berbew | 5cc8f3bb4bcbd79cd9763878648df273d1957228a72bda725653b3db3346a8a4

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cc8f3bb4bcbd79cd9763878648df273d1957228a72bda725653b3db3346a8a4.exe
Size

96KB
MD5

af4f6bd986af33d834cf5ff72a59cb40
SHA1

91aa2bbd828afa1cc4e0f973273dd4a3bdae1f55
SHA256

5cc8f3bb4bcbd79cd9763878648df273d1957228a72bda725653b3db3346a8a4
SHA512

e16f95cf7977e6795925f7f532cdeebaa1ea40f2082547f9f3f0eeec4168b6811a0c7d4776de46b3d5151e919c64d499e83853a7700a3f246a0340b3259ed940
SSDEEP

1536:4Yl1iCqEqEsjeotjhctOXwSIE0w8HQdjZ9v2La7RZObZUUWaegPYA1:7lXqEsj/tjoOXwSILXwRQaClUUWaey

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Dkifae32.exeDkkcge32.exeAgglboim.exeBebblb32.exeBfkedibe.exeChjaol32.exeDopigd32.exeChokikeb.exeCegdnopg.exeDjgjlelk.exeCffdpghg.exeDhmgki32.exeDknpmdfc.exeAqncedbp.exeBnmcjg32.exeCjkjpgfi.exeCnicfe32.exeDeagdn32.exeAnfmjhmd.exeCjinkg32.exeChagok32.exeBfhhoi32.exeAmpkof32.exeQgqeappe.exeAcjclpcf.exeAqppkd32.exeDaconoae.exeCmgjgcgo.exeCeqnmpfo.exeDmefhako.exe5cc8f3bb4bcbd79cd9763878648df273d1957228a72bda725653b3db3346a8a4.exeQffbbldm.exeAeniabfd.exeBjmnoi32.exeBffkij32.exeCeckcp32.exeDhhnpjmh.exeCnkplejl.exeDmjocp32.exeQcgffqei.exeAndqdh32.exeAfoeiklb.exeAgoabn32.exeDhocqigp.exeQmmnjfnl.exeAepefb32.exeBmkjkd32.exeBfdodjhm.exeBmemac32.exeCmiflbel.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5cc8f3bb4bcbd79cd9763878648df273d1957228a72bda725653b3db3346a8a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5cc8f3bb4bcbd79cd9763878648df273d1957228a72bda725653b3db3346a8a4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

Processes:

Qgqeappe.exeQmmnjfnl.exeQcgffqei.exeQffbbldm.exeAmpkof32.exeAcjclpcf.exeAjckij32.exeAqncedbp.exeAgglboim.exeAnadoi32.exeAqppkd32.exeAcnlgp32.exeAfmhck32.exeAndqdh32.exeAeniabfd.exeAfoeiklb.exeAnfmjhmd.exeAepefb32.exeAgoabn32.exeBjmnoi32.exeBmkjkd32.exeBebblb32.exeBfdodjhm.exeBjokdipf.exeBeeoaapl.exeBffkij32.exeBnmcjg32.exeBfhhoi32.exeBnpppgdj.exeBanllbdn.exeBfkedibe.exeBmemac32.exeBapiabak.exeChjaol32.exeCjinkg32.exeCmgjgcgo.exeCenahpha.exeChmndlge.exeCjkjpgfi.exeCmiflbel.exeCeqnmpfo.exeChokikeb.exeCfbkeh32.exeCnicfe32.exeCeckcp32.exeChagok32.exeCfdhkhjj.exeCnkplejl.exeCajlhqjp.exeCdhhdlid.exeCffdpghg.exeCegdnopg.exeDfiafg32.exeDopigd32.exeDejacond.exeDhhnpjmh.exeDjgjlelk.exeDmefhako.exeDhkjej32.exeDkifae32.exeDmgbnq32.exeDaconoae.exeDhmgki32.exeDkkcge32.exe

pid	Process
3188	Qgqeappe.exe
4056	Qmmnjfnl.exe
4244	Qcgffqei.exe
4020	Qffbbldm.exe
2560	Ampkof32.exe
4708	Acjclpcf.exe
1688	Ajckij32.exe
1064	Aqncedbp.exe
3056	Agglboim.exe
3728	Anadoi32.exe
692	Aqppkd32.exe
4872	Acnlgp32.exe
3568	Afmhck32.exe
552	Andqdh32.exe
2228	Aeniabfd.exe
2664	Afoeiklb.exe
828	Anfmjhmd.exe
392	Aepefb32.exe
2488	Agoabn32.exe
4292	Bjmnoi32.exe
3588	Bmkjkd32.exe
3708	Bebblb32.exe
3732	Bfdodjhm.exe
2116	Bjokdipf.exe
3864	Beeoaapl.exe
3200	Bffkij32.exe
4864	Bnmcjg32.exe
4624	Bfhhoi32.exe
2724	Bnpppgdj.exe
1260	Banllbdn.exe
5068	Bfkedibe.exe
624	Bmemac32.exe
1368	Bapiabak.exe
4180	Chjaol32.exe
2728	Cjinkg32.exe
4100	Cmgjgcgo.exe
2396	Cenahpha.exe
5052	Chmndlge.exe
4140	Cjkjpgfi.exe
4988	Cmiflbel.exe
4168	Ceqnmpfo.exe
2132	Chokikeb.exe
4844	Cfbkeh32.exe
2492	Cnicfe32.exe
3580	Ceckcp32.exe
1232	Chagok32.exe
1720	Cfdhkhjj.exe
2712	Cnkplejl.exe
3312	Cajlhqjp.exe
3308	Cdhhdlid.exe
4600	Cffdpghg.exe
4496	Cegdnopg.exe
4052	Dfiafg32.exe
2388	Dopigd32.exe
2436	Dejacond.exe
3116	Dhhnpjmh.exe
1152	Djgjlelk.exe
1472	Dmefhako.exe
1248	Dhkjej32.exe
4300	Dkifae32.exe
4908	Dmgbnq32.exe
824	Daconoae.exe
640	Dhmgki32.exe
4152	Dkkcge32.exe

Drops file in System32 directory 64 IoCs

Processes:

Chagok32.exeDfiafg32.exeDeagdn32.exeCdhhdlid.exeDmefhako.exeQcgffqei.exeAqncedbp.exeAgoabn32.exeCnicfe32.exeAmpkof32.exeBeeoaapl.exeBmemac32.exeDaconoae.exeDhmgki32.exeDknpmdfc.exeAqppkd32.exeAepefb32.exeBapiabak.exeCmgjgcgo.exeDhhnpjmh.exeQgqeappe.exeBnpppgdj.exeCenahpha.exeChokikeb.exeCnkplejl.exeDmjocp32.exeAcnlgp32.exeAeniabfd.exeBfkedibe.exeBmkjkd32.exeBnmcjg32.exeDhocqigp.exeBanllbdn.exeChjaol32.exeCjkjpgfi.exeBjokdipf.exeCfdhkhjj.exeCajlhqjp.exeDkifae32.exeCeckcp32.exeDjgjlelk.exeDmgbnq32.exeBebblb32.exeCmiflbel.exeCegdnopg.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qgqeappe.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bnmcjg32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2060	856	WerFault.exe	155

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Bmkjkd32.exeCjkjpgfi.exeChokikeb.exeChjaol32.exeCeqnmpfo.exeCnnlaehj.exeDopigd32.exeDhocqigp.exeQmmnjfnl.exeAqncedbp.exeBnmcjg32.exeCmiflbel.exeCeckcp32.exeQgqeappe.exeAgoabn32.exeBapiabak.exeCmgjgcgo.exeBmemac32.exeCnicfe32.exeCnkplejl.exeDjgjlelk.exeAjckij32.exeCenahpha.exeDhhnpjmh.exeDkifae32.exeDmllipeg.exeAnadoi32.exeBffkij32.exeCfbkeh32.exeDaconoae.exeBfdodjhm.exeBnpppgdj.exeCfdhkhjj.exeDmgbnq32.exeBjokdipf.exeBfhhoi32.exeBfkedibe.exeDfiafg32.exeAcjclpcf.exeBeeoaapl.exeDhmgki32.exeDeagdn32.exeCajlhqjp.exeCegdnopg.exe5cc8f3bb4bcbd79cd9763878648df273d1957228a72bda725653b3db3346a8a4.exeQcgffqei.exeAmpkof32.exeBebblb32.exeChmndlge.exeAeniabfd.exeAepefb32.exeCdhhdlid.exeDhkjej32.exeDkkcge32.exeAfoeiklb.exeCffdpghg.exeDknpmdfc.exeCjinkg32.exeDmefhako.exeDmjocp32.exeQffbbldm.exeAqppkd32.exeAcnlgp32.exeAndqdh32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5cc8f3bb4bcbd79cd9763878648df273d1957228a72bda725653b3db3346a8a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe

Modifies registry class 64 IoCs

Processes:

Anfmjhmd.exeAgoabn32.exeBmkjkd32.exeQmmnjfnl.exeAmpkof32.exeBjmnoi32.exeChokikeb.exeCnicfe32.exeAqncedbp.exeBebblb32.exeAqppkd32.exeAfmhck32.exeBjokdipf.exeBmemac32.exeChjaol32.exeDmgbnq32.exeAnadoi32.exeCmiflbel.exeDmefhako.exeBnpppgdj.exeDkifae32.exeAepefb32.exeBfhhoi32.exeDhkjej32.exe5cc8f3bb4bcbd79cd9763878648df273d1957228a72bda725653b3db3346a8a4.exeDhmgki32.exeQgqeappe.exeChmndlge.exeCeckcp32.exeDfiafg32.exeDkkcge32.exeDmjocp32.exeAgglboim.exeChagok32.exeCajlhqjp.exeQffbbldm.exeBfkedibe.exeCjinkg32.exeCffdpghg.exeCegdnopg.exeDejacond.exeAcjclpcf.exeDjgjlelk.exeQcgffqei.exeAfoeiklb.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	5cc8f3bb4bcbd79cd9763878648df273d1957228a72bda725653b3db3346a8a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	5cc8f3bb4bcbd79cd9763878648df273d1957228a72bda725653b3db3346a8a4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	5cc8f3bb4bcbd79cd9763878648df273d1957228a72bda725653b3db3346a8a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	5cc8f3bb4bcbd79cd9763878648df273d1957228a72bda725653b3db3346a8a4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5cc8f3bb4bcbd79cd9763878648df273d1957228a72bda725653b3db3346a8a4.exeQgqeappe.exeQmmnjfnl.exeQcgffqei.exeQffbbldm.exeAmpkof32.exeAcjclpcf.exeAjckij32.exeAqncedbp.exeAgglboim.exeAnadoi32.exeAqppkd32.exeAcnlgp32.exeAfmhck32.exeAndqdh32.exeAeniabfd.exeAfoeiklb.exeAnfmjhmd.exeAepefb32.exeAgoabn32.exeBjmnoi32.exeBmkjkd32.exe

description	pid	Process	procid_target
PID 4156 wrote to memory of 3188	4156	5cc8f3bb4bcbd79cd9763878648df273d1957228a72bda725653b3db3346a8a4.exe	83
PID 4156 wrote to memory of 3188	4156	5cc8f3bb4bcbd79cd9763878648df273d1957228a72bda725653b3db3346a8a4.exe	83
PID 4156 wrote to memory of 3188	4156	5cc8f3bb4bcbd79cd9763878648df273d1957228a72bda725653b3db3346a8a4.exe	83
PID 3188 wrote to memory of 4056	3188	Qgqeappe.exe	84
PID 3188 wrote to memory of 4056	3188	Qgqeappe.exe	84
PID 3188 wrote to memory of 4056	3188	Qgqeappe.exe	84
PID 4056 wrote to memory of 4244	4056	Qmmnjfnl.exe	85
PID 4056 wrote to memory of 4244	4056	Qmmnjfnl.exe	85
PID 4056 wrote to memory of 4244	4056	Qmmnjfnl.exe	85
PID 4244 wrote to memory of 4020	4244	Qcgffqei.exe	86
PID 4244 wrote to memory of 4020	4244	Qcgffqei.exe	86
PID 4244 wrote to memory of 4020	4244	Qcgffqei.exe	86
PID 4020 wrote to memory of 2560	4020	Qffbbldm.exe	88
PID 4020 wrote to memory of 2560	4020	Qffbbldm.exe	88
PID 4020 wrote to memory of 2560	4020	Qffbbldm.exe	88
PID 2560 wrote to memory of 4708	2560	Ampkof32.exe	89
PID 2560 wrote to memory of 4708	2560	Ampkof32.exe	89
PID 2560 wrote to memory of 4708	2560	Ampkof32.exe	89
PID 4708 wrote to memory of 1688	4708	Acjclpcf.exe	90
PID 4708 wrote to memory of 1688	4708	Acjclpcf.exe	90
PID 4708 wrote to memory of 1688	4708	Acjclpcf.exe	90
PID 1688 wrote to memory of 1064	1688	Ajckij32.exe	92
PID 1688 wrote to memory of 1064	1688	Ajckij32.exe	92
PID 1688 wrote to memory of 1064	1688	Ajckij32.exe	92
PID 1064 wrote to memory of 3056	1064	Aqncedbp.exe	93
PID 1064 wrote to memory of 3056	1064	Aqncedbp.exe	93
PID 1064 wrote to memory of 3056	1064	Aqncedbp.exe	93
PID 3056 wrote to memory of 3728	3056	Agglboim.exe	94
PID 3056 wrote to memory of 3728	3056	Agglboim.exe	94
PID 3056 wrote to memory of 3728	3056	Agglboim.exe	94
PID 3728 wrote to memory of 692	3728	Anadoi32.exe	95
PID 3728 wrote to memory of 692	3728	Anadoi32.exe	95
PID 3728 wrote to memory of 692	3728	Anadoi32.exe	95
PID 692 wrote to memory of 4872	692	Aqppkd32.exe	97
PID 692 wrote to memory of 4872	692	Aqppkd32.exe	97
PID 692 wrote to memory of 4872	692	Aqppkd32.exe	97
PID 4872 wrote to memory of 3568	4872	Acnlgp32.exe	98
PID 4872 wrote to memory of 3568	4872	Acnlgp32.exe	98
PID 4872 wrote to memory of 3568	4872	Acnlgp32.exe	98
PID 3568 wrote to memory of 552	3568	Afmhck32.exe	99
PID 3568 wrote to memory of 552	3568	Afmhck32.exe	99
PID 3568 wrote to memory of 552	3568	Afmhck32.exe	99
PID 552 wrote to memory of 2228	552	Andqdh32.exe	100
PID 552 wrote to memory of 2228	552	Andqdh32.exe	100
PID 552 wrote to memory of 2228	552	Andqdh32.exe	100
PID 2228 wrote to memory of 2664	2228	Aeniabfd.exe	101
PID 2228 wrote to memory of 2664	2228	Aeniabfd.exe	101
PID 2228 wrote to memory of 2664	2228	Aeniabfd.exe	101
PID 2664 wrote to memory of 828	2664	Afoeiklb.exe	102
PID 2664 wrote to memory of 828	2664	Afoeiklb.exe	102
PID 2664 wrote to memory of 828	2664	Afoeiklb.exe	102
PID 828 wrote to memory of 392	828	Anfmjhmd.exe	103
PID 828 wrote to memory of 392	828	Anfmjhmd.exe	103
PID 828 wrote to memory of 392	828	Anfmjhmd.exe	103
PID 392 wrote to memory of 2488	392	Aepefb32.exe	104
PID 392 wrote to memory of 2488	392	Aepefb32.exe	104
PID 392 wrote to memory of 2488	392	Aepefb32.exe	104
PID 2488 wrote to memory of 4292	2488	Agoabn32.exe	105
PID 2488 wrote to memory of 4292	2488	Agoabn32.exe	105
PID 2488 wrote to memory of 4292	2488	Agoabn32.exe	105
PID 4292 wrote to memory of 3588	4292	Bjmnoi32.exe	106
PID 4292 wrote to memory of 3588	4292	Bjmnoi32.exe	106
PID 4292 wrote to memory of 3588	4292	Bjmnoi32.exe	106
PID 3588 wrote to memory of 3708	3588	Bmkjkd32.exe	107

C:\Users\Admin\AppData\Local\Temp\5cc8f3bb4bcbd79cd9763878648df273d1957228a72bda725653b3db3346a8a4.exe
"C:\Users\Admin\AppData\Local\Temp\5cc8f3bb4bcbd79cd9763878648df273d1957228a72bda725653b3db3346a8a4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Windows\SysWOW64\Qgqeappe.exe
  C:\Windows\system32\Qgqeappe.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3188
- - C:\Windows\SysWOW64\Qmmnjfnl.exe
    C:\Windows\system32\Qmmnjfnl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Windows\SysWOW64\Qcgffqei.exe
      C:\Windows\system32\Qcgffqei.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4244
    - - C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4020
      - C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3864
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3200
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1260
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4180
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4140
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3308
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3116
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:824
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3196
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3716
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:320
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 396
        72⤵
        Program crash
        
        PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 856 -ip 856
1⤵
PID:4776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
96KB

MD5
d4f260c499ee7f8837f3e12f60f41490

SHA1
dd4313cf6bfcc7f670f628bb71f4589f451639cb

SHA256
55d8a4d5de7a4f7d09164f5b3e6b3d3c8c5c1a0c53835e62dbef52333e5b6636

SHA512
9438c9eb1bb7d57bd8cc3b6496937bf46c6e5f04d8403c04e38a36ba4f36bc827dd97dd849090379c4e0dc2c50c94e02c7cb448f891c9e40a0eabc162e4f732e

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
96KB

MD5
8ac385a1c03e92687f30c36ef3cbafc0

SHA1
5709604c7a7f36a0a88734e90a89599b156538b6

SHA256
a9752ef879ac0bac412856efe3eb16e2ed9185cd9ad635b154db519dcd1dedb4

SHA512
0315b99d8f2cee73d2f669bc009ddf2461189dea35becd979cd0c91290c6649656bc07d226ce1d2577388fe31d1491cde38144f0e1b8a01fad014ad26f70d7c2

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
96KB

MD5
3d28c2f008ab44c281b3f41a9ed0c257

SHA1
e6b4b30201b0d0480e4ea27227ebf89c1056d82b

SHA256
52376e3c1b0bd1079056b62b2e1705d9d68aa8ef5dfd702330971372e9531381

SHA512
b70b79fd2bda128dfa172ff629dadac25671a149b2197d699f2ac1deb360363ddfbf06fc51853e3f370842170f5f589dd7ac182a478b44566f7157f322bf4543

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
96KB

MD5
75e406b7eb23d638ae33ba05fd977b4d

SHA1
a0703c863321baf3bc91130a4a2573a7aa2963b5

SHA256
de841dde71c21f6730ed99a3e7e5eb2f2e67e1588b54decc087eb39fc3051c95

SHA512
e1b7bcceae436d78072810413b9e9a2b692eb9a631400e9267b97f9ba952b0cf1a55e70197c8312dca0b8dfd15cc1990b2c681180b352084b5cac3fd0f2fade8

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
96KB

MD5
722bf8b4ed2ff4d0d0db0de007625295

SHA1
ee91731e8d044c9d8e37388f3bff9a6778b635a4

SHA256
474f2cb9ce372843569e9cb2e7cf4dd153bc34e0e9d38c94591ef9a4012fa7b2

SHA512
fa48470c56bf1667a0b0310759ff6ca8498ecb1deafd020ed7d93e44ef16b8d4634db20d5b642e74763e82635b17a0afcb6bfbd8c2ef3ba04af088146a5d814b

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
96KB

MD5
9606233434113bb1b333ad09f15d1fc0

SHA1
0b98f5462f3b4ca9260707e275a55d4b7d21cabf

SHA256
acf53464e254fb1e110b5d12e9cca1decf444d53ff10d7b72d4fe2e78c7c641b

SHA512
cbdef30acb5c7e5ccec5b4992d2242bf03f4b420f15db7eb24d9daccf9ebddbacfbb3d6827dad2a3b6e965daee16eae2431fa9bdbd97efa92b6113f2672655f6

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
96KB

MD5
ab749556eefa27b542f59efad6e46ecf

SHA1
b4afdd735cb466e88306b36e941d11c1e6d1a148

SHA256
d81b0332862623451e11a02712da24eb5878ba1b32fcb5c5c69e32199206c25d

SHA512
5519d2b366a8529f658d497d2c0aa53fb5a9c1fa6f4e19dabdd29d319224e4780d92ee9bcd8e55e6b8c2ca3249a8fa54f0ff4fbb5e1a5aac51bc7c9ea3d3ff13

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
96KB

MD5
459a6afb96194a99bd1cc89f2674c58c

SHA1
86c94d89b4243e263ba638d5250b7cd62816fe4f

SHA256
31f030c68ca98a96dcb19b07667b4db310b7288812c65c39f342e4918da478ac

SHA512
50991679cd5e79acdf5267afe328e91c14b2ef46a8687e90d9312501b6ecfc9344f3334cf0fff98c6934437e117f6223e22e9ed06d1f3519d46efd4884f0351c

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
96KB

MD5
33c7c93302f0359ade9ccb09dccc6002

SHA1
4be680570b41496b48714a137226d31c501447ca

SHA256
a761ce345f8eb5ddb2ed4cb6db5019e4bc90ea7c6f1e8cf2188bade1fd12fc01

SHA512
0cabd3769c3fa28e7b9b7875acdd7e32e8fb749db2a644d578a2abf0f6736c042fae61adf880706153bce09ed527bedc6fa128d7ab6690018b24afa62ebe87cd

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
96KB

MD5
93344a8f4ec9037d232389cd3d0eff51

SHA1
4a872ec60e87e8df3073c27462e398e96cb14a37

SHA256
23e9462f08f51a0a367302e25ae62a6a72be0b0ca6c25fbce19b24f3ff38c20c

SHA512
805d338c7abbf912a2e4cc65f4ba6cdeee9f704699cdaf46a5603e1dd0161e77c4cd1bb694280334cad16292d76e123d073dbcf67fdd042e1161775321763fc0

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
96KB

MD5
5bff4a22623613bdbf269255cce00dff

SHA1
91b6300806d4e6e3c6087ff706b1555aad4bb3d5

SHA256
2aeb58af1e06443d361507fe9b3d6aab89f97f1d3ef0ae966881a03d1c39b9cd

SHA512
0e48d93c797f059949cf0e3767118a52939e4bcd3a215f37537a05a223e7a727aaf1a271b45a1f0cda3a361c670e56940b56360917ab89ec99e3f834e4a11afb

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
96KB

MD5
73940195ff88f96e14c9d12f0108a4a6

SHA1
46925cb709ed5d203ba16b17cfe0ce771052617a

SHA256
1f83c67515d9894f8612da48f36a2699335a8e8a8cab2f4e74065aeca7e677cc

SHA512
f0b2dbfc15a2bb6e0425a6388fff9afad7ec5c976c045be19c8169953a6b2651770f2657cef7c72e03d48de68e2d072935f67b99729e8b86fe15f3edf57ba230

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
96KB

MD5
26ad7116243b6e30da0a39c3cecf0a14

SHA1
5f776e88b59fe466b9143ff3aa49a97784d002c2

SHA256
3af8758d1f3a9ee2464bf699ed8b9519459fb85454e2dd1ad1ddcc06a54df832

SHA512
b010b25d042ee77fca4f81ce73908b008f17ce18d960c47aab34f87224df6225e1a800f566a64ffe3af72ff9482ecaee1c26587ba5f45feb1e4195fd37b78884

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
96KB

MD5
cac95a2d2d04779bd98b510114d4ddfd

SHA1
f25ee125eb88af2053d842660d7345eb3eb2b995

SHA256
32efd0fd87b4454f64c061bc0b1eb2862aaa3fcd880fce234e86442e2c305f76

SHA512
9445e09e6e0f9627bcade49c66bef7530f9ef23a26a1362c8281ef9d1e92d8ad56d5c5ce69195ceb1f1a6221b8a79dc91430d7e637eafe8a8056756e7cfd9aca

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
96KB

MD5
9ce6d91a94d86713da06c69d6992a63e

SHA1
22c95e5af62d69593bba6d9d0c21755f5e1ae5be

SHA256
bfe238f352b10abccc64b9f48abcafa679e187376c7f52f9cc76bde5e3bec671

SHA512
d1cb99c340ac2d90b8167d0e684531f42728c203d990119d2bb50fa474e5165c5b34cf5efb88ccc584a9121b50cc2f5511469bee3185b20a3ee7d7dff20b587a

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
96KB

MD5
836e64a7b8e21da2b5d4c1f3e37a00ff

SHA1
8f06c6584004af97dfcc8e0f0fd75adcb726acf9

SHA256
8af9cf4d7a8586f952c3c40597a291c008a5b05fe3d84a0dcdaa1c7eaa4d27b7

SHA512
c46d8818413bcd534a2a763e7c302b908b5c3ce97b01be6223f7193019dc6a7450057cedaf408821b10f735431b82ea3c2a3bdd9f790c97115d42be333ce327f

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
96KB

MD5
11b1fb2f14d49f0e0c279a9be105a719

SHA1
e4c107c5d7d1624844fa0c141a6e99dbd41b681b

SHA256
b4f531ee5bc23b6def87cbee15ab990a54508cf65cef0ae579bbe8a202002b0f

SHA512
5501ccb5298ff6042e32d877f9de4d25ae38ef3605ff02e0e80f82e1ace6080859118395a2277cd13128e5db8d65c550af1ab740039854e894d23b11f114af4a

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
96KB

MD5
547d7c0efcc70a36657846fedd718061

SHA1
b09bb0f2a05ef6931333175c2310e5826459cd36

SHA256
d218899259edc586cb1ae9a03d394435adb9b612660559587b23bc37a15586bc

SHA512
8c417ff6ae5bb230f534aae37d19810778a84e14c207f44c53d9441a3730852515cf90258feaecf029658f4a252187f6e13ac2232ad03a55f378f93ca8c5d962

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
96KB

MD5
8e3da31ba9dd8bccc5ebc319c54aa52e

SHA1
fb4b6bb9a124bf9e34a31b0174d4139045c6a7f8

SHA256
517cd940cf605a9265dcd24dc190bce5e96b289db891bab33a049666f729f99f

SHA512
ed27a1025fe9961a3eb96547b269f94cc4115e12409c8f4bcf545badeae0e55edeb5ad7820ab0c3fcd8278ee5d9f53bb6a8652ebe920a850280bbc257c8e9f78

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
96KB

MD5
0e2001117287f00986632adf4ffa3efe

SHA1
903b10a2973c2122cfa7cfdb55c72eb0fbb26a3e

SHA256
be51ef2ea8af14a992e91cd80f454bc9312b4af1fe8425e29481afb6f4e5a800

SHA512
30eb21060d7d4c90b3a2b733f88e6f31907d3d705aafacd683031f7f1d93ff6f77e557d334eddc25d293483a66bfe21b20e8b609e8052fb3bc8f34847f9ae1e7

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
96KB

MD5
27b1335f695861f05797c1285d9481ed

SHA1
c4d0da9b98c3c0cbd60688d887a7b0cc17f5bead

SHA256
9e427b2bdcaca45088ccd0ea8af9e58d9ee450cae24a32de05077f7657c80c1c

SHA512
078fee9d7771c13f6bc85d92a038e7bef9727d6e4e211111792aa08c37e3970039bece2264f2aff6cadfde329b52cfb12a33a88d4804bafbc745009e9e815dbb

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
96KB

MD5
5ba7ad6f3a4e878749a0f70639de8dcc

SHA1
fc9e3ba88e0e7b9079ea27d99b9a82302b993b64

SHA256
da6bfac2193f986894e04126152fb78c03573970e021cf8a7a114fb5cbf9eea0

SHA512
9897506a252b80d1826c3957e30f211d31a92149e41c31bf02b524b058b2c758377d097cb48f5e9da8f6d6fdeb5b50c91c5ea655590d39dab1cdd2c006399d7a

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
96KB

MD5
75acf40df738d8e582f24e899fabbf9b

SHA1
46df26e9b15762dad4a4a836bb81b24fa9fa7531

SHA256
7caaeb45a11600da1c8a75877c98c8b042945ac3de9d84625a4a5e8625baceb2

SHA512
67d41b02d3d9850e68e8145d817e0cf765ccb20b49e32639f670972d9bb3d96a164aefee91af4eb20b75e4136c0c9496e58b98bcb7511e5623b464868fe773b0

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
96KB

MD5
eda7030ad673051a18abbe6a8ba0d612

SHA1
6663661d1429dc3c5006894294e1ba804c260c9b

SHA256
9c5df1e02e5aedeb8a2b889b6da0be7bc14233f1e510b8ec76e05a15f546a74c

SHA512
9894405e44ad15723228bbcbdf30161e847117d7b7ee499f395fe13c226d0a79cdffa2e622a4307fb9b1284907abd64f824d4028685e86011ec541639b2a6745

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
96KB

MD5
171f0417dd63529eb1d9aaf47ee9718e

SHA1
f98ab22a56b6c8123443b4ed0c99003992b0ca90

SHA256
3d2567984434a1230c756c647db240ed907c9b655444f09673321a9f11da0021

SHA512
93a124613c55639b9258d391fa44078fe02ca32a4b5e92fed12a27a5e926c59de5a17e2177637a1c3cadce46d7830fb2a0495ff5022562202fbda9a0946abe02

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
96KB

MD5
d0c9d1191035b18a2b097dab5335680e

SHA1
f154b93c48ae9e3b77446fea8bf61ded53a9baf7

SHA256
0269c8b227e4ddb1322bc314a929626a0a9232745accdde9213de96d60e57a7b

SHA512
0252ea5ec134c90f80c04cc2006b1b2fdf36282252688a11c72d7ad1488c9536648e82cbb3fc4f04bd2fe2fc3712ad29c53467bbd8da257a92068235207f3acb

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
96KB

MD5
8b36d20c9a8b70be9d022b988272b151

SHA1
48b764803909d8481bcc2ff6cfb9fe8d8b2371c9

SHA256
09e066408c1097d20309694695c5ebb3750070024bc532b625796a16954cf81d

SHA512
86a53cfdad25f962aebf89fa8f998f1f2333311e6fb6891a5406ff9ef036a1660c942524275d86e31493e0f2a975a282a496c5183e44420f54a10f46a48dd342

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
96KB

MD5
af8ea88e214815bee5c7440084c7c5aa

SHA1
51f5931b31b5864c851cf2712523855ebe04f46d

SHA256
2dc44831316622b270847506371ba6e88be244f0e63fc39b5c4699318b068cb4

SHA512
797f9422fb5b136de81070c7b36504e581ebabc7a28784df1e7374b191630ae9e8db899d336a3895acb625a050fa5b9ec052801a9b0e7b4734da1015d0fa9e68

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
96KB

MD5
531581effb92244ca982812032461ed5

SHA1
64717c566c443ca8e52534605241ffb789866afc

SHA256
d37317e39b619197bab1181e4bd28f7fd0423bf1bf504d76aa3e16f17dbcde27

SHA512
fe8ca0a31685e1525fa43a800af43e771cbc1852f15974b4be9292bc65cc152e975debb3c14b8cd8d41df866d17b7b274060a4c4f07f77efd9bd6807cf335330

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
96KB

MD5
8c2aa0f0a68949c10501d14ef628f9a5

SHA1
a62641e220bf75285c2c7178179135256021f771

SHA256
3eccaf2f64815caa850f7a25ece88894dc241c91e278556f09229ae46cece785

SHA512
309240f94276af402d8c5a9ba6012af67eb4f54b46d99e8d51912630e06096adfd8d026c47954e2eb37993aded3a4ff77be2ca56941d8521f7709863aec15cfb

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
96KB

MD5
27ced998f181d3c4daa187fb76d0a809

SHA1
33a4e197ca602abbb62c84049d44235f920e854f

SHA256
92113d3ca4906473b4da57501fd473f1bd3886dec8a0e11cafbe99dbb4628481

SHA512
9a03de9b1ab196b017abfd9e35400b81ff6fe7804f04464c4809d615c8611aeb7309c6b703d152ed4b8f434a62e7c04acd9013daffd9f12496b633e9f37ed189

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
96KB

MD5
032f90742535ac18ab9be12eefaa5478

SHA1
e04b298a25397b3315ab0fb9cff07b2158040c39

SHA256
da4caf4e72fc9b133ff5c0b796b383e8d426d293875ddaf075a492f1df13402c

SHA512
7d5387ca3c0416c46b17d42d7b21054c0547398ef4a0a8cd222b8672bc011ea666803fc96914940e8e202405f0cdf0806f7228261e08ba08cf0dad85deb85a42

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
96KB

MD5
3c474f257081b3c5f334c298eb142005

SHA1
da32ece8b21976401cd08c58f4f7c5eb3f9bf8fd

SHA256
c63fdcaf3abaa33a8ef3b52fc0191a3daf81c214496a1fb549603cea365c4d86

SHA512
a5f2f4437fdfa90a0a2d3c98c03e57129c47c9c5c12f3c278e20197625d3d3bdd0c17b298d97a5137c8ad072151364851cf69816c53c96a2e175894f3a102e2e

Download Submit
memory/320-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/320-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/392-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/552-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-494-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/692-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/824-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/824-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/828-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-482-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1248-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1248-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1260-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-524-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3188-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-488-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3200-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-530-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3708-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3732-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3864-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4020-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4052-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4052-512-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4140-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4152-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4152-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4156-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4156-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4180-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4300-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-518-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4624-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download