ip 3696
1⤵
PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
163KB

MD5
4ad29fb232e5dd949d4c4b40745a7ec8

SHA1
7e1e0bcaf134a7882e0664d94150f9200f39d886

SHA256
e20c805a608b203681bb7e6cab0e16197e3fbf081ba8b53d010b7affaa504d19

SHA512
01fac9d41e62a4482047986ad2497e0f2d1e6548fcb9407f08dee52a61b6b2dfa2bda17aba4e99ee96fc3b769940f4ec6e0107d337cc04d53a12e84bed456bf7

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
163KB

MD5
9ababf10931a959fb099d5a041fbf4fa

SHA1
d35465e79c22088d1aa34bbdbf512f04b94add27

SHA256
9a444571712fb1ea8fde54575399448f67b8ac184fd6bb2cfe6574cfbe75f7d1

SHA512
4e20af67a0993e214639460c1351075e6c0ec39736d3423a77412f99a8b79f98d1593c677bac9e9a1e3e71f45e85a377c1253b402d0c041cc0aae93f00c7da30

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
163KB

MD5
ca2a781d250fa60676a2559ab44065fd

SHA1
b53ddef4d623b2bf3aecd2451479ad3e6c3f27a5

SHA256
343d718d607963055f0054d031d7435ce03c7f035f4240bed5d17cb8331090f2

SHA512
8d219ac6484075bef2e61ff33bdeb7710f62c0d983f90a02fafca2b7be7dda67ce184fc601b4cf31bbae49f0db131a02b5da51accb1ff3a61d8a5fba1984f58c

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
163KB

MD5
56b2266d83d569530c00c82e94e8f121

SHA1
c9dab2bd6ca475f3c9816e1e38b71748f883c994

SHA256
7abe796f5f6d1bfab835b6e63c4c14ae07dd6e6b01df498e1c7352ad1d259e8a

SHA512
ec89ebae5b7b69f910a226cbf803dd0a81b7db9b0f717d90cd7117d53743256d16698e20130997da10b94132612f21aa4d3d993cbe38204bd7bacf6755b961a2

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
163KB

MD5
cd13ef7b5228db5c865ad51f82b1e2b4

SHA1
1492f595f24bb56e5f5a8f497ded25c58095486b

SHA256
8be31e846c99e69c66aa5b328b7d18efaca3778518a51c5fc9e1c74faadc00ec

SHA512
7d7b33fd50e3128ba081d3779fa8f70fe6057aacea548b9f8ffce87f432124e4a39808f07a1a0e37739634651ae103542157c4fd1ecba255f74cc3647d785f6f

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
163KB

MD5
b70dbb34da1b41d1abb1f2a2d852dfd1

SHA1
e7f9fa01f8aaaeb75954d949e67d73735ba11143

SHA256
aae78f2fb4937ecb812092bcc74f5055c6649a93986fe6c80ad0bcc91570b86b

SHA512
c4bd62ab052a574da47bc2feec0891bb0f4cb59d5c9a623e7a5cbaf86894a5de4a3fb672cb799b6135d0a4d2f51fc4ec4e6b19bb35ba44efda24a166e7d50648

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
163KB

MD5
323105d032b993e7fb773af60cb33e35

SHA1
881a0d003f24f58b7ec69756d9feedc0318548a0

SHA256
39f2d220f3c2619eddfe4147c47fa0f614ad54b5c55374bd82a6a6d8de18e4bb

SHA512
cf6b742155c808acad355ad8dd0037c584a625f9e7180c78547e54913f14874c746db980a829cfcc5c753be4478ca6f21c217bfa0152459e0254f9b584f8e1fe

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
163KB

MD5
8cc6f6e3fd5b6aea6e4e675cf41eaf3a

SHA1
7ea3a18534dd1f46b6e399fe51596e03e9cf06a0

SHA256
56f888ac69b7105b5cd33130210a8a77b155cd6b00aa9d987fd60900fe0876bf

SHA512
70c29a1c233d8781d5d5d644618709982fba5a9dc3189d5a1d1175a849c0f7a3fc7c2cd879ece30323cf7ec77d70fdffe2d640b750bc6f4757a46a78cfa87f21

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
163KB

MD5
d80387ca9f3b69edb6badd07ec1ac90e

SHA1
fdc2e2722c2786c7e3b610f3d1de0c8a25676973

SHA256
d6f9ceb56c0c50f424feb82a75c8ae2ba67d223638e7f21df66d2f179e12b777

SHA512
83327d90261c48789556d272783754d011608aa68b8943afbbbbfd21924725eb4a24011d02946fac1b84c47c90044590263d201eefeac1a3f1c689c542ef2dc4

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
163KB

MD5
5d9eabb42afccbbbe1c1010e7557fccc

SHA1
7714569ffa00cb4dfc45bb705b914c3721cf4cb0

SHA256
b07dc687a6315ae7c51a4dae1786ea9e73081db3480a48599434a1f5b8fc69f3

SHA512
7209b1d98bb2ce29784ae1aa985df01e2921eb7da2b838a7adfcd08b0f6b9ca087d4879b51608597c0049dc6c3fb849509681b92ae18fbfefe2042ff6034cc24

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
163KB

MD5
6b0bb9fc6400c1418d1f9a5d852b874a

SHA1
9a0ce2e3df27b05b2ba2cf22b7d7b0d8006a6bce

SHA256
3f5d88851948e6042cde82da55c004a3e1977991a6c04c44c9345a9173972e9f

SHA512
59dd81bc454cb41dca2e1f91835ebb19f5cf3bd70e14f63184c22bba266e1819b4ec65e1096f96e47478f9374fa721514f275025c2e471e7b4de3f0cb03c54da

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
163KB

MD5
ce0c1a0ea6b3c1d619c11ac8486990c2

SHA1
b15f3ca0bf52212c1d31aacc738bcc07c1106fca

SHA256
535e02d611129991c2cbebe698a22f8c68fd84fbd400dbede3c4a97989020b03

SHA512
3a64fd9f352dac87175e34a386c68a61e1cdfe916d229107e6fda59dd1305b59d1ba7a09b5f4ab85d58a59aaa2f3aa1c96eb5629c811e4799cf6ac75829dad06

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
163KB

MD5
cf1e3c1417f949022c29a76ea5edbaa5

SHA1
3868e1f6dbe82046280d286750610a3cad0cc003

SHA256
094c700f18cdb1ccd41ce89ffd81e4a76c58a5a8a9261cd160a368d61efacff5

SHA512
e833e35f580dcf23817225329a065cb5a135f3302fc708af5702dc20bf7311f2bcfba475fd41ae868cdff316a7ad627a3a939bbb1d5568b37aa41e907ad1315c

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
163KB

MD5
f5a3f491e81941410d1ea01155b4da45

SHA1
5f9c5d076e8fa221c2accea38520617299e082c8

SHA256
761a327da72e172e5518b4b74a5b630d27185bb357c6314a621bff5428befda2

SHA512
0568b4fd9eb44e2929a3f557e069f2549d11669b404f5c327ec3eded1e7bc784cdfc62478fe002abc761765750060399bed3d3a4245cf2ba86987bb50611f316

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
163KB

MD5
d7c47b951ec0ec379da356e93950d644

SHA1
07f265c3b502ce017f7af34dc4e83182e7c99f4c

SHA256
c90753d0cef018ce06a5e997d846b6b012920de094f9eb1ea2add16df939ead7

SHA512
96e5df15f09562ef43b6f9cd404b9d7a1bdfb4af8ea28576bf0892a1b742ed53d42c55694b492b9bdf8ffc8d1aaf42e306c6332e6bf9a9752be30bda04d26704

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
163KB

MD5
999e0abfc5a4cf6c35c30c5b14d80b30

SHA1
baea66f20f2c36ad789606a40a2b4af05fe1000c

SHA256
8787ac64db59a9f399a27e221a6c90969c0b5381bf7ed8c83a7ca31f3400d05e

SHA512
66af05f40bdb445a3b8182861be2ff35ac4ff3d2272136c28198120ea99f3fc880a3cf70f038c21020f3cd4e21b31d2da7ea88921a794c8ba13583325de5cbb7

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
163KB

MD5
f4d2cadfac34156c79aa58026aa15b35

SHA1
df2732cfa35a59781bbc448221f384ccd26da721

SHA256
a8adcced61aa4b04620cdb1e29b45c516721d442523f3e7dd12e28c0f9aab965

SHA512
d7925dc762b9b7a29c458129345fec62a80b8725ebec6507ed4fad56555bdaab0f6d338121fa1df7b46b67bfe2710223f842c0c1ac427ace8a973aae4f265f5f

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
163KB

MD5
8ad3fd8fb3e542705c658f5cd5de6f0a

SHA1
9a123b27e909ae5055fa6446d22e307c6c405636

SHA256
1e18bdd2a0ca4ddfaa88565a18302932fe1940689ce345621dd808145788a8f9

SHA512
6147f9b763a5f07415cdeb4faf8e208403718654a866a22f8ebf06c1c5f4e0f7bf58db5d174137fc3b043dde183d49144236b6e8e5ab17dfd1031e6fe7333f18

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
163KB

MD5
6df4041887b3d43484fddb86cd8642fe

SHA1
22a26b7f71c15f4304b371208db51c969f936804

SHA256
d336c6c2e2c752d3073b69b74422a93a2342b2153f3ba4c7f9f43846251156a2

SHA512
c91a3a1100de5e314f6aefa5a089bd176e23e293f91be074265200634c3c31b3082338025bed334989abfbb9322700d33704cf9b99f8569dd5237c1259d7c412

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
163KB

MD5
4ddb9c26a530f67ae6ab4b96aaf6ab58

SHA1
248fbeb1327a44eadb1324dda9a86a14d00980c8

SHA256
9346693d3bd0d0d6db8a280cb757d0338078988c0df0afc3f46bcb333df76c67

SHA512
8601fdb36d78c4e02e67e19492b3db9c09653a0140d21a62966caf75b79c8e03bd0d264cf6fb8887c21f7a2b072e5f5812e0ec4f6ccae04c302f83c4f2a4ec91

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
163KB

MD5
45c3459009a90376fa0b97a1cf7c2ecf

SHA1
50a5db32c49d39aa01161eb33889f7e2eec27085

SHA256
f5ec532fc8c884f730d3549ef79b83890d469fd4cbef2ea02d1a2fd2e4ee0718

SHA512
f3922c17abd9087cbff910ad8d27c5d9b02459109ff6b1577491fd0d12416051c48baf96a518e750795d54a0705c4dfd286f65ed99f5c44d5cfd7cf716feeacb

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
163KB

MD5
8edd6e1c1eccf011183abc32be647211

SHA1
ba487062bf7a3a49fee2cea3710f3f22785963fd

SHA256
90a2aa061c0067e65f64657c2b0a8196f19e95b0bdcbe2b8a797eee2a9f41e50

SHA512
59f2bcbd17088084e5be13bfa7b9c0bb517208a6640f6921f089487787d77eab24185e744205e8db4ca012df6d475241f5bcb08728fb751ee83cd1aa26868b0d

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
163KB

MD5
0b305c8ef9f61a78116a3c40aa5e6029

SHA1
0c4aa6195dfdfa467df29f77d8fa69c740feb61e

SHA256
8c4493a732ec47d73a65327e00d1b2110385f5d9b9b404a1a072f48908d96299

SHA512
243c353507bb00922d93cd6dc12b8a2adec6f42e09250ebbbf6fa6053528956d3b41f5e09d5bd9f4e174197bda1b43b926290a3e56d5fb462fd42aa725c34a6c

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
163KB

MD5
3895ec3059b4b12ec8bbf9d786ca3967

SHA1
b26ab6d5bf8a70c02dfb5df9a8799ec5f526c9d3

SHA256
ca8782d521caf47bd4fc5e33a71340930c50eb3c58500907a084f599e31a2f9c

SHA512
f736714d8c2025ec2dceab3e02c13a8f1d6a6ecca83b83fe6db5bea9b756e37ba5927f695ff890522511871e945977b9a0e443c60bc875b2c1985f3fed56687d

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
163KB

MD5
bf4be2e2c9a92b06536d4f473feaf102

SHA1
5ee0fe008d86110634806abe3ff270237d34e3b4

SHA256
0b7244918702810d1c47a9d044a9d45bfad5b161a2f533324c4d4d015ec26a78

SHA512
b4d6b085c8a90a695be0154bbe87c0778e24d2730c58c3a7901d8464b26a2a0b0d4eb05b3f3a8dc39cd79450f527945c128ea44622681dd9664cfb907baf68ea

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
163KB

MD5
9beaa8a146d78a09fdbef9e48319bf5e

SHA1
4ce17623990944e2903e25abbbc858575b70621d

SHA256
a90e2c99f4d0e0deff3bcb07b29a2f9ad3fb0cc2a0e0718590d702c3976e3ea4

SHA512
51c4fb63cddd36ccd0cb4ba8fd05b2557f8608fedd5706648a76c5196054b7cd20c04d1af1ef4b83ad729e8866979cc027fc473abdda36e68ce4c413d2635198

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
163KB

MD5
866666a6aaaa0fada7d28208cbc6c451

SHA1
4c02f2fb78976a34e06af797049b04715f8a54bc

SHA256
6383dcb6e41aefea0d724941d8cee6c9f5b6e8d406bca38cf93daf2dc4da7627

SHA512
4a79f18e8e23d576e2bfeaed99c9a37659ec49c346e610ec2903a2a9eb575478495b354e09bae4d43830db27bf312e2f76a01fa95615c099a68f246baf923d74

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
163KB

MD5
40eef73f1e80a3f351e7fc06d0a2dc6c

SHA1
5274c08dbfebb8e3f65a75e7a1ed49e78385ba9e

SHA256
583f0279787b8b84f00cafcfcdae00b7f5d2e64f69d4ede599b95c83f8264ba4

SHA512
86d3a86508c0313890a48637e0d4dc2c5664126fa0c1b2f4b8942f4fd76ab33883dcb5affd0d391237d0e1ca00783180adfaf3c424a070895c3883f6cc19c624

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
163KB

MD5
d63b774bf4d53a5e9fb36e1ac4d6ab71

SHA1
78ffd913f24c1a2471422134c2150464422cc6e8

SHA256
b8c7a67aa523a95eabd2712a2fe29ad793b17142129baae6cd8776fc0ab88b6b

SHA512
6b6a0eec70fad41ee85c0e8ac83ad44f501f4186f22b89d6a81f3c7b2b4109b7179eeae9967a2e5c674a16133891e9959dcba050215576f994b0499c875a34fd

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
163KB

MD5
899f7bffb8d6adc9e5b8e6625a7a0e3d

SHA1
730eccb65f1f7934d1b962eb19d2448a094da89f

SHA256
3f8c4ea749d2f4111cfc4de71546f3ba0828c3b0a65dfa478657e8f3d2a7fb47

SHA512
6e817a316607947ca3456f6abdc4598c86b2b6fc5e1f70fb1d038eb3b6b799eab37fe85786203dda0e7cbc93cb9165ddb9979e171a98c55c9f5513a2291dad05

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
163KB

MD5
22652e45e787a0cfb070d3bd42eb4267

SHA1
68b2a80b16634ebafa854950fdd1a7da63b1d69f

SHA256
3ced89ea1e459eef463fad9a4eebd2dfb340e4e358f9b33e0b00a8cdb823d2b8

SHA512
9dde02a3d3324b4c80af71712f06c532c8352d3bc8289329c2ccdeeecd18c54bd88a4fc4da135c9ad73c25cb98b4ef62735f5b23cd5bf1baad01a82e603a96a2

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
163KB

MD5
58a59d2e8af709ca36ba21931e95fa3d

SHA1
9585c16ad3e786fd3bd66f3f1d4a7be5d584dc31

SHA256
9049ba36b5c7f646493891058d118575fb5b73d0370989f0edf9ccadc9def3f6

SHA512
1f815e718c32208498958dc23e47617aea4584d06d48e5b6f1bc46418782385e5261047ae4dea18c8fca22ae68cf2ac9d1944132c6c5b34ca53d5221733b1138

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
163KB

MD5
2409f1f9335adcfb088f7c577d7035bb

SHA1
72c0a3cf29ea3a78e6cce3767660cb38783b6e49

SHA256
45018232dac3216497a00252ddbec4ca98a3f7b59a377f86c321da7feb1d06c3

SHA512
14ed769866084bb58cc30e302e1352ddcb733cc93e258b3651ba4ed2efb9d648a53030409a3413cb231c1f71d6c345f5574882719cc9f2f6c1e43cbe4715e9e7

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
163KB

MD5
4ef4612c4821ce6f8fd2ca350e5528fe

SHA1
ead04788f5b15f197567d80691db1fb22fd1f148

SHA256
007e5635fceba95b84d6a3a4a0fab7b06fa3ca1e42dbe3fe8ac803f53c7ced0e

SHA512
80b26c5c5b0653602180fe675c141c9205782d1d85fa90380ed47cbc5af5c0e8dbbdc4abcccb65f6ac561a8c651fe6ba3771e1b09f06663abf5e1672a066904e

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
163KB

MD5
5347abf836940c4306a291206e9c88bc

SHA1
a19d4360d31438ef71f82108ad093acdfcc0c528

SHA256
c688a21a03f8f429a1963f5c1867b03a961b922ac1c1d1c00fa487df9d169ed2

SHA512
e90f2f2b167e804112ebcab6d1ef5037e20d824592931a17e66248f3c7d07706f8dc62831191cb630e92036f289c823ed5e769e35202ae9d09eb703c31835f94

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
163KB

MD5
bdffc873a4a21725f538ebcccc24b9ec

SHA1
4c8d32e9a42d08b223472da60dbcc4e13182995f

SHA256
7fb96edc20bab4c9ce690a9e124326269d4c6383156cc149784e3cb5baa3b6f8

SHA512
46580e6319e399278be2361862ffae62b345584185d3f0baffb11af448bcdebbe7a9696ee0975db95ceddb80e9d85513197f40c74c181036d2818d2f24038238

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
163KB

MD5
050ae865450a608939430355f78bcb47

SHA1
5a1b2331074f637eca278049765c87eca42a68df

SHA256
6e0f62bcf4bf745e59b160594f20130f48eaee469e6ccd15900b654d9cd69add

SHA512
3667bc870c07ba55a33f64041f24612e439f0c849320d09d42239382756b129931fa897542f1c01f107236e5ac1ed3272ef64281c32ba37e1382d3298354c562

Download Submit
memory/8-323-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/212-275-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/404-287-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/440-365-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/452-89-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/452-517-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/452-520-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/532-419-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/808-486-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/808-443-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/816-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/816-512-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/820-341-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/828-508-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/828-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/920-293-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1364-526-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1364-113-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1504-502-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1504-17-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1560-136-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1608-177-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1640-311-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1664-335-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1684-518-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1684-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1824-371-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1856-209-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1904-377-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1940-407-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1976-97-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1976-522-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2084-256-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2124-472-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2124-478-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2132-595-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2132-347-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2140-483-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2140-459-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2240-389-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2328-317-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2356-217-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2356-546-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2388-531-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2388-129-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2852-269-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3272-524-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3272-105-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3332-281-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3480-535-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3480-152-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3488-514-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3488-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3520-225-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3536-500-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3536-9-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3568-240-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3696-476-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3696-473-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3716-413-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3728-201-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3824-383-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4012-329-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4088-160-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4212-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4212-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4216-503-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4216-32-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4216-506-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4224-441-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4252-558-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4252-263-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4256-249-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4256-553-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4300-359-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4412-479-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4412-466-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4428-510-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4428-48-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4432-425-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4436-353-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4540-232-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4548-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4548-533-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4584-431-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4588-488-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4588-449-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4616-504-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4616-25-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4616-501-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4620-185-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4660-192-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4672-481-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4676-305-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4716-401-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4724-120-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4724-525-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4724-527-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4752-395-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4752-498-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4976-567-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4976-299-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5016-168-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5036-516-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5036-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download