berbew | e083b2cdcdf1ea2c4cbe3f0072351b01cf248fb5d9331cd50fded68f40686cc3

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e083b2cdcdf1ea2c4cbe3f0072351b01cf248fb5d9331cd50fded68f40686cc3N.exe
Size

93KB
MD5

0f7c3089accfb2782d5bee5abeca8c90
SHA1

a69d892fae8b749e90a4b28d7b4c50b534861541
SHA256

e083b2cdcdf1ea2c4cbe3f0072351b01cf248fb5d9331cd50fded68f40686cc3
SHA512

2228a1b58e8484f18c5e8a2d64271df685d172eef0dcbbc48404cafd9af6c93a1500d007e7b46e0a7a59c3b772f0619d1c2e97ca65ef5fdbfbe582d117091c08
SSDEEP

1536:Z33HBe+GD379SUCXCI1DaYfMZRWuLsV+1Z:p3hrG/9SUCXCIgYfc0DV+1Z

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Daconoae.exePnlaml32.exePqpgdfnp.exeQqijje32.exeBalpgb32.exeOpakbi32.exeAgjhgngj.exeAminee32.exeDhhnpjmh.exeBgcknmop.exeBnpppgdj.exeDdonekbl.exePgllfp32.exeBnhjohkb.exeBcebhoii.exeBfkedibe.exeNjefqo32.exePmannhhj.exeQqfmde32.exePdfjifjo.exePjhlml32.exeAnogiicl.exeNnlhfn32.exeOgkcpbam.exeDhocqigp.exeAndqdh32.exeDmefhako.exeDfpgffpm.exeBeihma32.exeDkifae32.exeNckndeni.exeAfoeiklb.exeBnbmefbg.exeCeckcp32.exee083b2cdcdf1ea2c4cbe3f0072351b01cf248fb5d9331cd50fded68f40686cc3N.exePjmehkqk.exeBeeoaapl.exeCaebma32.exeCegdnopg.exeNgdmod32.exeOjllan32.exeCjinkg32.exeCdabcm32.exeDanecp32.exeBcoenmao.exeCjmgfgdf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e083b2cdcdf1ea2c4cbe3f0072351b01cf248fb5d9331cd50fded68f40686cc3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e083b2cdcdf1ea2c4cbe3f0072351b01cf248fb5d9331cd50fded68f40686cc3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckndeni.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

Processes:

Nnlhfn32.exeNgdmod32.exeNlaegk32.exeNckndeni.exeNjefqo32.exeOcnjidkf.exeOpakbi32.exeOgkcpbam.exeOpdghh32.exeOjllan32.exeOcdqjceo.exeOjoign32.exeOcgmpccl.exePnlaml32.exePdfjifjo.exePfhfan32.exePmannhhj.exePfjcgn32.exePqpgdfnp.exePjhlml32.exePdmpje32.exePgllfp32.exePcbmka32.exePjmehkqk.exeQqfmde32.exeQjoankoi.exeQqijje32.exeAnmjcieo.exeAgeolo32.exeAnogiicl.exeAeiofcji.exeAjfhnjhq.exeAgjhgngj.exeAndqdh32.exeAeniabfd.exeAfoeiklb.exeAminee32.exeAgoabn32.exeBnhjohkb.exeBcebhoii.exeBnkgeg32.exeBeeoaapl.exeBgcknmop.exeBalpgb32.exeBgehcmmm.exeBnpppgdj.exeBeihma32.exeBfkedibe.exeBnbmefbg.exeBcoenmao.exeCjinkg32.exeCdabcm32.exeChmndlge.exeCaebma32.exeCdcoim32.exeCjmgfgdf.exeCeckcp32.exeCmnpgb32.exeCdhhdlid.exeCnnlaehj.exeCegdnopg.exeDfiafg32.exeDanecp32.exeDhhnpjmh.exe

pid	process
2212	Nnlhfn32.exe
1936	Ngdmod32.exe
4752	Nlaegk32.exe
3560	Nckndeni.exe
5040	Njefqo32.exe
3876	Ocnjidkf.exe
4452	Opakbi32.exe
2932	Ogkcpbam.exe
3844	Opdghh32.exe
3952	Ojllan32.exe
4176	Ocdqjceo.exe
4924	Ojoign32.exe
3224	Ocgmpccl.exe
960	Pnlaml32.exe
1700	Pdfjifjo.exe
1460	Pfhfan32.exe
1252	Pmannhhj.exe
60	Pfjcgn32.exe
4616	Pqpgdfnp.exe
1400	Pjhlml32.exe
4652	Pdmpje32.exe
4068	Pgllfp32.exe
1080	Pcbmka32.exe
5056	Pjmehkqk.exe
444	Qqfmde32.exe
5076	Qjoankoi.exe
1960	Qqijje32.exe
772	Anmjcieo.exe
3744	Ageolo32.exe
4800	Anogiicl.exe
2740	Aeiofcji.exe
1348	Ajfhnjhq.exe
64	Agjhgngj.exe
2404	Andqdh32.exe
3076	Aeniabfd.exe
3392	Afoeiklb.exe
232	Aminee32.exe
4136	Agoabn32.exe
2692	Bnhjohkb.exe
4884	Bcebhoii.exe
4868	Bnkgeg32.exe
5044	Beeoaapl.exe
4676	Bgcknmop.exe
3504	Balpgb32.exe
3480	Bgehcmmm.exe
1468	Bnpppgdj.exe
4364	Beihma32.exe
2788	Bfkedibe.exe
2208	Bnbmefbg.exe
4772	Bcoenmao.exe
4640	Cjinkg32.exe
2052	Cdabcm32.exe
3308	Chmndlge.exe
1656	Caebma32.exe
1388	Cdcoim32.exe
3940	Cjmgfgdf.exe
4120	Ceckcp32.exe
392	Cmnpgb32.exe
1152	Cdhhdlid.exe
4784	Cnnlaehj.exe
2704	Cegdnopg.exe
2292	Dfiafg32.exe
3484	Danecp32.exe
2176	Dhhnpjmh.exe

Drops file in System32 directory 64 IoCs

Processes:

Pmannhhj.exeBalpgb32.exeCegdnopg.exeOcnjidkf.exeBcebhoii.exeBfkedibe.exeDmefhako.exeOgkcpbam.exeOpdghh32.exePdmpje32.exeDanecp32.exeOjoign32.exePqpgdfnp.exeAnogiicl.exee083b2cdcdf1ea2c4cbe3f0072351b01cf248fb5d9331cd50fded68f40686cc3N.exeNgdmod32.exeAgeolo32.exeAjfhnjhq.exeCdabcm32.exeNnlhfn32.exePjmehkqk.exeChmndlge.exeCjmgfgdf.exeCeckcp32.exeAfoeiklb.exeAgoabn32.exeBnhjohkb.exeDkifae32.exeQjoankoi.exeDaconoae.exePfjcgn32.exeBcoenmao.exeAnmjcieo.exeDogogcpo.exeDhocqigp.exeOpakbi32.exeAndqdh32.exeAeniabfd.exeDfiafg32.exeAeiofcji.exeOcgmpccl.exeBeihma32.exeOcdqjceo.exeCjinkg32.exeCdcoim32.exeDdonekbl.exeNckndeni.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Opakbi32.exe	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Opdghh32.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Ojllan32.exe	Opdghh32.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pqpgdfnp.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Fibbmq32.dll	e083b2cdcdf1ea2c4cbe3f0072351b01cf248fb5d9331cd50fded68f40686cc3N.exe
File created	C:\Windows\SysWOW64\Hfligghk.dll	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Ageolo32.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Ngdmod32.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Ngdmod32.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Fpkknm32.dll	Nnlhfn32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Opakbi32.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Opdghh32.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Ocdqjceo.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Njefqo32.exe	Nckndeni.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3196 4628 WerFault.exe Dmllipeg.exe

pid	pid_target	process	target process
3196	4628	WerFault.exe	Dmllipeg.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Pqpgdfnp.exeBcebhoii.exeDmefhako.exeDkifae32.exePmannhhj.exeAminee32.exeAgoabn32.exeDfpgffpm.exeBnpppgdj.exeBnbmefbg.exeCjinkg32.exeOjllan32.exeAnmjcieo.exeAeniabfd.exeBeeoaapl.exeAnogiicl.exeAfoeiklb.exeCdcoim32.exeDanecp32.exeNgdmod32.exeOcdqjceo.exePdfjifjo.exePgllfp32.exeDogogcpo.exeDmllipeg.exePnlaml32.exePfhfan32.exeBgcknmop.exeCnnlaehj.exeBnhjohkb.exee083b2cdcdf1ea2c4cbe3f0072351b01cf248fb5d9331cd50fded68f40686cc3N.exeQqijje32.exeAeiofcji.exeAgjhgngj.exeCmnpgb32.exePdmpje32.exeQjoankoi.exeBnkgeg32.exeCdabcm32.exeNnlhfn32.exeOcnjidkf.exeBeihma32.exeCaebma32.exeCegdnopg.exeDfiafg32.exeDeagdn32.exePjhlml32.exeAgeolo32.exeAjfhnjhq.exeCjmgfgdf.exeBcoenmao.exeOgkcpbam.exeAndqdh32.exeBgehcmmm.exeBfkedibe.exeNlaegk32.exeNjefqo32.exeOpakbi32.exeQqfmde32.exeCdhhdlid.exeDaconoae.exeDhhnpjmh.exeDhocqigp.exeNckndeni.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e083b2cdcdf1ea2c4cbe3f0072351b01cf248fb5d9331cd50fded68f40686cc3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe

Modifies registry class 64 IoCs

Processes:

Andqdh32.exeNgdmod32.exeOcnjidkf.exeOpdghh32.exeBgehcmmm.exee083b2cdcdf1ea2c4cbe3f0072351b01cf248fb5d9331cd50fded68f40686cc3N.exePjmehkqk.exeOjllan32.exeBgcknmop.exeBcoenmao.exeNnlhfn32.exePqpgdfnp.exeQjoankoi.exeBnbmefbg.exeDmefhako.exeDaconoae.exePnlaml32.exeAnogiicl.exeBeeoaapl.exeCdhhdlid.exeNjefqo32.exePdfjifjo.exeBnhjohkb.exeBalpgb32.exeCdabcm32.exeCnnlaehj.exeAgeolo32.exeBeihma32.exeDhhnpjmh.exeAminee32.exeNlaegk32.exeAnmjcieo.exeCjmgfgdf.exeCeckcp32.exeCmnpgb32.exeOcgmpccl.exeCaebma32.exeOgkcpbam.exePfjcgn32.exePcbmka32.exeAeniabfd.exeAgoabn32.exeBfkedibe.exeCjinkg32.exeDkifae32.exeDfiafg32.exeOjoign32.exeBnkgeg32.exeDfpgffpm.exeDeagdn32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e083b2cdcdf1ea2c4cbe3f0072351b01cf248fb5d9331cd50fded68f40686cc3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkknm32.dll"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibbmq32.dll"	e083b2cdcdf1ea2c4cbe3f0072351b01cf248fb5d9331cd50fded68f40686cc3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e083b2cdcdf1ea2c4cbe3f0072351b01cf248fb5d9331cd50fded68f40686cc3N.exeNnlhfn32.exeNgdmod32.exeNlaegk32.exeNckndeni.exeNjefqo32.exeOcnjidkf.exeOpakbi32.exeOgkcpbam.exeOpdghh32.exeOjllan32.exeOcdqjceo.exeOjoign32.exeOcgmpccl.exePnlaml32.exePdfjifjo.exePfhfan32.exePmannhhj.exePfjcgn32.exePqpgdfnp.exePjhlml32.exePdmpje32.exe

description	pid	process	target process
PID 2524 wrote to memory of 2212	2524	e083b2cdcdf1ea2c4cbe3f0072351b01cf248fb5d9331cd50fded68f40686cc3N.exe	Nnlhfn32.exe
PID 2524 wrote to memory of 2212	2524	e083b2cdcdf1ea2c4cbe3f0072351b01cf248fb5d9331cd50fded68f40686cc3N.exe	Nnlhfn32.exe
PID 2524 wrote to memory of 2212	2524	e083b2cdcdf1ea2c4cbe3f0072351b01cf248fb5d9331cd50fded68f40686cc3N.exe	Nnlhfn32.exe
PID 2212 wrote to memory of 1936	2212	Nnlhfn32.exe	Ngdmod32.exe
PID 2212 wrote to memory of 1936	2212	Nnlhfn32.exe	Ngdmod32.exe
PID 2212 wrote to memory of 1936	2212	Nnlhfn32.exe	Ngdmod32.exe
PID 1936 wrote to memory of 4752	1936	Ngdmod32.exe	Nlaegk32.exe
PID 1936 wrote to memory of 4752	1936	Ngdmod32.exe	Nlaegk32.exe
PID 1936 wrote to memory of 4752	1936	Ngdmod32.exe	Nlaegk32.exe
PID 4752 wrote to memory of 3560	4752	Nlaegk32.exe	Nckndeni.exe
PID 4752 wrote to memory of 3560	4752	Nlaegk32.exe	Nckndeni.exe
PID 4752 wrote to memory of 3560	4752	Nlaegk32.exe	Nckndeni.exe
PID 3560 wrote to memory of 5040	3560	Nckndeni.exe	Njefqo32.exe
PID 3560 wrote to memory of 5040	3560	Nckndeni.exe	Njefqo32.exe
PID 3560 wrote to memory of 5040	3560	Nckndeni.exe	Njefqo32.exe
PID 5040 wrote to memory of 3876	5040	Njefqo32.exe	Ocnjidkf.exe
PID 5040 wrote to memory of 3876	5040	Njefqo32.exe	Ocnjidkf.exe
PID 5040 wrote to memory of 3876	5040	Njefqo32.exe	Ocnjidkf.exe
PID 3876 wrote to memory of 4452	3876	Ocnjidkf.exe	Opakbi32.exe
PID 3876 wrote to memory of 4452	3876	Ocnjidkf.exe	Opakbi32.exe
PID 3876 wrote to memory of 4452	3876	Ocnjidkf.exe	Opakbi32.exe
PID 4452 wrote to memory of 2932	4452	Opakbi32.exe	Ogkcpbam.exe
PID 4452 wrote to memory of 2932	4452	Opakbi32.exe	Ogkcpbam.exe
PID 4452 wrote to memory of 2932	4452	Opakbi32.exe	Ogkcpbam.exe
PID 2932 wrote to memory of 3844	2932	Ogkcpbam.exe	Opdghh32.exe
PID 2932 wrote to memory of 3844	2932	Ogkcpbam.exe	Opdghh32.exe
PID 2932 wrote to memory of 3844	2932	Ogkcpbam.exe	Opdghh32.exe
PID 3844 wrote to memory of 3952	3844	Opdghh32.exe	Ojllan32.exe
PID 3844 wrote to memory of 3952	3844	Opdghh32.exe	Ojllan32.exe
PID 3844 wrote to memory of 3952	3844	Opdghh32.exe	Ojllan32.exe
PID 3952 wrote to memory of 4176	3952	Ojllan32.exe	Ocdqjceo.exe
PID 3952 wrote to memory of 4176	3952	Ojllan32.exe	Ocdqjceo.exe
PID 3952 wrote to memory of 4176	3952	Ojllan32.exe	Ocdqjceo.exe
PID 4176 wrote to memory of 4924	4176	Ocdqjceo.exe	Ojoign32.exe
PID 4176 wrote to memory of 4924	4176	Ocdqjceo.exe	Ojoign32.exe
PID 4176 wrote to memory of 4924	4176	Ocdqjceo.exe	Ojoign32.exe
PID 4924 wrote to memory of 3224	4924	Ojoign32.exe	Ocgmpccl.exe
PID 4924 wrote to memory of 3224	4924	Ojoign32.exe	Ocgmpccl.exe
PID 4924 wrote to memory of 3224	4924	Ojoign32.exe	Ocgmpccl.exe
PID 3224 wrote to memory of 960	3224	Ocgmpccl.exe	Pnlaml32.exe
PID 3224 wrote to memory of 960	3224	Ocgmpccl.exe	Pnlaml32.exe
PID 3224 wrote to memory of 960	3224	Ocgmpccl.exe	Pnlaml32.exe
PID 960 wrote to memory of 1700	960	Pnlaml32.exe	Pdfjifjo.exe
PID 960 wrote to memory of 1700	960	Pnlaml32.exe	Pdfjifjo.exe
PID 960 wrote to memory of 1700	960	Pnlaml32.exe	Pdfjifjo.exe
PID 1700 wrote to memory of 1460	1700	Pdfjifjo.exe	Pfhfan32.exe
PID 1700 wrote to memory of 1460	1700	Pdfjifjo.exe	Pfhfan32.exe
PID 1700 wrote to memory of 1460	1700	Pdfjifjo.exe	Pfhfan32.exe
PID 1460 wrote to memory of 1252	1460	Pfhfan32.exe	Pmannhhj.exe
PID 1460 wrote to memory of 1252	1460	Pfhfan32.exe	Pmannhhj.exe
PID 1460 wrote to memory of 1252	1460	Pfhfan32.exe	Pmannhhj.exe
PID 1252 wrote to memory of 60	1252	Pmannhhj.exe	Pfjcgn32.exe
PID 1252 wrote to memory of 60	1252	Pmannhhj.exe	Pfjcgn32.exe
PID 1252 wrote to memory of 60	1252	Pmannhhj.exe	Pfjcgn32.exe
PID 60 wrote to memory of 4616	60	Pfjcgn32.exe	Pqpgdfnp.exe
PID 60 wrote to memory of 4616	60	Pfjcgn32.exe	Pqpgdfnp.exe
PID 60 wrote to memory of 4616	60	Pfjcgn32.exe	Pqpgdfnp.exe
PID 4616 wrote to memory of 1400	4616	Pqpgdfnp.exe	Pjhlml32.exe
PID 4616 wrote to memory of 1400	4616	Pqpgdfnp.exe	Pjhlml32.exe
PID 4616 wrote to memory of 1400	4616	Pqpgdfnp.exe	Pjhlml32.exe
PID 1400 wrote to memory of 4652	1400	Pjhlml32.exe	Pdmpje32.exe
PID 1400 wrote to memory of 4652	1400	Pjhlml32.exe	Pdmpje32.exe
PID 1400 wrote to memory of 4652	1400	Pjhlml32.exe	Pdmpje32.exe
PID 4652 wrote to memory of 4068	4652	Pdmpje32.exe	Pgllfp32.exe

C:\Users\Admin\AppData\Local\Temp\e083b2cdcdf1ea2c4cbe3f0072351b01cf248fb5d9331cd50fded68f40686cc3N.exe
"C:\Users\Admin\AppData\Local\Temp\e083b2cdcdf1ea2c4cbe3f0072351b01cf248fb5d9331cd50fded68f40686cc3N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\Nnlhfn32.exe
  C:\Windows\system32\Nnlhfn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\Ngdmod32.exe
    C:\Windows\system32\Ngdmod32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\SysWOW64\Nlaegk32.exe
      C:\Windows\system32\Nlaegk32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4752
    - - C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3560
      - C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4068
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:444
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:64
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3392
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3308
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1388
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3368
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3128
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:704
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4444
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 404
        75⤵
        Program crash
        
        PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4628 -ip 4628
1⤵
PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
93KB

MD5
0f3be1ce90d693bbb4553cb904bb48ac

SHA1
1435a93327201695e24b3c9db074b7eb370fa1a2

SHA256
36c049e3443bf515757d35e41bdc3387836a5505d67a401e24d1f0a2eee4a9e2

SHA512
15c19ee52be6f227d17c1fc206126107913fbbdbf3250d02e3cb0b250c391ff9a60ee6b3482508c7d5eb2d93bd2fc3e9c04616a02087294933b00e33fd9a5f5c

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
93KB

MD5
cd60851b2be7ce00d4b6ca49a16abd6d

SHA1
52030ce00de7b921a2eda466d7b15a099ffaab21

SHA256
cae4901ce1679f2bd6ca651a0441ef5a54635de7baef5a486960c19ee9e41fcb

SHA512
9e176ce4c85b069c272ecf5a85353d974157315f4dd2079bd209cbd8be6780ae8f5889a9ef01b3405716b99f8b7f7de9102618f059b9748d6f8f5252584dfc03

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
93KB

MD5
f696a5e42ac6210f20dc8a91d395c472

SHA1
e54c60015273fcc87d87479805951cd1ce74b908

SHA256
0a429d44845ff748e2d124288370f7d5194730890ca328ffe335ce7f4d52c162

SHA512
8cbffff4890faaaed0cb5f7b08c92298241b273874dbccb4f0182fa4b382ee58bcf55867b4c04dc349e25d42bd5c2891135c15bc30cddbe7b73f3a287f1a37f2

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
93KB

MD5
0d79cb91e4ad84d0c9ec8c961982bc34

SHA1
ca31314306495f0531661fe11f0f01c494f6b408

SHA256
6c0bcadcf68816f97846c0e53164d15f7495c3466b9092318e05fff9a5492c02

SHA512
854709743bcb35a80feb09c18b2de64d41e5e058f578e59064190ab9dffc8d4a1b21176d4cc07c85d4c1c19684ff44e80a228fa8a9ded1d0f4d68dc9cc1e8412

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
93KB

MD5
2f6adff7761324eddcf99c8ad11a8339

SHA1
c50f708c842ce75435a5f27477664c1b6506a157

SHA256
b7269d524a5885af6c2bab4b0d9fdf990489776f8bf2f2e6ae567c24ec73f0a8

SHA512
ec79b81cc41a9374efba1d33f38cf1f33869f724ee9da9888e0066576b499252d16c1d70a76975ac8ce32d866745fb13e382dcd74fbcec83479d8976340b6ea6

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
93KB

MD5
524f0504bdc07e0987025191f27a40a2

SHA1
e0be23df42527f1b534d93cbd8ff11f5e02bf369

SHA256
58f4a2aa829c21edbc77141390e21770a950cc9606bbee0bbfbdadf70217f64b

SHA512
556742347e9eedd8c2c39dee4e1cf51f594217b3065913f4804d97ee18ef750410adbf1c16729ee8d2f8cbf508b162bdb4aaf027c3083280c256443e0f585a2d

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
93KB

MD5
5ac1c687fb21dd332a520eec63eac847

SHA1
f94d1604203c5a6f3b4d198ef8bfa2ef58901850

SHA256
a8b2babbf45df5324cdaae4ec8bcf2c7aab24b7d61855c0390f23d665b7ea46e

SHA512
b60b3d1d68c4f4fe131f4454b12d23776743c6841b02c2160a8e8518d7c41a0c96c93670f91d31d39252945412fb52fea125e73130970e1f5ce959a163480da5

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
93KB

MD5
5bb6ad19506a815d0abbbc95cde3dae5

SHA1
2787f92056b29dd7feedaed2bb0e719d96bc63e4

SHA256
e78b2b717e8e8bee51cb246af258abea59b3693f4c1db3f75d925970a3712296

SHA512
38bd58825c7d5ed67df5d57bd18dc31e5bb13e3f76dc6cd8898b096bfdb3be841a2b9cb930a65e54e9cb759bb9c994b669529c557a34b941181db62e6631197e

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
93KB

MD5
bcb063e6ae2975d2f95a3ed60ba828d3

SHA1
5a5efa97e0f0c387869fb77489b55456ee2eb022

SHA256
e7229bb3eed0324666623c73a0aafdc4584d9052024a3f585ba5d204a3843bd9

SHA512
ece210a9ecf701ac613efe3cfc6b120075e3b910384504e76927229dafaf5e2ba4f3ea6d5c2f1abad8553dfbf798c0222b735302e0229db8b555378b5ea05018

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
93KB

MD5
7b40f108b8558106d71983422664cb97

SHA1
ca8b17bcb5f51c6099fb3f7fcbc30d0c49f1979c

SHA256
9f2086e96d41ac79a7a9675d78bcee7c6079c84942d788243074b22296ef4436

SHA512
fb647d002077b673169b5564ad26d4b0ee6b91b09867190808dc086f5e8d0c2166040ff37359f600b48674a9c00f392d453ad62dfafc098a47f7d260ac1622cd

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
93KB

MD5
f268b4145372f7351675b376a04f8a50

SHA1
b98160b14152a2b230b5804a3de4960992cea348

SHA256
cf6672575f0fa5fb3b4b7df0dc919c52b9c4951c441379957406e08659fb557e

SHA512
656984b48c67b2b10f8e6bd515d44e751453d2fa282c55f90d22b992d0eeb5d0c7fcd6fb430bc4cb57a57f1a2e6057faa91b46f1e0e3d67724188803f4057233

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
93KB

MD5
95a031ee22b69a4b44073cb1e758c279

SHA1
916161fec3856ec858dfcaac1d4dd4b625ddf848

SHA256
b2c80db53a788631aaad001304a94ba6e531c236e1ce4d0133a741903d413bf7

SHA512
5c696064caae6570a210ff536b6d4ec71aefd378ef63c1be5041a6be1aeacd4771bed13f645eef01c616e81508dd5f773c8c75ca6849965e1e91f1ec0fa9a636

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
93KB

MD5
31a2c56e5bbfacf10c9486c9e6820877

SHA1
2cf60531fa8122eaef61f0b21ed9312f4830c8b4

SHA256
f2970d3955ce8e47f4140d78dd9af1c8f2eb09320507f1bc8c28b1d908ab1c29

SHA512
461a8697de8dd2762ba94922d17769c319983e5c3c5499ae95c3d8d5c35bee0b0c578f78632df24a46b0891c6a420aeb2666d48459237c09b8e435da4e8eaef7

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
93KB

MD5
4995a1a865378f49dafabe48fcfe62d4

SHA1
5046d8e91cfa1f58a35a816b50c8f6358d00f7fa

SHA256
4551f961d65326221b6f2ab54c53c2a0ba19b57bd328d06c9b8aaa7f25226281

SHA512
d4147ab380d5608c4c900e7b2237453b24641919482c0d343300c88552f4418f43ff3808e151a6a8a68323f9f6607858d82535b70903bf4ffac085782a260eca

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
93KB

MD5
541d25bfd30e73caf2598c5ea14cf527

SHA1
4eb5de7f3e53631b6e1559ea50e8d6ceff932993

SHA256
3d702d4760c3fea1f7ea51f31a12354063c3e61186d58c22a292c8581e5ba226

SHA512
28ecbb71406d2d6e60375e6b861a3f64dacaf71558758ace6e7cdc318bc29e715c7cab024a0da4aedcf8de2f896e56dedd24cc1aabbd6ade2a4a9afb8e3b23fc

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
93KB

MD5
45cd4283795613a8f8080a45348f9a67

SHA1
bc43e8a0756921d0d1991f9a44c4d57e8fb3a2f6

SHA256
ec96aae108a4f15bd18cc30b08b3b1913fb0b1db59536bed06157d36d3a6d009

SHA512
8275f1f096571fac25397a9b7ffd2e84cc3584876eb74c6b7fa6499c1d7a605a0418e75a5734ca46bf4399ef0030d73227c8402031ddc211a33e73a911b0fd80

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
93KB

MD5
64884facd28b684a7e7212f532419938

SHA1
5daa809f3c5e4d6571f834df124f1ef64f58fcb1

SHA256
93434d083e330fd566afc194f763730fd6cf8c3e9e640c2cd0a1e6a730746f8d

SHA512
105404d475aa5cee2e64cb725b775ed73aa796c107eb631bcef0b90e8809216fb7f3019e3abe9d8cede954a0adda3f10a797788a20cce2429e545997a6f2196c

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
93KB

MD5
ea833af0cb438076329d557e7d49b99d

SHA1
8a0cf0c19c3d9f01f16c4ec3f86ebdde2a9931d0

SHA256
9fc97ad4897e5a2b0211811bc9b460df07f17fbe234b1ec39a593ea2026caebb

SHA512
1c865e163c176f50c67c3d5a045115b906408a8202c24024821d25173a5c39dd8cce287757af39c23965672af04d314dffcbf1ceb34fdce9b12d75443b06fbb3

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
93KB

MD5
b46c3f86b8f49436154b16da9538c44d

SHA1
97e4beed93afbce3e4877112efce33ca6a9556c0

SHA256
e077848d3237f0d2399afeab8a34bc8a385c3e118c34ee9333cd56580171c191

SHA512
1319304f05dbb3c06de6525a7264f1a97669a35c9d5bcf1cb90efc9aeb44c94277a506e36e5f3779269ea1011fe986e730f4c5d7e56401cfd22e0e6c3d9056e0

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
93KB

MD5
c51dac303a08e3fb57115583a601c774

SHA1
1ac904ab5288461305f81abd838022f35e5ccf51

SHA256
85ebde2c49c26c531e071d787891c19b43f0c7ae9eeb0cc0f9bef50e3b5e7d61

SHA512
083cdb2b84449d5d6ad5bfde0aa237ee3b26087e6d767e75f3b48c72d4de3f12dbe30c18d4e463c6955103c854a8d276cd938114175e5f8c6397b76c461ac0da

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
93KB

MD5
b61ff5c398b0c34687e351c27d979740

SHA1
9b87985e343d9e52560a247b7a515366924bb3d5

SHA256
9ceae8c3047fd253cc136991b6f842c8fa2f330ec6b7775080a7a1bc99dff1c8

SHA512
ff5c460d881059ba8d796d0b47d0c3515fcf4c95141e4bbcd8986a893d7d2dc162974f00f1e4d0042c2f76db37ddbb4c0a42f2be9ce04122d6a1ec7874696d4d

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
93KB

MD5
7bb0f103ab3c1f620601ae7feb9a7085

SHA1
0b453b8beac3e15733c9a0dcdf9e4adea46434d7

SHA256
a57e35ba0af0730c884d337b1fff33494d3740de868efb4b2f17167795f474cf

SHA512
6ca4285bb917d980e6dafd2a65b4d127e927f93a04b42d3c00348f31d20310479a3ba348a99c9eda9801e8a00427900c884fee9b4be57d7dcff405f37a18dd50

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
93KB

MD5
5e3b2baeac9578a04ebe7cbb99ac1421

SHA1
996567e30d169a30ed177ce38f1f0e30e47b4467

SHA256
a24efdb93281881e1159b56034f83b41b809f585d37751e95902d7a62d54e333

SHA512
2c7ada1f22230bb0e3c8a4e1ce921f2a544a2d63b795f450d7df02c4436d04a5c2b5c3addf2da488f068da29432bffcdc2bf285d4f7cf76a8efbdc217c701dd3

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
93KB

MD5
050eebed6b7f2dd750bfa65b35dd439e

SHA1
fd39e320472e1c157da00fd1556689421cc02ead

SHA256
4caf905da909bd161b6e9d51d4d317f3a9585164e7b1da2e43a1da1602072577

SHA512
02ca74ed73aa877fd60de642174d864bec886665971f933ea698cda9b36e4a6d7d77937ba497bd24a9c19683c294fe8f14f29f3a820ae87907997f6c91bd403c

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
93KB

MD5
2ef23626961304dfa4276ba365dbe295

SHA1
76acf6821f19d102f0cb1814107003898f94ca31

SHA256
a31339dbcbf1d85c1c2ae2dd8ed0d5e058afe3ce95e1bb956cdcb292bf75efdd

SHA512
44408a5b20b8e272625180bca6ec40a29f9b981c6d810de21e1cf2cd60468a90adfd0fa3cc229734620ebf657ddc5b4441958165f5af68fcd0fd9e80309f89e8

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
93KB

MD5
703b8690356914bc35d786ce9c8494f1

SHA1
915f6a1ae120e82f72890fdccf4958afb4c69d29

SHA256
5b7597009a875d9c3a4836d9b9729f55b90ed68a4ea821a5560f1e7333637252

SHA512
10829074dc5daf2a87501819373a620ac21fb86b2668e4d4c70b4a6d8f239db3efd259b6cb39a9c64e42f948c2ca1c53627259cc12c48edba762d7c4a85f503c

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
93KB

MD5
d039c47b29a6824d2110b3ea957a6c18

SHA1
a5342167dd18dc307f2be3f15621d678bcd6e69e

SHA256
5f17cbf275e54741bd6fd4dcc6b29cd80231e6931ceec6ebfad602f514f9a0be

SHA512
0737629f14a5e945d771bb1029767528b0fbb236b473d11a229790a134aa7477d37c8ed855d732e0cd88a4617d6dc0bf60ade56e6d0196a731a02cd4d616bd3c

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
93KB

MD5
3781cfc2e889ac6a7cb141bda9a3d4ad

SHA1
f7cdb0ae4128f54473bc87069287f27c3b71a48f

SHA256
98aa0feba18aa3adb70c83ba2b5811e034ce686fcfdbdd2e34ad9e1645054586

SHA512
48e04288d95428055f6ee332255b01b1baf2bed27132b3ed624c0738ec84895d130a749ca838f74ba2268e795954c4b88f05f87cabd6249d56c308131eaccc99

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
93KB

MD5
4cb1284ff8d41ab1882cbbadf618af19

SHA1
8751b03bd8074615bd9b8e313344c85d207c8c62

SHA256
178ab158f6259a5e7fe7613ab89f5535cf2ca7965a8d03d9e5de27b48426bd58

SHA512
cb8d19879ac37deebe5c8c1a6da942e508c015e5f537d88bb0e9a94e608c9443a549a521187e44da52c2120e17d420f336993734255c7135abb536677561fd8d

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
93KB

MD5
0b473aa637e1058606f7eb84629d1eac

SHA1
e950efb2d149ef83fb35040c868c63f54dbf6bef

SHA256
02c4726d76ed53430c8bff241e08e547cfc2e7e1d6e2b0e47776722d5e45130a

SHA512
cbad775b950343d8dab15280603090bd7d36643e0f6da106c122d3b80f9ac894650539cd3f4f9399f36b638c15ea153569adeb06c980c5ea12b9c0d52525eff2

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
93KB

MD5
c2e36e46a7956a80fffc89af623de8ef

SHA1
9b73d2da9c0d5bbe83d394ebb3fe93bb5577eeca

SHA256
9a440e5563bff2183d2a14c7f3638a616bb2d7990bdc4e00596a982310bbbbf9

SHA512
7d375d73df19dee8057e0a20e2e3c9df53c16d83efbe2482aeebbdb68bdcb06f03b1cd2ee65af4df689c8c2a0fee4f00e6a1dd6e6f48c76c26ae993fa491d662

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
93KB

MD5
ce135b1c1ffcb241c2f79fa4f63a1850

SHA1
a8761a801ccb95f7e088a90d7ec0358a16870f77

SHA256
7318f8919bd79aa52b2fbb6911c00f0a51481ac1a4c9aa19c423a80319235d5e

SHA512
382aec9866c6461ab9746853992ab587f97e9db4bc392da2f837c1df4f1c39efc1c1cba4c8bf39d7c166de312f2f259974735721356c6e9dbed27c8b35c46ee2

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
93KB

MD5
7c8e9bef9d8a60bfe803a7bd6412b1bb

SHA1
ceb6036b88fc552d0077359f559b87af843f5c80

SHA256
b07f87d60f2d69bc93c7237e4fa7bc25aaf8259faddc6db30dde5e866e34a1ab

SHA512
20456fd636ae31da14b6c0c6ebc10b1af65bdc196f8f4eecf28b6fc8b1503f53cf260967109012d1061a63de1765ad99ae47f3b88c99cb954d542b53cc89ed38

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
93KB

MD5
abbbad103f723fa554e7db5708e59e0c

SHA1
3a836a8c52b0c2775bc5ee5fb77c686d4b8b5d17

SHA256
81a8d67b0f999c58913b619758572c4828882702ad8f8a2015bb386380c1de37

SHA512
71f2f94f1d02fd90e4aac7d82f27e106e91f1902d71a4c5c6ebc667f07a0cf22460d84e7220e483b4fb59aa4e398198dfd474d99b8a10dfec77d2dbbb76ffde3

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
93KB

MD5
d301302c2079b80235e8db4db553873d

SHA1
17ffcea8da5d92282f7816625bbe647d621c4096

SHA256
fa0ba861b8b9761d4f009521cb1ecda8ccc80871cdb1224a6957d710b78d33a6

SHA512
5bfbace4c1f50bff0248c7c57d1c0ae09248a6b9c406807d83f002c7d2130a97ee30fb8fc8ed0735bb4de6c68e157b8496f0cbbb33e05f98d0b911d868584d78

Download Submit
memory/60-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/64-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/232-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/392-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/392-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/444-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/704-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/704-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/772-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/960-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1080-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1252-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1252-614-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1400-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-543-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-523-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2692-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-529-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3076-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3224-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3224-621-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-512-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3392-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3480-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3560-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3744-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4136-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4176-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-517-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download