berbew | 764eb067b5bb1fc41cadb86bc3c536e6b3b5af21dcfaffed1ad3a7f399dd5786

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

764eb067b5bb1fc41cadb86bc3c536e6b3b5af21dcfaffed1ad3a7f399dd5786.exe
Size

93KB
MD5

b5f8506b5c7b50bcdcfd62e2d2a08e5b
SHA1

697439fc7da71e6e7b627ca809c68140e129d735
SHA256

764eb067b5bb1fc41cadb86bc3c536e6b3b5af21dcfaffed1ad3a7f399dd5786
SHA512

484cb82e411f67cce705fc751c356a3df718309cb4f27b542dc54e834e3e58df5f3e52d0c6748ff90db4d31176dcaa6ff2ce8198ccdbac89762e530ff6bca3e6
SSDEEP

1536:4WmwzEBGOrV3AR3OX9w+saH9BuOlz1DaYfMZRWuLsV+1z:4WmKfOZwR3ONw+saHKONgYfc0DV+1z

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Agglboim.exeAadifclh.exeBjfaeh32.exeBelebq32.exeCdhhdlid.exeDeagdn32.exeQddfkd32.exeAndqdh32.exeBjagjhnc.exeBaicac32.exeBanllbdn.exePjjhbl32.exeAcnlgp32.exeAcqimo32.exeCffdpghg.exeCmqmma32.exePqdqof32.exeQmkadgpo.exeQgcbgo32.exeAmgapeea.exeBfdodjhm.exeBalpgb32.exeBhhdil32.exeBnbmefbg.exeCnffqf32.exeDkifae32.exeQnjnnj32.exeCfmajipb.exeCmnpgb32.exePcbmka32.exeAnmjcieo.exeBnpppgdj.exeChmndlge.exeCfbkeh32.exeDfnjafap.exePnfdcjkg.exeAgeolo32.exeAfmhck32.exeChagok32.exeDoilmc32.exeAdgbpc32.exeBfabnjjp.exeCaebma32.exePcppfaka.exeAclpap32.exeBnkgeg32.exeCnicfe32.exeDmcibama.exePjmehkqk.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

Processes:

Pcppfaka.exePjjhbl32.exePnfdcjkg.exePqdqof32.exePcbmka32.exePjmehkqk.exeQmkadgpo.exeQceiaa32.exeQnjnnj32.exeQqijje32.exeQddfkd32.exeQgcbgo32.exeAnmjcieo.exeAdgbpc32.exeAgeolo32.exeAjckij32.exeAmbgef32.exeAclpap32.exeAgglboim.exeAmddjegd.exeAeklkchg.exeAcnlgp32.exeAfmhck32.exeAndqdh32.exeAmgapeea.exeAcqimo32.exeAjkaii32.exeAadifclh.exeAccfbokl.exeAgoabn32.exeBfabnjjp.exeBmkjkd32.exeBganhm32.exeBfdodjhm.exeBnkgeg32.exeBaicac32.exeBchomn32.exeBjagjhnc.exeBnmcjg32.exeBalpgb32.exeBgehcmmm.exeBnpppgdj.exeBanllbdn.exeBhhdil32.exeBjfaeh32.exeBnbmefbg.exeBelebq32.exeCfmajipb.exeCjinkg32.exeCabfga32.exeChmndlge.exeCnffqf32.exeCaebma32.exeChokikeb.exeCfbkeh32.exeCnicfe32.exeChagok32.exeCnkplejl.exeCmnpgb32.exeCdhhdlid.exeCffdpghg.exeCmqmma32.exeDmcibama.exeDejacond.exe

pid	process
2352	Pcppfaka.exe
1116	Pjjhbl32.exe
740	Pnfdcjkg.exe
4300	Pqdqof32.exe
5056	Pcbmka32.exe
2688	Pjmehkqk.exe
3444	Qmkadgpo.exe
4224	Qceiaa32.exe
2260	Qnjnnj32.exe
1600	Qqijje32.exe
1076	Qddfkd32.exe
2852	Qgcbgo32.exe
1972	Anmjcieo.exe
3992	Adgbpc32.exe
5024	Ageolo32.exe
404	Ajckij32.exe
3220	Ambgef32.exe
3252	Aclpap32.exe
1728	Agglboim.exe
4948	Amddjegd.exe
3480	Aeklkchg.exe
4720	Acnlgp32.exe
1540	Afmhck32.exe
1740	Andqdh32.exe
2868	Amgapeea.exe
2172	Acqimo32.exe
2640	Ajkaii32.exe
2364	Aadifclh.exe
4528	Accfbokl.exe
4372	Agoabn32.exe
2344	Bfabnjjp.exe
2948	Bmkjkd32.exe
4980	Bganhm32.exe
4256	Bfdodjhm.exe
808	Bnkgeg32.exe
3380	Baicac32.exe
1068	Bchomn32.exe
1844	Bjagjhnc.exe
2320	Bnmcjg32.exe
2960	Balpgb32.exe
4480	Bgehcmmm.exe
1456	Bnpppgdj.exe
3076	Banllbdn.exe
4944	Bhhdil32.exe
4872	Bjfaeh32.exe
1512	Bnbmefbg.exe
2784	Belebq32.exe
3340	Cfmajipb.exe
3044	Cjinkg32.exe
208	Cabfga32.exe
548	Chmndlge.exe
3056	Cnffqf32.exe
4744	Caebma32.exe
2708	Chokikeb.exe
1468	Cfbkeh32.exe
2060	Cnicfe32.exe
1260	Chagok32.exe
1232	Cnkplejl.exe
4928	Cmnpgb32.exe
3584	Cdhhdlid.exe
3548	Cffdpghg.exe
4292	Cmqmma32.exe
4932	Dmcibama.exe
1940	Dejacond.exe

Drops file in System32 directory 64 IoCs

Processes:

Cjinkg32.exeAcqimo32.exeAjkaii32.exePnfdcjkg.exeChagok32.exeAnmjcieo.exeCnffqf32.exeDeagdn32.exeCfbkeh32.exeDfnjafap.exeBganhm32.exeQqijje32.exeDoilmc32.exeAclpap32.exeCdhhdlid.exeBalpgb32.exeCabfga32.exeDhmgki32.exeAmgapeea.exeBmkjkd32.exeBfdodjhm.exeDjgjlelk.exeAadifclh.exeQddfkd32.exeChokikeb.exeBjfaeh32.exePqdqof32.exeQmkadgpo.exeAmddjegd.exeBaicac32.exeQnjnnj32.exeAgglboim.exeCffdpghg.exeDejacond.exeDogogcpo.exeBgehcmmm.exeCnicfe32.exeAfmhck32.exePcppfaka.exeDkifae32.exeAccfbokl.exeAndqdh32.exeBnmcjg32.exeBjagjhnc.exeBelebq32.exePjjhbl32.exeAgeolo32.exeDaqbip32.exeBchomn32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bchomn32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4896 2496 WerFault.exe Dmllipeg.exe

pid	pid_target	process	target process
4896	2496	WerFault.exe	Dmllipeg.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Chmndlge.exeDhocqigp.exeAmbgef32.exeAjkaii32.exeAmddjegd.exeCjinkg32.exePcbmka32.exeQmkadgpo.exeBfabnjjp.exeBalpgb32.exeCnffqf32.exeDogogcpo.exePnfdcjkg.exeAdgbpc32.exeDmcibama.exeAcqimo32.exeBfdodjhm.exeBjagjhnc.exeBnpppgdj.exeChokikeb.exeDejacond.exeDdakjkqi.exeQnjnnj32.exeAcnlgp32.exeBnmcjg32.exeDkifae32.exeAadifclh.exeBaicac32.exeAmgapeea.exeBganhm32.exeBnkgeg32.exeCnkplejl.exeQgcbgo32.exeAgglboim.exeBjfaeh32.exeBnbmefbg.exeCfbkeh32.exeDmllipeg.exeBgehcmmm.exeBhhdil32.exeDfnjafap.exeCnicfe32.exeCmnpgb32.exeBmkjkd32.exeBelebq32.exeChagok32.exeDaqbip32.exeDhmgki32.exePjmehkqk.exeAeklkchg.exeAndqdh32.exeBanllbdn.exeCdhhdlid.exePqdqof32.exeAnmjcieo.exeAgeolo32.exeCffdpghg.exeCmqmma32.exeDeagdn32.exeQqijje32.exeAjckij32.exeAclpap32.exeAccfbokl.exeCfmajipb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe

Modifies registry class 64 IoCs

Processes:

Bnkgeg32.exeBjagjhnc.exeBnbmefbg.exeCmqmma32.exeAdgbpc32.exeAcnlgp32.exeAgoabn32.exeCffdpghg.exeDjgjlelk.exePjjhbl32.exePjmehkqk.exeBmkjkd32.exeAnmjcieo.exeAgglboim.exeAjkaii32.exeBhhdil32.exeBelebq32.exeAgeolo32.exeAclpap32.exeAmbgef32.exeDoilmc32.exeQqijje32.exeCnkplejl.exeDdakjkqi.exeBnmcjg32.exeBnpppgdj.exeCfmajipb.exeChagok32.exeBjfaeh32.exeDfnjafap.exeQmkadgpo.exeAccfbokl.exeCfbkeh32.exeCdhhdlid.exe764eb067b5bb1fc41cadb86bc3c536e6b3b5af21dcfaffed1ad3a7f399dd5786.exePqdqof32.exeCaebma32.exeDmcibama.exeCnicfe32.exeAadifclh.exeChokikeb.exeBfdodjhm.exeAndqdh32.exeBchomn32.exeDkifae32.exeDhmgki32.exePnfdcjkg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	764eb067b5bb1fc41cadb86bc3c536e6b3b5af21dcfaffed1ad3a7f399dd5786.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	764eb067b5bb1fc41cadb86bc3c536e6b3b5af21dcfaffed1ad3a7f399dd5786.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Andqdh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

764eb067b5bb1fc41cadb86bc3c536e6b3b5af21dcfaffed1ad3a7f399dd5786.exePcppfaka.exePjjhbl32.exePnfdcjkg.exePqdqof32.exePcbmka32.exePjmehkqk.exeQmkadgpo.exeQceiaa32.exeQnjnnj32.exeQqijje32.exeQddfkd32.exeQgcbgo32.exeAnmjcieo.exeAdgbpc32.exeAgeolo32.exeAjckij32.exeAmbgef32.exeAclpap32.exeAgglboim.exeAmddjegd.exeAeklkchg.exe

description	pid	process	target process
PID 1772 wrote to memory of 2352	1772	764eb067b5bb1fc41cadb86bc3c536e6b3b5af21dcfaffed1ad3a7f399dd5786.exe	Pcppfaka.exe
PID 1772 wrote to memory of 2352	1772	764eb067b5bb1fc41cadb86bc3c536e6b3b5af21dcfaffed1ad3a7f399dd5786.exe	Pcppfaka.exe
PID 1772 wrote to memory of 2352	1772	764eb067b5bb1fc41cadb86bc3c536e6b3b5af21dcfaffed1ad3a7f399dd5786.exe	Pcppfaka.exe
PID 2352 wrote to memory of 1116	2352	Pcppfaka.exe	Pjjhbl32.exe
PID 2352 wrote to memory of 1116	2352	Pcppfaka.exe	Pjjhbl32.exe
PID 2352 wrote to memory of 1116	2352	Pcppfaka.exe	Pjjhbl32.exe
PID 1116 wrote to memory of 740	1116	Pjjhbl32.exe	Pnfdcjkg.exe
PID 1116 wrote to memory of 740	1116	Pjjhbl32.exe	Pnfdcjkg.exe
PID 1116 wrote to memory of 740	1116	Pjjhbl32.exe	Pnfdcjkg.exe
PID 740 wrote to memory of 4300	740	Pnfdcjkg.exe	Pqdqof32.exe
PID 740 wrote to memory of 4300	740	Pnfdcjkg.exe	Pqdqof32.exe
PID 740 wrote to memory of 4300	740	Pnfdcjkg.exe	Pqdqof32.exe
PID 4300 wrote to memory of 5056	4300	Pqdqof32.exe	Pcbmka32.exe
PID 4300 wrote to memory of 5056	4300	Pqdqof32.exe	Pcbmka32.exe
PID 4300 wrote to memory of 5056	4300	Pqdqof32.exe	Pcbmka32.exe
PID 5056 wrote to memory of 2688	5056	Pcbmka32.exe	Pjmehkqk.exe
PID 5056 wrote to memory of 2688	5056	Pcbmka32.exe	Pjmehkqk.exe
PID 5056 wrote to memory of 2688	5056	Pcbmka32.exe	Pjmehkqk.exe
PID 2688 wrote to memory of 3444	2688	Pjmehkqk.exe	Qmkadgpo.exe
PID 2688 wrote to memory of 3444	2688	Pjmehkqk.exe	Qmkadgpo.exe
PID 2688 wrote to memory of 3444	2688	Pjmehkqk.exe	Qmkadgpo.exe
PID 3444 wrote to memory of 4224	3444	Qmkadgpo.exe	Qceiaa32.exe
PID 3444 wrote to memory of 4224	3444	Qmkadgpo.exe	Qceiaa32.exe
PID 3444 wrote to memory of 4224	3444	Qmkadgpo.exe	Qceiaa32.exe
PID 4224 wrote to memory of 2260	4224	Qceiaa32.exe	Qnjnnj32.exe
PID 4224 wrote to memory of 2260	4224	Qceiaa32.exe	Qnjnnj32.exe
PID 4224 wrote to memory of 2260	4224	Qceiaa32.exe	Qnjnnj32.exe
PID 2260 wrote to memory of 1600	2260	Qnjnnj32.exe	Qqijje32.exe
PID 2260 wrote to memory of 1600	2260	Qnjnnj32.exe	Qqijje32.exe
PID 2260 wrote to memory of 1600	2260	Qnjnnj32.exe	Qqijje32.exe
PID 1600 wrote to memory of 1076	1600	Qqijje32.exe	Qddfkd32.exe
PID 1600 wrote to memory of 1076	1600	Qqijje32.exe	Qddfkd32.exe
PID 1600 wrote to memory of 1076	1600	Qqijje32.exe	Qddfkd32.exe
PID 1076 wrote to memory of 2852	1076	Qddfkd32.exe	Qgcbgo32.exe
PID 1076 wrote to memory of 2852	1076	Qddfkd32.exe	Qgcbgo32.exe
PID 1076 wrote to memory of 2852	1076	Qddfkd32.exe	Qgcbgo32.exe
PID 2852 wrote to memory of 1972	2852	Qgcbgo32.exe	Anmjcieo.exe
PID 2852 wrote to memory of 1972	2852	Qgcbgo32.exe	Anmjcieo.exe
PID 2852 wrote to memory of 1972	2852	Qgcbgo32.exe	Anmjcieo.exe
PID 1972 wrote to memory of 3992	1972	Anmjcieo.exe	Adgbpc32.exe
PID 1972 wrote to memory of 3992	1972	Anmjcieo.exe	Adgbpc32.exe
PID 1972 wrote to memory of 3992	1972	Anmjcieo.exe	Adgbpc32.exe
PID 3992 wrote to memory of 5024	3992	Adgbpc32.exe	Ageolo32.exe
PID 3992 wrote to memory of 5024	3992	Adgbpc32.exe	Ageolo32.exe
PID 3992 wrote to memory of 5024	3992	Adgbpc32.exe	Ageolo32.exe
PID 5024 wrote to memory of 404	5024	Ageolo32.exe	Ajckij32.exe
PID 5024 wrote to memory of 404	5024	Ageolo32.exe	Ajckij32.exe
PID 5024 wrote to memory of 404	5024	Ageolo32.exe	Ajckij32.exe
PID 404 wrote to memory of 3220	404	Ajckij32.exe	Ambgef32.exe
PID 404 wrote to memory of 3220	404	Ajckij32.exe	Ambgef32.exe
PID 404 wrote to memory of 3220	404	Ajckij32.exe	Ambgef32.exe
PID 3220 wrote to memory of 3252	3220	Ambgef32.exe	Aclpap32.exe
PID 3220 wrote to memory of 3252	3220	Ambgef32.exe	Aclpap32.exe
PID 3220 wrote to memory of 3252	3220	Ambgef32.exe	Aclpap32.exe
PID 3252 wrote to memory of 1728	3252	Aclpap32.exe	Agglboim.exe
PID 3252 wrote to memory of 1728	3252	Aclpap32.exe	Agglboim.exe
PID 3252 wrote to memory of 1728	3252	Aclpap32.exe	Agglboim.exe
PID 1728 wrote to memory of 4948	1728	Agglboim.exe	Amddjegd.exe
PID 1728 wrote to memory of 4948	1728	Agglboim.exe	Amddjegd.exe
PID 1728 wrote to memory of 4948	1728	Agglboim.exe	Amddjegd.exe
PID 4948 wrote to memory of 3480	4948	Amddjegd.exe	Aeklkchg.exe
PID 4948 wrote to memory of 3480	4948	Amddjegd.exe	Aeklkchg.exe
PID 4948 wrote to memory of 3480	4948	Amddjegd.exe	Aeklkchg.exe
PID 3480 wrote to memory of 4720	3480	Aeklkchg.exe	Acnlgp32.exe

C:\Users\Admin\AppData\Local\Temp\764eb067b5bb1fc41cadb86bc3c536e6b3b5af21dcfaffed1ad3a7f399dd5786.exe
"C:\Users\Admin\AppData\Local\Temp\764eb067b5bb1fc41cadb86bc3c536e6b3b5af21dcfaffed1ad3a7f399dd5786.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\SysWOW64\Pcppfaka.exe
  C:\Windows\system32\Pcppfaka.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\SysWOW64\Pjjhbl32.exe
    C:\Windows\system32\Pjjhbl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Windows\SysWOW64\Pnfdcjkg.exe
      C:\Windows\system32\Pnfdcjkg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:740
    - - C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4300
      - C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1540
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3380
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3076
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:208
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4928
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:212
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4984
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 396
        77⤵
        Program crash
        
        PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2496 -ip 2496
1⤵
PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
93KB

MD5
8379b4e8cde58c40dca5db118cb1d7af

SHA1
d2aaed8e254dc70ba966dd3fc908e951611d82b7

SHA256
29226c808e65edb995d9a122afba995d771f4e79253e1b35467528ffdae44fba

SHA512
93444f2d8f84ab3d49994ea973b1f80f6073685177d53ac13249a4b674f61ca6f7a479a48d3237af716052a71da66379deb57cc986893ede2404d801e8333a2d

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
93KB

MD5
6a7659cba734a97d7b6b2ce903df3a79

SHA1
16fbece2880fa44a7f8edcef40cc290d4c74931d

SHA256
93a193c24a2125cf87584e1a7e7bd7340da7d2676e555c1aa8683f7acf62627a

SHA512
66fff3dd7b68fac56d9cc0a3387b03a74c045b0ab3a27ffe676279e4551ae688bfe803c9e3efcd5dcd76b975124a33bd3c3b61a774fc7c2872396f66718469bd

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
93KB

MD5
1a121250376276e526e0dce71ed763b9

SHA1
ba3ab38696536abb586d2a399e54e4bb7a363a4a

SHA256
5ce0e79b6271b924c60cbe9f9bf7ef06c734649376e095a4fde01fcf4106db51

SHA512
e3c408d7c89d5556349edccd7e4f23a9607f3804559335350c04262fd7ba957b7b8a63e0b88403c97b21ee8d2be35555f6417d82871694deb31f20eeea777b56

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
93KB

MD5
d04a4c4738a9691dc2176c605a69d587

SHA1
5e29e18dba7760fa5c9bbc4ab3795344b43503de

SHA256
81c9104fe6252a10357fb15c3d3ca3f5d00f4c576a45cdb0e6a53228842f94ca

SHA512
3220a0b103acf71f9d655638d5eebd0d0f6d14f0e4aff434fa3020b76a7cf6405691c7071f4b9362cf0a8e6d8d09e78f641ad207a8ef43b829746ebc63ead156

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
93KB

MD5
8b07dba0a8da66a87ca1679342442cb8

SHA1
56d190d69884779a88ee4bfb045ee0e3dfaaadc9

SHA256
bab554a10220b98700ddeaac0bed8f876fe76b58684f1dd3575865d2986cd2a9

SHA512
73c672e51d9a24dd41111d43a4ee3272a5c936f074d1a492db38f74f05421fc55788ce164a852044b3279239b392f12cb25fa0c5cb99eb291e0a28bb0099c648

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
93KB

MD5
c333e53aff362ef96704355c62e0aa29

SHA1
8b49901f7988d9a1255d26fab73032947b6aa8d6

SHA256
fbc703eb65d47f83ec75561de720ee42b970635aaf2cdc5b91b55b7c82f20224

SHA512
4da8ad695648a9ac0a83bf3e21f306c12ff562824aad3a3fcae6f60aa98780d6555f97f9934919a8a95c5987f997a1901353fdc74a1009c20860fdedd46b6ec8

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
93KB

MD5
b2c62c0f4fd3bbc82cc9fcdbb8205539

SHA1
37b3990b17846b601d6fbd2673b462397ab2c822

SHA256
c000821d34db1accba9c334028ac3aeb4be55c52e71bc58e5361220ca6c33dfc

SHA512
cdc05527f3b42fe0ad58c2a124ded7a8f2f91e4365ffc3d8ab2d8d9bee16dd6db9e7e5baf1483ad4fcd47781ac32dcb806bf353fd4220107f284c2826fa36991

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
93KB

MD5
3d085d54699e9c79f11e392dd3f4f34e

SHA1
1eafd6180824c609724d3a1e1b7dfd3fcc9d7a1d

SHA256
b20de72d706c7eeeb1534207eb464562841d3802004743b2e98ad61aa7bd8d32

SHA512
38fffad5dc910853d858e3253617cc6a75149c1e5c860d1e603ff50ac8a6c47fcfd096705caca010a13112545416b99d3ae361b51ad33aff0c4cba7ade5472b1

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
93KB

MD5
3d69d3515b37260ee34341086f56359e

SHA1
95df7d7743bc9cb7ae3ab06b75322f050bc5ba28

SHA256
7eb63e50bffb45a440bed3c9d913b692c2549c036990c2e8e1c7bf05a97ac6cd

SHA512
8722090cdd60b469ac707297e07f9e9f3c5151c3184da2d25b268173479606455a9f6e693f81603979c6f31b392376ed9aa912649b79047ddc0640e281a19a72

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
93KB

MD5
390582c8b8d9b4ab02740c19f5326bb0

SHA1
9fe5b79737a11b6af58620182e31403a1933df49

SHA256
7c9f1c6c392c6f0d97643147032d11873ab97335b80f7619d568c684e29b661d

SHA512
6d34abab15d9ea6eabd71957212cf90e5d803c73c568adadacfbda0b302a442377e98f34c30eee0b94284b24c033861dd2cd8e92d0607501638e4b55f39d57d4

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
93KB

MD5
294ed19c526eddc535478e0027716fd4

SHA1
6e3547d787622f09b2115fc7090905d61a31634a

SHA256
f76bbf65d86a6bc464e7a2dccdfe5cff9faa4a30da6de527d64cd2f2d092d075

SHA512
7be4cd7488976a8dc16ce3e1a477bd53b52b946b0e0e34e157950cb1febabc66d85bcc395bfb6dd252db4cb2c26891486844da8a2fb87701087aad4ede31f337

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
93KB

MD5
38566ef83849dd6192ab76d9546537b1

SHA1
6c8e31891975ace5a6c07d4180828966d7953cd2

SHA256
03067871a36dab718c85be39262b53e80e9d15211105d385078d21b80207f59e

SHA512
2d14d0f62f066ed66ff178c07e8e8bebc148bae765d042a6aa36c8cbdec5fbb719a8a0960c1c5ef126102c416f4828f32b7cd97335646bd122429a5c5635ace9

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
93KB

MD5
57c390fefe8adff501a93af48c70e5ad

SHA1
300ba0b400a41d8e63ff378216ea90427c5b6f94

SHA256
01c1c90a6b7e4a11e50e933ebb456465dc679c9fa200891437db6b10b510e38e

SHA512
472daff3d3675e4ad3d854de4003f8ac92417c6df83c2f5d5abb8879d065da13d1b30ee7da6f73e634bbbc5adb97fdded2974760d3fa560bc900d35ee38b84ff

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
93KB

MD5
1424a9c596c2ee44710ed5d3ca7aa38f

SHA1
003f962043a81afd6f88bb821f5fd7b8ea99d5e9

SHA256
3ab5f5e082d4afee6109fd649051bcdbb0b3c2773e6f62a4dcd3ba55d2a38d49

SHA512
234db043b3941c39e19b2c5e6a49f21772be896ba05606fa322e6dba65ab1eeed5e470ae362a5032a416c084880d2629d72cc11f8c7c9fcd21b507afca84ebb8

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
93KB

MD5
258e683622e84ca83b5bd025aaed5fce

SHA1
5bbf5ed07c862fe35a02b5b459bcd59d3f32af27

SHA256
b145ce5da62dbc54dc841d30bd5fe49463c86046fdb3de239ea007bc1db6df9e

SHA512
6b3ca28470c91ca6b0649e5a4622ad02babd4773173ced80b64a5b38148756131f4ccc95ad72707b23863f05ddc9e152166f3d2b4bd2e7e1b37ad98a13103d6d

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
93KB

MD5
1cf1915a4e0fccc686a0a6c9d8d6e35a

SHA1
40f9493423602c7a0efa869cfe6d5c89b4a6b168

SHA256
dafe06815aa26cd5b0f62c1b58650b61767b41f6224bcbaf064ae1034048e62c

SHA512
5d722b2a5795c7b33617241a4a70102f8e8ae4aefd5fa0dc71dfcee1ac9c65f082d86271a6e446df48c1ec0072499fa16565e69d9cc40f4466b72cdce54edb0a

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
93KB

MD5
c1f36cc965de689d93ac5a98992c518a

SHA1
1364e871557c78325a13758b0b09874aeb57a58f

SHA256
29110a1c1a6e25e999d7f9db7bfd9b1d8cf7788eaee72ac2664002b85735338b

SHA512
1525942234520a4cd06192a390458e13a4bf6378adf228bb8f6cc2a25be39e650df80c54f13a589299e2d3b2d85a458a5affedd39dbcef83366f5952521159b0

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
93KB

MD5
e08a6dbe825900f81be70e3608f61abb

SHA1
7468df007a020c13bf9df899bff9c48ec5425fe2

SHA256
d1fc564fd3bf05fd8ecf98bdf435a18e213c537673925cd11806eead2cc152d5

SHA512
56c5a53d5c1254845d9435d3bba96aa6d5e81b8dc5126559d331aba0f74c1e8bf0fe1c010817eb6b9e84abc6934b54ddcaa12a80bdf01a349f3a07b2febfb41e

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
93KB

MD5
2a8254bdadcf0d766a200a9637e925c0

SHA1
59463c7a2925d05011a4cf5606a9214bd9bf5f7f

SHA256
6de5e44d0018ac875b6f7460f89324f3e2bc62b3b9aed1a492c01f3c26e7978c

SHA512
f9a714976e59ada34b166f6eeb73e8d37ad65924a994f610d52119ba6be09d8c5ce3f722ab605498fa460daeca605e52be7b2fd89b7f05c122960832e7b3afe7

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
93KB

MD5
6e63d39476afb70fba52db8da2759b81

SHA1
f5c059d81fc2c91ac55401b1ed17bd90b2ab4b99

SHA256
9a79bbffb017c0bd1479584d6b6692fae9c2230057ec9db8c437aabc2bf0543b

SHA512
fdd1e31dbd66865c13d0bdf10b0b9a5cc77c4a66c544ec6470c99fa47d66043179b6a992bfcdde48322400d447b007725d6e6a83108d899d90b1b2725a982eb4

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
93KB

MD5
0c819d3ca41b2e284bf7317ca0d2e9f3

SHA1
0348b13a3d62cdd3b6b58b1b418695ec3ea0481d

SHA256
ab896961e2f31e12fd129e5c28039eba1976f5b8d98c47044f1b2e5803dc1f5a

SHA512
afe4613cd42b77039fa0bea2013ff5422d09678a6ff87ce29b9b8a937559de8b2cea296a81256483f8f6056c8923357faac37b20567acf744c813bdbf5a8f1ed

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
93KB

MD5
51bbd0bf7835af21e2cd0bb5be1d0a19

SHA1
c4d37c6de3d04281ee9ce5be93f5e7176b902933

SHA256
d2ba0fdae7c9c8c0c59fa5b6c62763156fe4b6380e4f57695bca64be26b82b76

SHA512
f976052e44741cc3109e9f27a47f64a33fe2c2c0f5157fe8abcd9180a7e61c0dc20c1ac2b246053a57faa18dbf76ab998704a32cc7c92d8d3ccf6e7ee5f4c7bb

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
93KB

MD5
1ecd1633b7cafd0f31b0ca17a0a7b4ff

SHA1
494cbfc9fe78df07e74a0ca250cb971ff0ea320a

SHA256
caa8169eb1b04315185bb7d71434671635d38cf0f6d55320ea4d61f3251e26d6

SHA512
63f57c812ff3ba06e6c3adf0bdace91bde81b4168b3bb70dec62c0629d3c30c257ecf686da7deba0bf2e64984dad6c8ae8442dff828e52700423e693befb1790

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
93KB

MD5
a0923da199e2ebbfd7785aa32f2a2b7d

SHA1
e6e928a86158232858fb3e6df62a2d6a80efd272

SHA256
4b25a10dadb1a8e28dcf31d36824b051fbd173fc82278c2c240c2aa68cb014e3

SHA512
6a85f676815f2aebd6090440c6f7fc3dbb9634c1aa98f529771ef6798b10ebdee3f687f370ee11202010aa57638c7f759968233d7e1da9a94c6f3f1111ef9c6f

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
93KB

MD5
cb7303210361ba038b6315df99aeab73

SHA1
83dbfd9329d8874612eaade52397bf36b024eb94

SHA256
22c6027255ece44172049d2e16d58c16ab40266c273d1c9fff9ee4e3eed52634

SHA512
d93199d950f682b34966c03b6afbbd9d7199050be0467c21e6b695f47d146de6148e7155ae4b0ad969a96501b10392cd64b47a1debc8d195ef338873d57997d4

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
93KB

MD5
a4dbf84b6e501c78be69f757ed47cc72

SHA1
09ddaab1041f8ff4138bfa23b43b15595ae839b7

SHA256
00cdd5c0d967849b02941e9be2841343dec4bbc431ba297eb073f83a817ec310

SHA512
949067945fbf22f53539af42e9be52029ff0ba3e48da3ba8303f737f7aa3c6c3c9067fc4768cb8f770b7ff7269bbedf50e98fa9d9b7cc1b4bfbd029460dc24cc

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
93KB

MD5
aea6841119074a1fb99af567267db97f

SHA1
316ce9c53457dbdc8851b83605d14d3ee711e85e

SHA256
eb16ace1ad7c91b7b58c7175f7556eeb396ff78cd372a34ffb921d7ad512f9b6

SHA512
f9e88479171004049b3a530e6fb1da20dd4640b61f96f93d0d8cd45d10dc52b7fa79cb8b6f4fdd1f45feacd90aff4362f45da1dfe0c0c0947db5f3430c3f6dd3

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
93KB

MD5
bb1f42f867c15d5819a9de2b787b1fa8

SHA1
e09f6ab813e1be285d336fd74abe4830bf550f66

SHA256
46f938f067cc0208db1ad5081afaeb0a14c38cb6fa2ff4999a40db4a1236b7eb

SHA512
788eec6414e2d2c32f4df113a6d40900e52b854c9c1db361f197c817cf144ab031cd5d875ec7b5d9b0399d45ebedae1ca5978a8ebb08e5e8b7b13f19769b8c4f

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
93KB

MD5
f995391a23a61629fb2f81bb92e8c934

SHA1
83ff370567e891338982319f0b03e6b3d8435b02

SHA256
df8bbfbaf226acbbec24e9e15683deb102ce53c2c9e1fe01d0bfdc87dbe76caa

SHA512
72ba78ba89dbf1581ba16d9a303fb3fc153edc3becee939214e8e86d180df5357f44e2fe457dd783d28db56bab27bdb5c7284d96f83e1e394a9b02a043a2eb5c

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
93KB

MD5
6473df2f3dd29cf5b099163dbead028f

SHA1
b5306dafef7cc78045d34ed325f71b1590570177

SHA256
5327a0a614c8459b132e3a4da411ece360033b0a12957b5c3f864be01ca1f254

SHA512
c522fee8d1d294ebd6404579ce87e3ecd38cac2ba0f9ea65cacc0b5dd3b7a39d1428d9f762ab11d9bd2e685e2b16a2826834f4df8deb4762233e944b9e75b194

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
93KB

MD5
e7b984cfb9adb59371b9d576a6dd8dcc

SHA1
9ebeabccc48df6807141201be9d41aeb390cbe00

SHA256
eda0288432b22404ce9f9c75f454014a505c2c56aaaabd0a637957752aad4f28

SHA512
9a5de92b9c65c20edc6c4e2623d3d9160acc7ccd3b654ca4f5b14b28650bd6e436a2a6a9049a58ff08720ed879686afe872aef1a53ba496246b702552fe86bcc

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
93KB

MD5
57f69a1be132f808c5f1bf9164f49260

SHA1
6942db15dd8374e382c4defdc2a7bb68dc2ca946

SHA256
095b05cd41b1f635e76c3bfdccbfeed5a0fe6a00f10843a063f4f7d8779b5572

SHA512
7009c0a632baeb310bd88bb854bef89b6716a6660fbf8c15ef2ccddd967e24df3b4c9847a743781c110e440cdacc2837c5615502f85ca11b2f48bd736db9a519

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
93KB

MD5
b567d72aed921c96f1a6d9a57c470279

SHA1
f3f7eb2e54e21648bc9ba91dbc92693fa1d48466

SHA256
f3527d9d0c7450109afd6455117b26056c0dac4f368b7a6bc6d53cae7e793892

SHA512
5188e3418e8ad542df2a930bd6ba2153ee6b63bcc81775a1f97525352add8c5b17851a8714d2661d54235ecfeefa65d09f4aba97f92cefc5f1923b8fd11aeca3

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
93KB

MD5
d900c849f6ddf36b4e4c383a7c9fe4ec

SHA1
38c8bde5e6871632d0d32cd709486d83d687d925

SHA256
5681307260e68bd27ba887b97d7ae9442d998ac0b1457afea888cbbc2ed3aa89

SHA512
95943bc4d2f52ffe698d672881ec2335f2ea4e98f11bbae656e54392fa22a6361a13074ed5d781e5835c8ec6afaa76861f477343a9e7eab621fa401857a0a899

Download Submit
memory/208-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/212-523-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/212-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/404-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/808-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1068-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1076-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1116-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-549-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1260-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1260-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1328-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1456-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1512-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1704-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1704-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1772-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-518-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-536-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3076-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3220-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3340-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3380-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3480-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3548-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3548-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-530-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4224-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-542-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4300-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4720-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download