feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe
Size

56KB
MD5

7024fa26b739a22fe5ecf4d3920ad0fd
SHA1

2cffabaed2a5008c2439a62e91700d5297391483
SHA256

feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa
SHA512

c87740f512a0991eaa7df0cd9a308154d4ea546e7a6689c3aaed8f0498326265d46406d2e24ebfa994744a85dbb34a810e937738bb10958cd1582e6b88a29302
SSDEEP

1536:+FOLmmx2LMJkl26tk3R6IniSO+Zb2HLjEVcAVi:hmma0kHtk3R6g/aXqPVi

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Biojif32.exeBdmddc32.exeCdoajb32.exeCdanpb32.exeAjpjakhc.exeQijdocfj.exeAmqccfed.exeAckkppma.exeBdkgocpm.exeCinfhigl.exePihgic32.exePmccjbaf.exeBpfeppop.exeCddjebgb.exeQgoapp32.exeBjbcfn32.exeBobhal32.exeAchojp32.exeAfkdakjb.exeCilibi32.exePjbjhgde.exeQkkmqnck.exeAbbeflpf.exePbnoliap.exePckoam32.exeBiafnecn.exeBoplllob.exefeaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exeQbbhgi32.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biojif32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdanpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pihgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qijdocfj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmccjbaf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdanpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinfhigl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cilibi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjbjhgde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkkmqnck.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbnoliap.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pihgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbnoliap.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgoapp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbbhgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbbhgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjbjhgde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biojif32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achojp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boplllob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkkmqnck.exe

Executes dropped EXE 29 IoCs

Processes:

Pjbjhgde.exePckoam32.exePbnoliap.exePihgic32.exePmccjbaf.exeQijdocfj.exeQbbhgi32.exeQgoapp32.exeQkkmqnck.exeAjpjakhc.exeAchojp32.exeAmqccfed.exeAckkppma.exeAfkdakjb.exeAbbeflpf.exeBpfeppop.exeBiojif32.exeBiafnecn.exeBjbcfn32.exeBdkgocpm.exeBoplllob.exeBdmddc32.exeBobhal32.exeCdoajb32.exeCilibi32.exeCdanpb32.exeCinfhigl.exeCddjebgb.exeCeegmj32.exe

pid	Process
2780	Pjbjhgde.exe
2816	Pckoam32.exe
2684	Pbnoliap.exe
892	Pihgic32.exe
584	Pmccjbaf.exe
2940	Qijdocfj.exe
1912	Qbbhgi32.exe
1768	Qgoapp32.exe
1332	Qkkmqnck.exe
2964	Ajpjakhc.exe
3032	Achojp32.exe
1152	Amqccfed.exe
2188	Ackkppma.exe
2552	Afkdakjb.exe
2460	Abbeflpf.exe
1696	Bpfeppop.exe
1984	Biojif32.exe
2200	Biafnecn.exe
2016	Bjbcfn32.exe
1932	Bdkgocpm.exe
884	Boplllob.exe
2436	Bdmddc32.exe
2656	Bobhal32.exe
2740	Cdoajb32.exe
2248	Cilibi32.exe
1616	Cdanpb32.exe
2296	Cinfhigl.exe
772	Cddjebgb.exe
2176	Ceegmj32.exe

Loads dropped DLL 62 IoCs

Processes:

feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exePjbjhgde.exePckoam32.exePbnoliap.exePihgic32.exePmccjbaf.exeQijdocfj.exeQbbhgi32.exeQgoapp32.exeQkkmqnck.exeAjpjakhc.exeAchojp32.exeAmqccfed.exeAckkppma.exeAfkdakjb.exeAbbeflpf.exeBpfeppop.exeBiojif32.exeBiafnecn.exeBjbcfn32.exeBdkgocpm.exeBoplllob.exeBdmddc32.exeBobhal32.exeCdoajb32.exeCilibi32.exeCdanpb32.exeCinfhigl.exeCddjebgb.exeWerFault.exe

pid	Process
2836	feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe
2836	feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe
2780	Pjbjhgde.exe
2780	Pjbjhgde.exe
2816	Pckoam32.exe
2816	Pckoam32.exe
2684	Pbnoliap.exe
2684	Pbnoliap.exe
892	Pihgic32.exe
892	Pihgic32.exe
584	Pmccjbaf.exe
584	Pmccjbaf.exe
2940	Qijdocfj.exe
2940	Qijdocfj.exe
1912	Qbbhgi32.exe
1912	Qbbhgi32.exe
1768	Qgoapp32.exe
1768	Qgoapp32.exe
1332	Qkkmqnck.exe
1332	Qkkmqnck.exe
2964	Ajpjakhc.exe
2964	Ajpjakhc.exe
3032	Achojp32.exe
3032	Achojp32.exe
1152	Amqccfed.exe
1152	Amqccfed.exe
2188	Ackkppma.exe
2188	Ackkppma.exe
2552	Afkdakjb.exe
2552	Afkdakjb.exe
2460	Abbeflpf.exe
2460	Abbeflpf.exe
1696	Bpfeppop.exe
1696	Bpfeppop.exe
1984	Biojif32.exe
1984	Biojif32.exe
2200	Biafnecn.exe
2200	Biafnecn.exe
2016	Bjbcfn32.exe
2016	Bjbcfn32.exe
1932	Bdkgocpm.exe
1932	Bdkgocpm.exe
884	Boplllob.exe
884	Boplllob.exe
2436	Bdmddc32.exe
2436	Bdmddc32.exe
2656	Bobhal32.exe
2656	Bobhal32.exe
2740	Cdoajb32.exe
2740	Cdoajb32.exe
2248	Cilibi32.exe
2248	Cilibi32.exe
1616	Cdanpb32.exe
1616	Cdanpb32.exe
2296	Cinfhigl.exe
2296	Cinfhigl.exe
772	Cddjebgb.exe
772	Cddjebgb.exe
1720	WerFault.exe
1720	WerFault.exe
1720	WerFault.exe
1720	WerFault.exe

Drops file in System32 directory 64 IoCs

Processes:

Qijdocfj.exeBiafnecn.exeBjbcfn32.exePckoam32.exePmccjbaf.exeAchojp32.exeAmqccfed.exeAfkdakjb.exefeaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exeAjpjakhc.exeQkkmqnck.exeBiojif32.exeBoplllob.exeBdmddc32.exeCdoajb32.exePjbjhgde.exePihgic32.exeCdanpb32.exeAckkppma.exeAbbeflpf.exeCilibi32.exeQbbhgi32.exeBdkgocpm.exeBobhal32.exeCinfhigl.exePbnoliap.exeBpfeppop.exeCddjebgb.exeQgoapp32.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\Qbbhgi32.exe	Qijdocfj.exe
File created	C:\Windows\SysWOW64\Hqlhpf32.dll	Biafnecn.exe
File opened for modification	C:\Windows\SysWOW64\Bdkgocpm.exe	Bjbcfn32.exe
File opened for modification	C:\Windows\SysWOW64\Pbnoliap.exe	Pckoam32.exe
File created	C:\Windows\SysWOW64\Lclclfdi.dll	Pckoam32.exe
File created	C:\Windows\SysWOW64\Qijdocfj.exe	Pmccjbaf.exe
File created	C:\Windows\SysWOW64\Qofpoogh.dll	Achojp32.exe
File created	C:\Windows\SysWOW64\Ackkppma.exe	Amqccfed.exe
File created	C:\Windows\SysWOW64\Gmfkdm32.dll	Afkdakjb.exe
File opened for modification	C:\Windows\SysWOW64\Bjbcfn32.exe	Biafnecn.exe
File created	C:\Windows\SysWOW64\Pjbjhgde.exe	feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe
File created	C:\Windows\SysWOW64\Gcnmkd32.dll	Qijdocfj.exe
File created	C:\Windows\SysWOW64\Achojp32.exe	Ajpjakhc.exe
File opened for modification	C:\Windows\SysWOW64\Ajpjakhc.exe	Qkkmqnck.exe
File created	C:\Windows\SysWOW64\Biafnecn.exe	Biojif32.exe
File opened for modification	C:\Windows\SysWOW64\Bdmddc32.exe	Boplllob.exe
File created	C:\Windows\SysWOW64\Imklkg32.dll	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Cilibi32.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Pckoam32.exe	Pjbjhgde.exe
File opened for modification	C:\Windows\SysWOW64\Pmccjbaf.exe	Pihgic32.exe
File opened for modification	C:\Windows\SysWOW64\Qijdocfj.exe	Pmccjbaf.exe
File created	C:\Windows\SysWOW64\Cinfhigl.exe	Cdanpb32.exe
File created	C:\Windows\SysWOW64\Lmmlmd32.dll	Ackkppma.exe
File created	C:\Windows\SysWOW64\Pqncgcah.dll	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Bdmddc32.exe	Boplllob.exe
File opened for modification	C:\Windows\SysWOW64\Cdanpb32.exe	Cilibi32.exe
File opened for modification	C:\Windows\SysWOW64\Pjbjhgde.exe	feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe
File opened for modification	C:\Windows\SysWOW64\Qgoapp32.exe	Qbbhgi32.exe
File created	C:\Windows\SysWOW64\Okbekdoi.dll	Ajpjakhc.exe
File created	C:\Windows\SysWOW64\Liggabfp.dll	Bdkgocpm.exe
File opened for modification	C:\Windows\SysWOW64\Qbbhgi32.exe	Qijdocfj.exe
File opened for modification	C:\Windows\SysWOW64\Ackkppma.exe	Amqccfed.exe
File opened for modification	C:\Windows\SysWOW64\Bpfeppop.exe	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Dnabbkhk.dll	Bobhal32.exe
File created	C:\Windows\SysWOW64\Cddjebgb.exe	Cinfhigl.exe
File created	C:\Windows\SysWOW64\Pbnoliap.exe	Pckoam32.exe
File created	C:\Windows\SysWOW64\Oodajl32.dll	Pihgic32.exe
File created	C:\Windows\SysWOW64\Qgoapp32.exe	Qbbhgi32.exe
File created	C:\Windows\SysWOW64\Hepiihgc.dll	Pbnoliap.exe
File opened for modification	C:\Windows\SysWOW64\Achojp32.exe	Ajpjakhc.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	Bobhal32.exe
File opened for modification	C:\Windows\SysWOW64\Biojif32.exe	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Mmdgdp32.dll	Bpfeppop.exe
File opened for modification	C:\Windows\SysWOW64\Cilibi32.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cddjebgb.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cddjebgb.exe
File created	C:\Windows\SysWOW64\Pihgic32.exe	Pbnoliap.exe
File opened for modification	C:\Windows\SysWOW64\Amqccfed.exe	Achojp32.exe
File opened for modification	C:\Windows\SysWOW64\Afkdakjb.exe	Ackkppma.exe
File created	C:\Windows\SysWOW64\Hjojco32.dll	Qbbhgi32.exe
File created	C:\Windows\SysWOW64\Ejaekc32.dll	Qgoapp32.exe
File created	C:\Windows\SysWOW64\Bpfeppop.exe	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Bobhal32.exe	Bdmddc32.exe
File opened for modification	C:\Windows\SysWOW64\Bobhal32.exe	Bdmddc32.exe
File opened for modification	C:\Windows\SysWOW64\Cddjebgb.exe	Cinfhigl.exe
File created	C:\Windows\SysWOW64\Abbeflpf.exe	Afkdakjb.exe
File created	C:\Windows\SysWOW64\Bjbcfn32.exe	Biafnecn.exe
File created	C:\Windows\SysWOW64\Cjnolikh.dll	Boplllob.exe
File created	C:\Windows\SysWOW64\Afkdakjb.exe	Ackkppma.exe
File created	C:\Windows\SysWOW64\Deokbacp.dll	Biojif32.exe
File created	C:\Windows\SysWOW64\Hgpmbc32.dll	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Ffjmmbcg.dll	Pjbjhgde.exe
File opened for modification	C:\Windows\SysWOW64\Pihgic32.exe	Pbnoliap.exe
File created	C:\Windows\SysWOW64\Qkkmqnck.exe	Qgoapp32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
1720	2176	WerFault.exe	58

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Biafnecn.exeBdkgocpm.exeAbbeflpf.exefeaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exePmccjbaf.exeAchojp32.exeAfkdakjb.exeCdanpb32.exeCddjebgb.exeQbbhgi32.exeQkkmqnck.exeBiojif32.exeCdoajb32.exeBoplllob.exeCinfhigl.exePjbjhgde.exePihgic32.exeAjpjakhc.exeBpfeppop.exeQijdocfj.exeQgoapp32.exeAmqccfed.exeAckkppma.exeBjbcfn32.exeCilibi32.exePckoam32.exePbnoliap.exeBdmddc32.exeBobhal32.exeCeegmj32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abbeflpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmccjbaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achojp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afkdakjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdanpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cddjebgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbbhgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkkmqnck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biojif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boplllob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinfhigl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjbjhgde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pihgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpjakhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfeppop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qijdocfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgoapp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqccfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ackkppma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbcfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pckoam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbnoliap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobhal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe

Modifies registry class 64 IoCs

Processes:

Pbnoliap.exeAckkppma.exeBpfeppop.exeCinfhigl.exefeaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exePihgic32.exeAmqccfed.exePjbjhgde.exeAfkdakjb.exeAbbeflpf.exeBdmddc32.exeBiafnecn.exeBobhal32.exeCdanpb32.exePmccjbaf.exeQbbhgi32.exeQgoapp32.exeAchojp32.exeCddjebgb.exePckoam32.exeBiojif32.exeCilibi32.exeBoplllob.exeAjpjakhc.exeBdkgocpm.exeBjbcfn32.exeQijdocfj.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbnoliap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdgdp32.dll"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cinfhigl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pihgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amqccfed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjbjhgde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imklkg32.dll"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdanpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qbbhgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejaekc32.dll"	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmani32.dll"	Amqccfed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffjmmbcg.dll"	Pjbjhgde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmdic32.dll"	Pmccjbaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lclclfdi.dll"	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qofpoogh.dll"	Achojp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biojif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjnolikh.dll"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhdmagqq.dll"	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodajl32.dll"	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjojco32.dll"	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mblnbcjf.dll"	Cdanpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdanpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cinfhigl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqncgcah.dll"	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqlhpf32.dll"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcohbnpe.dll"	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cilibi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okbekdoi.dll"	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmlmd32.dll"	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfkdm32.dll"	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boplllob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liggabfp.dll"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aincgi32.dll"	Cilibi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	Process	procid_target
PID 2836 wrote to memory of 2780	2836	feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe	30
PID 2836 wrote to memory of 2780	2836	feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe	30
PID 2836 wrote to memory of 2780	2836	feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe	30
PID 2836 wrote to memory of 2780	2836	feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe	30
PID 2780 wrote to memory of 2816	2780	Pjbjhgde.exe	31
PID 2780 wrote to memory of 2816	2780	Pjbjhgde.exe	31
PID 2780 wrote to memory of 2816	2780	Pjbjhgde.exe	31
PID 2780 wrote to memory of 2816	2780	Pjbjhgde.exe	31
PID 2816 wrote to memory of 2684	2816	Pckoam32.exe	32
PID 2816 wrote to memory of 2684	2816	Pckoam32.exe	32
PID 2816 wrote to memory of 2684	2816	Pckoam32.exe	32
PID 2816 wrote to memory of 2684	2816	Pckoam32.exe	32
PID 2684 wrote to memory of 892	2684	Pbnoliap.exe	33
PID 2684 wrote to memory of 892	2684	Pbnoliap.exe	33
PID 2684 wrote to memory of 892	2684	Pbnoliap.exe	33
PID 2684 wrote to memory of 892	2684	Pbnoliap.exe	33
PID 892 wrote to memory of 584	892	Pihgic32.exe	34
PID 892 wrote to memory of 584	892	Pihgic32.exe	34
PID 892 wrote to memory of 584	892	Pihgic32.exe	34
PID 892 wrote to memory of 584	892	Pihgic32.exe	34
PID 584 wrote to memory of 2940	584	Pmccjbaf.exe	35
PID 584 wrote to memory of 2940	584	Pmccjbaf.exe	35
PID 584 wrote to memory of 2940	584	Pmccjbaf.exe	35
PID 584 wrote to memory of 2940	584	Pmccjbaf.exe	35
PID 2940 wrote to memory of 1912	2940	Qijdocfj.exe	36
PID 2940 wrote to memory of 1912	2940	Qijdocfj.exe	36
PID 2940 wrote to memory of 1912	2940	Qijdocfj.exe	36
PID 2940 wrote to memory of 1912	2940	Qijdocfj.exe	36
PID 1912 wrote to memory of 1768	1912	Qbbhgi32.exe	37
PID 1912 wrote to memory of 1768	1912	Qbbhgi32.exe	37
PID 1912 wrote to memory of 1768	1912	Qbbhgi32.exe	37
PID 1912 wrote to memory of 1768	1912	Qbbhgi32.exe	37
PID 1768 wrote to memory of 1332	1768	Qgoapp32.exe	38
PID 1768 wrote to memory of 1332	1768	Qgoapp32.exe	38
PID 1768 wrote to memory of 1332	1768	Qgoapp32.exe	38
PID 1768 wrote to memory of 1332	1768	Qgoapp32.exe	38
PID 1332 wrote to memory of 2964	1332	Qkkmqnck.exe	39
PID 1332 wrote to memory of 2964	1332	Qkkmqnck.exe	39
PID 1332 wrote to memory of 2964	1332	Qkkmqnck.exe	39
PID 1332 wrote to memory of 2964	1332	Qkkmqnck.exe	39
PID 2964 wrote to memory of 3032	2964	Ajpjakhc.exe	40
PID 2964 wrote to memory of 3032	2964	Ajpjakhc.exe	40
PID 2964 wrote to memory of 3032	2964	Ajpjakhc.exe	40
PID 2964 wrote to memory of 3032	2964	Ajpjakhc.exe	40
PID 3032 wrote to memory of 1152	3032	Achojp32.exe	41
PID 3032 wrote to memory of 1152	3032	Achojp32.exe	41
PID 3032 wrote to memory of 1152	3032	Achojp32.exe	41
PID 3032 wrote to memory of 1152	3032	Achojp32.exe	41
PID 1152 wrote to memory of 2188	1152	Amqccfed.exe	42
PID 1152 wrote to memory of 2188	1152	Amqccfed.exe	42
PID 1152 wrote to memory of 2188	1152	Amqccfed.exe	42
PID 1152 wrote to memory of 2188	1152	Amqccfed.exe	42
PID 2188 wrote to memory of 2552	2188	Ackkppma.exe	43
PID 2188 wrote to memory of 2552	2188	Ackkppma.exe	43
PID 2188 wrote to memory of 2552	2188	Ackkppma.exe	43
PID 2188 wrote to memory of 2552	2188	Ackkppma.exe	43
PID 2552 wrote to memory of 2460	2552	Afkdakjb.exe	44
PID 2552 wrote to memory of 2460	2552	Afkdakjb.exe	44
PID 2552 wrote to memory of 2460	2552	Afkdakjb.exe	44
PID 2552 wrote to memory of 2460	2552	Afkdakjb.exe	44
PID 2460 wrote to memory of 1696	2460	Abbeflpf.exe	45
PID 2460 wrote to memory of 1696	2460	Abbeflpf.exe	45
PID 2460 wrote to memory of 1696	2460	Abbeflpf.exe	45
PID 2460 wrote to memory of 1696	2460	Abbeflpf.exe	45

C:\Users\Admin\AppData\Local\Temp\feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe
"C:\Users\Admin\AppData\Local\Temp\feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\SysWOW64\Pjbjhgde.exe
  C:\Windows\system32\Pjbjhgde.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\SysWOW64\Pckoam32.exe
    C:\Windows\system32\Pckoam32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\SysWOW64\Pbnoliap.exe
      C:\Windows\system32\Pbnoliap.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\SysWOW64\Pihgic32.exe
        
        C:\Windows\system32\Pihgic32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:892
      - C:\Windows\SysWOW64\Pmccjbaf.exe
        
        C:\Windows\system32\Pmccjbaf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:584
        
        C:\Windows\SysWOW64\Qijdocfj.exe
        
        C:\Windows\system32\Qijdocfj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Qbbhgi32.exe
        
        C:\Windows\system32\Qbbhgi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Qgoapp32.exe
        
        C:\Windows\system32\Qgoapp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Qkkmqnck.exe
        
        C:\Windows\system32\Qkkmqnck.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Ajpjakhc.exe
        
        C:\Windows\system32\Ajpjakhc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Achojp32.exe
        
        C:\Windows\system32\Achojp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Amqccfed.exe
        
        C:\Windows\system32\Amqccfed.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Ackkppma.exe
        
        C:\Windows\system32\Ackkppma.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\Afkdakjb.exe
        
        C:\Windows\system32\Afkdakjb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Abbeflpf.exe
        
        C:\Windows\system32\Abbeflpf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Biojif32.exe
        
        C:\Windows\system32\Biojif32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Bjbcfn32.exe
        
        C:\Windows\system32\Bjbcfn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Cdanpb32.exe
        
        C:\Windows\system32\Cdanpb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Cinfhigl.exe
        
        C:\Windows\system32\Cinfhigl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Cddjebgb.exe
        
        C:\Windows\system32\Cddjebgb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 140
        31⤵
        Loads dropped DLL
        Program crash
        
        PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ackkppma.exe

Filesize
56KB

MD5
e56f310b8b22dfebb6a449643f5d3940

SHA1
3d7887b64410113d1e89294f75ba521548031192

SHA256
7937f6516fffe6309fd187924dabb079e6c25b0ae3b78802590c0183acb24c30

SHA512
a4efe4e6560a4b230d7a915225cc9535f3a81c303a8e21e32d5d64256027da65879fce786ebdafa6bfcc1ab087e89890142db1a0dfaf3bdbb10dbd86e14005e4

Download Submit
C:\Windows\SysWOW64\Bdkgocpm.exe

Filesize
56KB

MD5
ce399baa786ac688858a1829fe6c7ea3

SHA1
28904e0a47c282d2b26c100ea969cb4234027c71

SHA256
4b0bcf8012815d24c11f669b2b283ae046c1213cdd00d23ac179ffea34f882bc

SHA512
00c56f66034e416072f49bd96e2841a65e9115ad7eedec0af1663eaff98f83d6bbe34eec8b11972ad78068deb5305ca345eee58b3e02bf4f54d016ecccc2a598

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
56KB

MD5
576d96a380cb76afd8ba558b33bd3278

SHA1
d6a35473a11acc8c316aeec90ffc622bcb26fbde

SHA256
2a5d55a9b0c2f8ab390ee9af201768d5702652d7532525514363f26839431b68

SHA512
1ba71a7b2b51ce0f79316a945bfd4b808755fd44625ab5d33e70b653ab5b81c923c3c4cd080456943a06745d75c3ab038ef32ad2af8cb0894b155ecd08d911eb

Download Submit
C:\Windows\SysWOW64\Biafnecn.exe

Filesize
56KB

MD5
f05e0f21c7f5d452f046700895467e47

SHA1
67cb076be29fe4bd442b8fdf9b236fbb3c2888da

SHA256
112237cc9da0a5eeaba3ef7e2eafa1fedf8b14c3e545250241ca207abb254320

SHA512
6f4b991949eee0344158aacfc6b0b09c7de946daaf7e845db20de00e18ea6ed1ad0676d412eee2583ea87803193d9f9af750543a61726d761e75eeb8a2c58e6f

Download Submit
C:\Windows\SysWOW64\Biojif32.exe

Filesize
56KB

MD5
f3fc36682f4091a629dff893d03a7c5a

SHA1
a9f8ca2cca860cb353a010b2d0975823d47e0d3b

SHA256
77df7a48b088d3db1167be4193164e677e4b8d1aeb3b9d14cdf612f3e8a5aaff

SHA512
21b75b0c43c05c9e7cd1d8a53471bfe3586e4819c98db424509040f1397b15992206f2442d17c42fd27a96f180763b80e85c6039bef88d3279b955e526a07948

Download Submit
C:\Windows\SysWOW64\Bjbcfn32.exe

Filesize
56KB

MD5
0cf2c3de009d2318e3c40da866ff58dc

SHA1
7fbce656d867bfe79f7b8abd368e9967fffdbe64

SHA256
39c780fc9632118ee76173642b653545514cef270954b002f09df7ef44447435

SHA512
aa69de5c6a8f93edfe34692d2e2e4b1f7ddd55b691d183c15e3403f50cbd8df6e3b165a3893d545f819435caa2fa7c226c5fd72bc64cb05130788f9484323f5d

Download Submit
C:\Windows\SysWOW64\Bobhal32.exe

Filesize
56KB

MD5
c1a00d4ce1450d42e9b6775f4ba469f0

SHA1
c3499ef8ace7c8aa36b1474edeefe1f087599c05

SHA256
54ee17ea772a8009cdde58ec18cc30c48aa5791c02f022468c7fc335f7a9715e

SHA512
8c156546c38dcff1b54429a82563c68cabe8afa959c769b3d401a779ac48f2d1ca384969e56e9f6d749d1bb5a77a8a37bb92a2aded7046fade96a20e27bf7b5f

Download Submit
C:\Windows\SysWOW64\Boplllob.exe

Filesize
56KB

MD5
ef4a5a317ad3a57b1250fbbe98b1e25d

SHA1
2f59b41fdc4d2c392a5092ad370abfeed303b19d

SHA256
ad745ead22c07a5fdb450b73996288e317068a47727ee7d919fe4f68eb826f1d

SHA512
8f028cb009650b365e0184a94362a62d0b587d117ddfdd3f55b9263b6d69d522f766476ff0359356e95bfe40e83e23bee36f0cb7d67833e38a635d79048a37c7

Download Submit
C:\Windows\SysWOW64\Cdanpb32.exe

Filesize
56KB

MD5
3edf51d95539fd909202a9a83219702e

SHA1
e1bf4ff6a359395f6da8272d7ab6cfd998e20c99

SHA256
8cf53c494779a84b629fe01170903cd1f8847706aec6d49b3faff8fe670a1a3e

SHA512
5a3db079ff80f216b475265fdaac2e9bcc7b84df4291632401da32663730c856eebdf6db3c7b7ba1db6b7a44377de838440fb91c9f890b55f420bd09d6655971

Download Submit
C:\Windows\SysWOW64\Cddjebgb.exe

Filesize
56KB

MD5
2c8db2e2e44762fbcd0998096ee93f70

SHA1
7db47d51d98d5493a0ddd08e8c05d453ac728e3c

SHA256
ea10846d03a33d4ba629a2bc36e75b2424da5ccd60a723acf70b99e341ef0e84

SHA512
b2a6b3dfb6de44cea8508e60d0c9a49354d4e4f62877500c03c3e92031059cf6d09388a5e29a50ef1f70ddca02b34c6d8d605c80dd34c7938e57e6028770ed9b

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
56KB

MD5
7412bcbcb066fc89791381b62f68d6f9

SHA1
6e0a94e2a87f188c4b2fd219bd4a222e9decf0c5

SHA256
013a0bb30491a4b8fb977e37c7dcabf72ba953a727c00d41ac339be2f1213056

SHA512
d99b14d2b89c2f65a04e833f897e5c393070747d896d46c96f3dc010acc71b81b771ed86c29274cc652feba7b667b3835524be45507ffe5422f4a909c1a12d3a

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
56KB

MD5
03e6a69a6dba74c56b0873c7787175c6

SHA1
7a3756135ba72f15c3734a3d7c0e1f7c5f362921

SHA256
d774fa84027b8e96501ffb82dfb92d899778f063efca48749057cdf2eab63ed1

SHA512
62ba5f866a14d24ec7834b6d552ea4d9170ec2493fa58a4334760341f1ff391f0d8e48b41a03a4f919ec30c62152be8ba8b641abbbfeb334f1cfbc2408da9c50

Download Submit
C:\Windows\SysWOW64\Cilibi32.exe

Filesize
56KB

MD5
b49ee75dbb65b236deb54e7400453bfd

SHA1
45ca2ea101d140e5106a6021e09f2e98facb2941

SHA256
77a1b426ee2b5b192355963aa3922d8b1d3c48729c08845c23ba810209f80d57

SHA512
3b109342e315f578ef2e2f6066cda0734c372994790874c24598b6548434dd2ab2cd54c4140655dde2553c1462951c8aec850cdfe8dff718ab960c6b705e126d

Download Submit
C:\Windows\SysWOW64\Cinfhigl.exe

Filesize
56KB

MD5
6f60a9c89ac8a0dbdc4821f2342f3488

SHA1
b71c0987611adad78b07947ac72d3455a3827f79

SHA256
9d5e18d522916ea47e137d8ba1123cb921a6726f826d84e6d56d8cdb57a4ff6b

SHA512
753f9450b5342d35b548795efb6d098fb36b8a223b630b5e90a011ee45ffc5b46733b89e4ee355c6b476e35f6c3021896242d35d7ca87ca6647926e5141cc994

Download Submit
C:\Windows\SysWOW64\Pckoam32.exe

Filesize
56KB

MD5
61df5444d595756bd903fc092e843ccc

SHA1
62fabd5e4ecf8ac4107c3e7b932211ea50005091

SHA256
0698a795d9c0c7cfecc5208c4d0a40a02f6d89bbc602941341da3f8cff71058c

SHA512
7a93c76c7480f4dac0ce04d3699280140531a25a2372164de6c5bfa1936bb666ee5bfbf9b0ee60277734df67f89ae26e73ddc8203bdba50c1ef0c78aaa51238a

Download Submit
C:\Windows\SysWOW64\Pihgic32.exe

Filesize
56KB

MD5
b8f76afab451f1c7ce58bd81c199104e

SHA1
0715ac9c82fcab2482b119d2aeb5702029903cc9

SHA256
4be2be44507631fbb7327be6ef97bb535c015c03fb6b29159c41971b03b34393

SHA512
0d42db4f3e40f8884160c5d003df10043db68388f2ed6e9c64ecffdf6b5fecf6fbf1af5fa96aef50f9406fb61aaa56513204847f877f7010296f6caad7664d10

Download Submit
C:\Windows\SysWOW64\Pmccjbaf.exe

Filesize
56KB

MD5
c2bd78aac3ba8749ad6dc5bf0f4588b2

SHA1
ca48abe37efdcce7c379b0a3eed271ba17e7ed8f

SHA256
b7eddd87189a16dda318d6aea5d85a6fff2ececea2b9b6b618165afbd09b4b8e

SHA512
c4275e88c673e00af2fd80d44810a5ca88454d53adde17af0c76d753c505072c3ce5a19f46405f4cb15a7d12d4bf795ea080d5ca1b5f5f37fb3a553806380bbd

Download Submit
C:\Windows\SysWOW64\Qbbhgi32.exe

Filesize
56KB

MD5
447d7dcdcd638b050393f038385b2834

SHA1
4f49074fed859098654419cfb08bcdcf0e97187d

SHA256
1ac515b6c28cf9b3cf69c515a7cccedfaf78488aed0ef2e3c2296a7fe9e13008

SHA512
d1cadde3db21b49bc86a74866b4d4c544743be8165e593460450ab5a956ff8e47bb58e3776b748e0211445fb6fc3625473abc9d3993c3f0fb8dc41af182e947b

Download Submit
\Windows\SysWOW64\Abbeflpf.exe

Filesize
56KB

MD5
9b30307f6714055e133085e3e298dbac

SHA1
a48a7f07d000eec8e94a6cc6be4d9bddba04603d

SHA256
52606a9d4f571e8652c372a246885afe9e50a08e5d423300ac45bc88d70afdc9

SHA512
c00313fffc0c57a1275be78c14219b84ff61ccf0cd8439aab0926a9b68056b417e1428c5e428c34119a51a030d43e93c5d36e96e6576838bbc617e1f30d9c2e3

Download Submit
\Windows\SysWOW64\Achojp32.exe

Filesize
56KB

MD5
86337a5c1d14acfa0ddb45dfbc24fde2

SHA1
2c263f817310f40a6afd17fb506463da81560616

SHA256
0062cb7107917462d28293b8fdaa9a9ba67ee4ff57d6e38e64ab4113730bed1c

SHA512
50da2cca5a28da73d5200e15b5974df9661ded09a3d612f536fbb2820ab00a24f14ee55cea38bb4bcaae1b8145d1da00f5a61ea4c8b4ffd2538d133cc5b9e390

Download Submit
\Windows\SysWOW64\Afkdakjb.exe

Filesize
56KB

MD5
1c1fbc75352e07648c43aed09e6a4263

SHA1
ee99ddaaec8916603bfaabb24bc7a7cc2ba44f13

SHA256
3be4470159221fbb75da4dac91c6dde0af4044b2d3a51e8da29698b925114027

SHA512
f1f813f99d18207863d4bddef430dbf4184db8f46104c36abb8f8a677e7d153cbc59bc5f5c11992a3ddc06c1d43ff315628ddf84f5db3d17ee9faac4d301ff28

Download Submit
\Windows\SysWOW64\Ajpjakhc.exe

Filesize
56KB

MD5
d7a1b1061198f8c09afecdec2b3ba721

SHA1
52749378b9dc8d27bbe727a15900697784810a04

SHA256
8f7ebfbca7afd8d5edae78b19ffd929c43c898308ab7d4fbe4664e2a11ff6d53

SHA512
ba0f5a26913ba4fa5e1c62b78554fdc7b899f7cf7fb6f83d34192540fceb1371c14c777fbcc699085bb53dbad9786977c9fb5365dc0ead90daa0be9e4c64cdb8

Download Submit
\Windows\SysWOW64\Amqccfed.exe

Filesize
56KB

MD5
947555346fc4d4a6339c13380190cb36

SHA1
9be37e794e203bc27717fb34676d90477695b4bc

SHA256
df1a694e9e5000b0d7b6d47aa258e11147c0288a2b0b2a95bda0a611b9f2b9dc

SHA512
56f467fbd9db2dcf59c00feea53676e96b8e560bb9dbdb44e8d6680429347683ab674e18555859fbd8fc271416bfcf6d71b69366ce2b07f8b14fee590ebadbfa

Download Submit
\Windows\SysWOW64\Bpfeppop.exe

Filesize
56KB

MD5
38d4e95b8803ed4138621e0aa0006f49

SHA1
ca81cd8fd6b983fd0ab0417145300276ce247942

SHA256
43fc9c0a646b72abda11a5ab7a5d316fab31d98c773349b38cec105207915767

SHA512
93cb5baf95aee5166ef95e88e4e31e9b452783e27736d6e96a8cfab19d3c0f21d65a362c36ae67834db870c5bd2064560fb487d52dca440d365878624f486bff

Download Submit
\Windows\SysWOW64\Pbnoliap.exe

Filesize
56KB

MD5
112a5f8df4ce5b008be0d3d6efbd7168

SHA1
0ebe4c8b664bb73fc28586c3eb00c650c6fb1cc9

SHA256
0588fe21af1fca87d3930a5b99fccaee918a0732c37f68c09cbcd8b8c7fa83ed

SHA512
ac5d56b8c8683dc7e57829ea7cc713ab73fab9e460ab963a52d403ed59ee6a1e3e41ca022a566bd85d881c76a8eca3c384da6eb512c378bfe0164d2ae7c72cb1

Download Submit
\Windows\SysWOW64\Pjbjhgde.exe

Filesize
56KB

MD5
2f5ecee3e7924f924e4197c91189fcda

SHA1
1d27326253811afa1b8ebbb426392cf78a54e4ff

SHA256
d039f0e78b7859d79eee48e91928589276bec24d3d0e1d5e8dc21bc0f1932f60

SHA512
2fc1430b4ac4913232b40724edb976a47a66f6d90fcee5c5a4179cb103eebdb8474c47c22f09a82d87b2ef2cc790395d6e29393f5112a544f654fc2a9d211ad1

Download Submit
\Windows\SysWOW64\Qgoapp32.exe

Filesize
56KB

MD5
5a84fab0689fe11e34dc173fb8f8d554

SHA1
dab8defc17aaf95f7e92411558666f20775cd183

SHA256
85197dc1e73361e312a8dee015215eee510cde519752a5da7cb2921b2c64fc5c

SHA512
129defc5951ff4d6a69c90298833d5f10ea73b807c8bf7d58d87dc5eb02f62b8584dc5798d670b44c1b344e356984e1be5a620389dda3eff1ade2ec62a6cfed0

Download Submit
\Windows\SysWOW64\Qijdocfj.exe

Filesize
56KB

MD5
a5349f6692225b6cfb4673be8a53ff0b

SHA1
ff792e6b2b5e2abc1a08f819006757aba61aa132

SHA256
bc153c8729383a09adfcd7a4ed8c8c6014927ef910c3609277272b0388944989

SHA512
cde599f0cf07684fabcbc3b8a38ca0f5ad4d5428302f4da416b12aee5a4858a5ca135ca0011e8c210ae558f82c63895cd17f36fca5010dbb33f7e076dc884f52

Download Submit
\Windows\SysWOW64\Qkkmqnck.exe

Filesize
56KB

MD5
cc28cee12f1dcde8855c3cef30cb6cbb

SHA1
2f8e32ff7e8cc3c9f5df5a297e21d89853f56497

SHA256
f1cd41edfd4d4c227c64a1e88bc17c4f11584992b4ef56ccecfe6c2679e4a9a3

SHA512
2784622b75445ec57ceccfeaf8d15814dede264493a7c58f69b5e2581097f1dfef6b407fca74d46c8e34176a0b2060577cf010d0132cec3fab8f82e707273bee

Download Submit
memory/584-80-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/584-148-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/584-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/584-139-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/584-67-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/772-374-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/772-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/772-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/884-298-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/884-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/884-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/892-59-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1152-226-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1152-173-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1152-235-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1152-187-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1332-200-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1332-186-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1332-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1332-137-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1616-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1696-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1696-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1696-280-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1768-122-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-110-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1912-171-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1912-172-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1912-115-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1912-163-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-290-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1932-327-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1984-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1984-289-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1984-254-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2016-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-276-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2176-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-246-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2188-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-201-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2200-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2200-266-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2200-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-345-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2248-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-341-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2296-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2436-308-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2436-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-265-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-227-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2460-219-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-258-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2656-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2656-318-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2684-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-329-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2740-334-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2740-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-373-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2780-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2780-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-11-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2836-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-12-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2940-83-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2940-155-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2940-156-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2964-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-150-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2964-203-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2964-202-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3032-165-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/3032-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download