berbew | b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e

Analysis

max time kernel
95s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe
Size

59KB
MD5

a931b2509db2a8a5aec8395ff49b1905
SHA1

4a72c7f16902512e8d74f3070edac79b532a81dc
SHA256

b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e
SHA512

8d221bda29c0349dc8a0fdbb8aeb5e240e3b884de82f45f54225b117dfcd91bc0b2f4bf5966e72d99637de108aceb3f6a2a197406bdc25d3948f4799e9f8c81d
SSDEEP

768:V3SJqHl3igCWbHIDPzm5zHY/bFTtecK+nqW6KrY6MWxEXQ/1H5rXdnhgPD4N:V3DAgVzSPSRY/bFTplDroWxEazh

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Qdbiedpa.exeQffbbldm.exeAminee32.exeBjddphlq.exeAclpap32.exeBmngqdpj.exeCnffqf32.exeDelnin32.exePfolbmje.exeAabmqd32.exeAfoeiklb.exeBagflcje.exePncgmkmj.exePqbdjfln.exeBebblb32.exeBgcknmop.exeCfdhkhjj.exeDeokon32.exeAcjclpcf.exeAnadoi32.exeAqppkd32.exePqdqof32.exeAjhddjfn.exeBeeoaapl.exeBalpgb32.exeDdjejl32.exeDodbbdbb.exeb2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exePflplnlg.exeQfcfml32.exeAmbgef32.exeDaekdooc.exePnakhkol.exePnfdcjkg.exeAfmhck32.exeCenahpha.exeDmcibama.exeQqijje32.exeDdmaok32.exeQnhahj32.exeAnmjcieo.exeBmemac32.exeCegdnopg.exeCfmajipb.exeAccfbokl.exeBjfaeh32.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 59 IoCs

Processes:

Pnakhkol.exePcncpbmd.exePflplnlg.exePncgmkmj.exePqbdjfln.exePfolbmje.exePnfdcjkg.exePqdqof32.exePgnilpah.exeQnhahj32.exeQdbiedpa.exeQfcfml32.exeQqijje32.exeQffbbldm.exeAnmjcieo.exeAcjclpcf.exeAmbgef32.exeAclpap32.exeAnadoi32.exeAqppkd32.exeAfmhck32.exeAjhddjfn.exeAabmqd32.exeAfoeiklb.exeAminee32.exeAccfbokl.exeBjmnoi32.exeBagflcje.exeBebblb32.exeBfdodjhm.exeBmngqdpj.exeBeeoaapl.exeBgcknmop.exeBalpgb32.exeBjddphlq.exeBeihma32.exeBjfaeh32.exeBmemac32.exeCfmajipb.exeCenahpha.exeCnffqf32.exeCjmgfgdf.exeCeckcp32.exeCfdhkhjj.exeCmnpgb32.exeCnnlaehj.exeCegdnopg.exeDdjejl32.exeDmcibama.exeDdmaok32.exeDfknkg32.exeDobfld32.exeDelnin32.exeDodbbdbb.exeDaconoae.exeDeokon32.exeDkkcge32.exeDaekdooc.exeDmllipeg.exe

pid	Process
1852	Pnakhkol.exe
864	Pcncpbmd.exe
4084	Pflplnlg.exe
3376	Pncgmkmj.exe
2808	Pqbdjfln.exe
1008	Pfolbmje.exe
2536	Pnfdcjkg.exe
4560	Pqdqof32.exe
1876	Pgnilpah.exe
1448	Qnhahj32.exe
3052	Qdbiedpa.exe
1348	Qfcfml32.exe
3420	Qqijje32.exe
928	Qffbbldm.exe
1640	Anmjcieo.exe
2900	Acjclpcf.exe
4752	Ambgef32.exe
3740	Aclpap32.exe
3324	Anadoi32.exe
3736	Aqppkd32.exe
3240	Afmhck32.exe
3468	Ajhddjfn.exe
1648	Aabmqd32.exe
3956	Afoeiklb.exe
4024	Aminee32.exe
2504	Accfbokl.exe
3952	Bjmnoi32.exe
4736	Bagflcje.exe
2440	Bebblb32.exe
2664	Bfdodjhm.exe
2160	Bmngqdpj.exe
5088	Beeoaapl.exe
4428	Bgcknmop.exe
4520	Balpgb32.exe
3504	Bjddphlq.exe
3552	Beihma32.exe
2324	Bjfaeh32.exe
4868	Bmemac32.exe
4980	Cfmajipb.exe
3800	Cenahpha.exe
4032	Cnffqf32.exe
1232	Cjmgfgdf.exe
1288	Ceckcp32.exe
3700	Cfdhkhjj.exe
1916	Cmnpgb32.exe
3332	Cnnlaehj.exe
1104	Cegdnopg.exe
3788	Ddjejl32.exe
372	Dmcibama.exe
3748	Ddmaok32.exe
1276	Dfknkg32.exe
2028	Dobfld32.exe
832	Delnin32.exe
992	Dodbbdbb.exe
1628	Daconoae.exe
1784	Deokon32.exe
496	Dkkcge32.exe
1220	Daekdooc.exe
2408	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

Processes:

Qfcfml32.exeAmbgef32.exeAfoeiklb.exeBjfaeh32.exeBmemac32.exeDfknkg32.exeCnffqf32.exePnfdcjkg.exeAnmjcieo.exeAccfbokl.exeBagflcje.exeBmngqdpj.exeBjddphlq.exeDeokon32.exePnakhkol.exePqbdjfln.exeAcjclpcf.exeAqppkd32.exeCnnlaehj.exeDaconoae.exeDaekdooc.exeb2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exePfolbmje.exeQdbiedpa.exeBjmnoi32.exeDobfld32.exeDodbbdbb.exeDdmaok32.exePflplnlg.exeBeeoaapl.exeCfmajipb.exeCmnpgb32.exeBalpgb32.exePgnilpah.exeDkkcge32.exeAnadoi32.exeBebblb32.exeBeihma32.exeCfdhkhjj.exeDmcibama.exeCenahpha.exeQnhahj32.exeAclpap32.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cfmajipb.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
3680	2408	WerFault.exe	141

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Pcncpbmd.exeAfmhck32.exeCeckcp32.exeDodbbdbb.exeDmllipeg.exePnfdcjkg.exeAclpap32.exeAfoeiklb.exeDeokon32.exePflplnlg.exeAmbgef32.exeAminee32.exeDdjejl32.exeDaekdooc.exeQdbiedpa.exeBeeoaapl.exeCfmajipb.exeDdmaok32.exeQffbbldm.exeBebblb32.exeBeihma32.exeCfdhkhjj.exeDfknkg32.exePgnilpah.exeQfcfml32.exeBfdodjhm.exeBmngqdpj.exeCnffqf32.exeAjhddjfn.exeCenahpha.exeDelnin32.exePqbdjfln.exeAcjclpcf.exeAabmqd32.exeCjmgfgdf.exeDkkcge32.exePnakhkol.exePqdqof32.exeQqijje32.exeCegdnopg.exeAnadoi32.exeBgcknmop.exeb2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exeQnhahj32.exeAqppkd32.exeBjddphlq.exeDobfld32.exePfolbmje.exeAnmjcieo.exeAccfbokl.exeBjmnoi32.exeBalpgb32.exeCnnlaehj.exeDmcibama.exePncgmkmj.exeBagflcje.exeBmemac32.exeCmnpgb32.exeDaconoae.exeBjfaeh32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe

Modifies registry class 64 IoCs

Processes:

Bebblb32.exeBgcknmop.exeCjmgfgdf.exeCnnlaehj.exeDmcibama.exeDodbbdbb.exeDkkcge32.exePgnilpah.exeQfcfml32.exeAfoeiklb.exeCfmajipb.exeAminee32.exeBjmnoi32.exeBfdodjhm.exeBeeoaapl.exeCenahpha.exeCfdhkhjj.exePqdqof32.exeQffbbldm.exeAjhddjfn.exePfolbmje.exeDfknkg32.exeb2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exeCmnpgb32.exeDdjejl32.exeDeokon32.exeDaekdooc.exePqbdjfln.exeCnffqf32.exeDdmaok32.exeCeckcp32.exeDelnin32.exePflplnlg.exePncgmkmj.exePnfdcjkg.exeQnhahj32.exeQqijje32.exeAnmjcieo.exeAcjclpcf.exeAabmqd32.exeBalpgb32.exeDobfld32.exeBagflcje.exeBeihma32.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exePnakhkol.exePcncpbmd.exePflplnlg.exePncgmkmj.exePqbdjfln.exePfolbmje.exePnfdcjkg.exePqdqof32.exePgnilpah.exeQnhahj32.exeQdbiedpa.exeQfcfml32.exeQqijje32.exeQffbbldm.exeAnmjcieo.exeAcjclpcf.exeAmbgef32.exeAclpap32.exeAnadoi32.exeAqppkd32.exeAfmhck32.exe

description	pid	Process	procid_target
PID 4100 wrote to memory of 1852	4100	b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe	83
PID 4100 wrote to memory of 1852	4100	b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe	83
PID 4100 wrote to memory of 1852	4100	b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe	83
PID 1852 wrote to memory of 864	1852	Pnakhkol.exe	84
PID 1852 wrote to memory of 864	1852	Pnakhkol.exe	84
PID 1852 wrote to memory of 864	1852	Pnakhkol.exe	84
PID 864 wrote to memory of 4084	864	Pcncpbmd.exe	85
PID 864 wrote to memory of 4084	864	Pcncpbmd.exe	85
PID 864 wrote to memory of 4084	864	Pcncpbmd.exe	85
PID 4084 wrote to memory of 3376	4084	Pflplnlg.exe	86
PID 4084 wrote to memory of 3376	4084	Pflplnlg.exe	86
PID 4084 wrote to memory of 3376	4084	Pflplnlg.exe	86
PID 3376 wrote to memory of 2808	3376	Pncgmkmj.exe	87
PID 3376 wrote to memory of 2808	3376	Pncgmkmj.exe	87
PID 3376 wrote to memory of 2808	3376	Pncgmkmj.exe	87
PID 2808 wrote to memory of 1008	2808	Pqbdjfln.exe	88
PID 2808 wrote to memory of 1008	2808	Pqbdjfln.exe	88
PID 2808 wrote to memory of 1008	2808	Pqbdjfln.exe	88
PID 1008 wrote to memory of 2536	1008	Pfolbmje.exe	89
PID 1008 wrote to memory of 2536	1008	Pfolbmje.exe	89
PID 1008 wrote to memory of 2536	1008	Pfolbmje.exe	89
PID 2536 wrote to memory of 4560	2536	Pnfdcjkg.exe	90
PID 2536 wrote to memory of 4560	2536	Pnfdcjkg.exe	90
PID 2536 wrote to memory of 4560	2536	Pnfdcjkg.exe	90
PID 4560 wrote to memory of 1876	4560	Pqdqof32.exe	91
PID 4560 wrote to memory of 1876	4560	Pqdqof32.exe	91
PID 4560 wrote to memory of 1876	4560	Pqdqof32.exe	91
PID 1876 wrote to memory of 1448	1876	Pgnilpah.exe	92
PID 1876 wrote to memory of 1448	1876	Pgnilpah.exe	92
PID 1876 wrote to memory of 1448	1876	Pgnilpah.exe	92
PID 1448 wrote to memory of 3052	1448	Qnhahj32.exe	93
PID 1448 wrote to memory of 3052	1448	Qnhahj32.exe	93
PID 1448 wrote to memory of 3052	1448	Qnhahj32.exe	93
PID 3052 wrote to memory of 1348	3052	Qdbiedpa.exe	94
PID 3052 wrote to memory of 1348	3052	Qdbiedpa.exe	94
PID 3052 wrote to memory of 1348	3052	Qdbiedpa.exe	94
PID 1348 wrote to memory of 3420	1348	Qfcfml32.exe	95
PID 1348 wrote to memory of 3420	1348	Qfcfml32.exe	95
PID 1348 wrote to memory of 3420	1348	Qfcfml32.exe	95
PID 3420 wrote to memory of 928	3420	Qqijje32.exe	96
PID 3420 wrote to memory of 928	3420	Qqijje32.exe	96
PID 3420 wrote to memory of 928	3420	Qqijje32.exe	96
PID 928 wrote to memory of 1640	928	Qffbbldm.exe	97
PID 928 wrote to memory of 1640	928	Qffbbldm.exe	97
PID 928 wrote to memory of 1640	928	Qffbbldm.exe	97
PID 1640 wrote to memory of 2900	1640	Anmjcieo.exe	98
PID 1640 wrote to memory of 2900	1640	Anmjcieo.exe	98
PID 1640 wrote to memory of 2900	1640	Anmjcieo.exe	98
PID 2900 wrote to memory of 4752	2900	Acjclpcf.exe	99
PID 2900 wrote to memory of 4752	2900	Acjclpcf.exe	99
PID 2900 wrote to memory of 4752	2900	Acjclpcf.exe	99
PID 4752 wrote to memory of 3740	4752	Ambgef32.exe	100
PID 4752 wrote to memory of 3740	4752	Ambgef32.exe	100
PID 4752 wrote to memory of 3740	4752	Ambgef32.exe	100
PID 3740 wrote to memory of 3324	3740	Aclpap32.exe	101
PID 3740 wrote to memory of 3324	3740	Aclpap32.exe	101
PID 3740 wrote to memory of 3324	3740	Aclpap32.exe	101
PID 3324 wrote to memory of 3736	3324	Anadoi32.exe	102
PID 3324 wrote to memory of 3736	3324	Anadoi32.exe	102
PID 3324 wrote to memory of 3736	3324	Anadoi32.exe	102
PID 3736 wrote to memory of 3240	3736	Aqppkd32.exe	103
PID 3736 wrote to memory of 3240	3736	Aqppkd32.exe	103
PID 3736 wrote to memory of 3240	3736	Aqppkd32.exe	103
PID 3240 wrote to memory of 3468	3240	Afmhck32.exe	104

C:\Users\Admin\AppData\Local\Temp\b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe
"C:\Users\Admin\AppData\Local\Temp\b2ff8a59692199f86e5a229dd2184dcbba325f91a341521b9777e21a0285665e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Windows\SysWOW64\Pnakhkol.exe
  C:\Windows\system32\Pnakhkol.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\SysWOW64\Pcncpbmd.exe
    C:\Windows\system32\Pcncpbmd.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:864
  - - C:\Windows\SysWOW64\Pflplnlg.exe
      C:\Windows\system32\Pflplnlg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4084
    - - C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3376
      - C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1104
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:496
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 404
        61⤵
        Program crash
        
        PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2408 -ip 2408
1⤵
PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
59KB

MD5
3d300a2cae5281717d1de191daee4257

SHA1
1520bc50d089badd63f71c59c53568f9894559c2

SHA256
b40fc7c4ef53f78ded07626bfa4299322279edc37a2ecaf791be69dcd27f3eab

SHA512
a3a9a2df88e8d67a1a13319ce8dabbc209b5694463ef9dd13047a570a017cf2fb479c789f9fb446b1d0bf6b6696e0780bd224ae5394641119f608e354794e68d

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
59KB

MD5
6679d709166032a46a42c9eec18c90ad

SHA1
e2d669729e548f514c277c7ef0c9af773b91aca2

SHA256
6323298755ae0bd9810a9c049ccd404f5f97c62149ba30f5d267c8ec0831b67e

SHA512
3988959e97941274837bc56f3f90457ebe36082f7df5b719fa55a7869378718bbb8f3c1418813dc1fd5dccaf6bb5c222972720c22e396897a67e8ebfec76e3e4

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
59KB

MD5
db3f465be09d8ca437e470daa35f9328

SHA1
fcffbb3881cf38dca18ce686a0f201726cd313f8

SHA256
d1074c5462a7095e0880b93bd32929cd326e564be7ea547171315bd35639bf61

SHA512
af971dc160d094fb2c4370eac2ee86573eb14c62fcfb789be5406e480933e278534967996b11b0292ed8f3f4e8b16b308d505de7cea29414e8305f549db8aafa

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
59KB

MD5
030fc22d3a9f21266a5ad9709dbf025d

SHA1
dd77ab2f30999540daa8ce0f11d2d15b9471a66e

SHA256
63b617befed6da4b2b2fc8525f339bd8bfcc83d3382611b3b1f9c35f489bab9e

SHA512
a7c4a013a0f6e37f78d040bc84ba71d7e981b3f5023fb089512a41deda947efdd632d5b0a70820da7c95a92608c9e049bfcd50dc59a6d850a7c3d3b5dbe3af01

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
59KB

MD5
0ec7c77a62e16a5d9183bf1ac8b7f966

SHA1
8f6b2cb35468c9df8a9ffa90376edb09909f16a5

SHA256
4b840004156b76179df728cd4b6e5777aa0ebfa6e675d06b19c0fd865ff66bbc

SHA512
03f2b56fce0829f984589eaec4a23b2bd07f9f1f5d3e02a0459bb57d7684d4492b58e8fe8906a906c8e822b9429ae46d498229ca991f764758f471dcf0274f16

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
59KB

MD5
fd87cbd92d77fd9add95a3cdbdbfbc23

SHA1
05ec67e107072ddef312781c5fd35db1e80a9d31

SHA256
587bebebca89580b6595696cf3cdec31741073deecf1eff573590d2360360471

SHA512
65ef7d701c80b3340d2033456e853b10d6fc4cb4e67f5bf0056f1bb84d895b2553998c6baab16d601bff65fd865d722e0addf848f900630c38e14a19771b19fd

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
59KB

MD5
fce1dcc88214ea036109e85164965c4a

SHA1
e2ab95590e8b142f66fec60763212729732a2c6d

SHA256
057d93b166dfbf28d1e460cc5cbadf4727817213852ce2459ab729a85604b13c

SHA512
83d4b247d8c98165248a87fe0fe600f3aed01f488a7064d52d3a343ade2a240e49b3499acf8c01180d0afabd48d4fd32febaa255569fcbc744af55f14d6ec6a0

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
59KB

MD5
ecb5d832cda3d489a97392d468b180f9

SHA1
eea79c4065bedac22b8dfbaa3e41993b381c3555

SHA256
25720be020a27a17d8ad113a59a6d739004cda1c914b98087d86e20f2554ab5f

SHA512
ef0dc918215723c3012166e17b2bfaeb440de7a7d8f5b70cd77d1d9d9054116ec11de00636201342e22a6f7a72292c3e3cfbed93feb363bcfb365e4fdfadb928

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
59KB

MD5
9fdb377a8e8f99a4cec7e3ba401c33b5

SHA1
06ffb52a3994c3b0d411844880755d40897a7db2

SHA256
90bbcf23ff199e342cc19f8b11ee3aa0d2cdf038a794177fa65a620e3d5410e9

SHA512
e603b7a4f2cab78bcb69a7eaeecc2c73c28d07f77c9ca13004595cf6b12b2dd3d81bf190c87401d0bf328897eb573a6f7eb8ef2c4dd84536e7e55a24522e4cea

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
59KB

MD5
ebf09493e2080b7675ff278537b41519

SHA1
d9f4d135c07d91ff30aec7e48da00df905fc3621

SHA256
28b1caa0250ddc91106d2fcbb6fdf6c951c864955255fd66bbbbdeca6b1384c4

SHA512
02a0d0183f356c2c59c29d9bbbb74a647edc9b7da9397e7531b451bed048fb0a8bf1701f3c6a081e3ed21c64160cb23259d1e8c66555b1661730c6dc0b4bb3ab

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
59KB

MD5
bc5e1277b9406a0489dd7ab23747fd8b

SHA1
112647dfe0d0d463e848a5340d5a02c07690c5de

SHA256
7ab947b70728142bab78561c8170f35514f2c5ea119381f20e4406af91540c6d

SHA512
0b9208d79a9a91afef149c8780ab746783886338ffb20ae6c4c44de798737ff72bade09b83ef19b3a82b2c77bd18ef914c83397ee5c2d6ddbc7943a1c92a8de0

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
59KB

MD5
4380d1c2f490a8f5e4075f973feb0e56

SHA1
faf3dce03799c5000ebd25342f1a1df7e2aca330

SHA256
eebf2ba5584036f516c0b68aa266ed379457ee5996aa6f37eca57eea751a6c99

SHA512
122f8f2de4a1205ced3d433aa15ee0b62cc3dd9395fb1df57ef804942d2a249754b5421795aeb756dce81153c7c1a4bd2489eec9bece34eb319dee3ff67d0fb0

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
59KB

MD5
97c7357cadbb6dee306559cdb8e32fca

SHA1
d3c08abd26ecfc23400389a87e66c1fe1ba1db77

SHA256
6105043d315dc0392e4a6d056f0908118be2aa1f527aba8a478805ef53cf63c9

SHA512
096c8afa694f107411e8e7242a86f9446746788fdb8f6b642856aa2239199b6aa0b6bc491f35d9eaa464f4d30fc8ca4d2ad613fa1b646105b4707cf75e681428

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
59KB

MD5
7d92c295e0e099dc497862852e2fa99b

SHA1
c53b2d6cac7503540c3e5fd6ccc9fbaa43e13557

SHA256
b02cc9c1927b9aed63ddd1ada9dc9013c3468e4fba435396a6d4b1452b9531cb

SHA512
4ef5538eb232bf395241c29ee8bc4c7f62b23191da3020aaaccccac1e30b8862166a4873ae0a83260750ab4201ac8b0034912391344a2e09f82c35cdd77fa2c5

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
59KB

MD5
7460f2ad85e22e9a1d1c5b9feb6e8fa6

SHA1
cbe7d55e0042a04dcfdc3733525ecb3f4fcdd677

SHA256
ae040e2ca8370f1e3063f6e33a43e854e53ff9a6374cf54ba568e43631b8f23c

SHA512
7160828b70ce20587d8e68d0c27562924c2ecdb4cd2a27da7f4e7b3b181a8579b556ec30c27277207e7a5a61e6da759997c97bcaf7a74446539b1bc833b982c7

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
59KB

MD5
480cfd77c8bbe3c331a1c248706fd4e7

SHA1
dbf2ff02d39893754040af4450defe4f41337519

SHA256
31b4e9625ebf449dfd6a281c6aa7ae3cc8ce186aa81defe71b878e73cca70648

SHA512
be9dbb1561af964ae41c9ed884608ad46e7a2d9f00e783a54a384267218989dc01a3f095791291ea2142641160bfbb500cd1ef9c9bb8be696382037be3e58d46

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
59KB

MD5
1123508b490d44d46bf88362726a71aa

SHA1
af9901896d8ffda1e880f09d52ece838d7ec54e1

SHA256
68d2560f28278821023920eb28fac6c195fb641bbdc1f0a76c6815993665f75c

SHA512
d0ce38b470e7aba57960cf32d6821214d3f7d8b198f498d9ffcbcc24caf84afb2ffbeb2d180e1023493c9e6ac78cec94298f5e55892482faff36c8dff8ef4267

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
59KB

MD5
b295d90c1349f46026325e1467c8fca7

SHA1
d251cce9d827d4e63b801e419f771fa76befe800

SHA256
f6e6a33ed73cf6fc5a51250aae2a96e8f07846d4cc4035f23747f14cb851bd85

SHA512
0676a98173fc9f2f6cf6aef6d9388d02b721107f1099761ee2f45b367b8f013026d8c658a26a7d92e23922a6e9677a6a697ea1a4159b926697f5b33b94cc0faa

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
59KB

MD5
23383ca71c8e1f61d7582c9030e3a8be

SHA1
f7d92a8116cd4e498d0d38efaf69cdbcf36812e1

SHA256
06d6b6f9ac498219ae8fff26c6775b6e226fc7858aee5c35d68cf50a602484c0

SHA512
0c2f50494dd2756aa5d5e051e701fbe3cd883952bf35fb981384c36818663c478a1cd5419d8af6b7ec2143391066ffa47f5d30aab81694d6d185e968334667dc

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
59KB

MD5
63335ded16fd85449c2f89b8ae46c039

SHA1
38e85a18338a6b99d76d87537106d30b763bedf5

SHA256
ba62bb1f937b9cfb5eba8265103eca60eb82595efef69fc9a11c40e543810028

SHA512
e505b3e9b5f1d6315ac66624f4f03cde0d90f6a946ac67e220c8aa79e7b112fb1cbf57efbb54b80006e652559c75fe08cebb41a1b8cfc3e1348bdf9c5df70807

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
59KB

MD5
82cb831c2d4d9544e666caab080130b5

SHA1
4f565fd00bb073b23f6980dd40c6f9e53d590728

SHA256
cfca1a7833d71d155a231398b50700a5b2acdc690cbdc80c04f2b0ec0d5e7313

SHA512
c17dfda8e5d946145eacf01a0d2f52603350437efb1283f72e1e9a72cccb5c3d0cc28581bbccc3d05de0d440f1e5cf4245e0ed10d6d562c1900beebe820a1df7

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
59KB

MD5
e99c91a6bb0c2ad110a97862ed551bc9

SHA1
daf93373cb96888bd9dc0131c171ea5019fe1feb

SHA256
0655789a19e62b4f08715cfc913725c6f1c5fa884b61b66476dd1858f10f4619

SHA512
3bea0326901a1524627a5d0d85e1a1a3ffd9a72e8dcaf4be1f862fc72ba4ee50d7931e9d5b034ee77d2d0307dd1d04921495d7b0d9ebbf36c1c22e0c2d1a707e

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
59KB

MD5
34be6d8595c941d01f7e41e11772a3d0

SHA1
84aa5ba703a94a9b81b30775455931aaf05b65a1

SHA256
7dca90061f5e3b98f6cc5837c4ec758f70b93be31d7c1de6788ba4442b298dfd

SHA512
a2b0b49707f7838f41d293d458873e12d24ef691a9804564970e4f7048d01fc1e93c753654fa17bb0a58842f1c1f762b8a091b875387778c066dcbc7e3667ef1

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
59KB

MD5
be1ff2292866ce7fc3ba4ae972dddc13

SHA1
e614d55920f34558e76df2ab2ad1bda7e7c3c3ae

SHA256
fe3d6cda56157601e73efbc8ba4f4366b5a98150ad916f3d2b4a2a8f58e7c8fd

SHA512
b443fc024febcf5e07f072dcf2989ddfd5f439fbda2505dc0ff23baaac80c8ef7e5e070a8750470e94ed8d2a9096eaa3d3fbc594dafb2a881562ac54040946d1

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
59KB

MD5
cd3e40c52a5e85cde336fcdaee3a9c3d

SHA1
04b8b7d1d45de847f5d83f526ba1df2a0d06c31e

SHA256
29777188b27a6fc82ef9780cfb941b2eabf30128436ffebf3d640372ba93bcde

SHA512
08470d00aa2afb56867ba265e004bfd83e9a746cdd52e7c9cd5fd62990fa001a6ad785af99c5dc66431bd609c533243b1f1e4feea403ca4dd77975ad50243418

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
59KB

MD5
0bbc106f25584e11f23430b7d9fe9070

SHA1
3e2569e0c5905229b8acab1e054c3852a1e2e8c5

SHA256
a343bd561920ff22ddc9bb70b2cb0ea7fafecc720f49e116b8b02f00c2672904

SHA512
a63cd93245ef633fd755aef8beadba09089b36843cfc8762b945816a3ad446cffe361a9b75924fcef1e22525645ed04796e676018d865ff3162a7edfa188aab6

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
59KB

MD5
cf2c94d9c6cf1566f9ef864d8df8b064

SHA1
511272132aa57be91dfaa6bb90b3f22ca83ea71a

SHA256
5b3e2634dc9a37fa3049461576a24105aeab661b213c6cc8e9bbe86c1722e042

SHA512
76239b5151b0de11436baf5ed7ad4906506c8355b33550859d371057a6118d6f1c32b39ea6af3ee5c804a5e78455cb2db778af8a2bf1778b8c4326022e64c481

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
59KB

MD5
01b79246ccd03c8c118e057828390879

SHA1
02b9a95c51f795835a6c585f0f40da54ba336879

SHA256
4da998090242212f673a48cea8db65ef8fd86825ed61cbb5724e747346add3ef

SHA512
4dd32d2eee7669e0aae219de008806a4bae9dae58ebbcdb4a6ddc217294742f94b300a7ec530758caad78bd6879c754ae1dc94ec8120ffd3091be744006cd00a

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
59KB

MD5
57b8f85ee7d0a3ff2df397cdf9091685

SHA1
dbd460bb41f45be5ff8f2954bcc75e5c5e4d0b93

SHA256
86463ee5faa46d40d7cff8f52a7c7f618bc9e8871076253adc1174001fad2fe1

SHA512
12f392292c10edc423013e8cbcb38cb3b75374a13c27355cfb2542ee323344a9b6d65be837d6fd46d1d0eaa0a3fa41dd810c5278da7b658699bd7782a345f883

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
59KB

MD5
a215fc1069b0f7c74bc6131d1fbcb226

SHA1
fba49a268c0d384483a7f4d507ea5759d9eddb9b

SHA256
e0e032e0d48c142121d4b50dc30961b537df8dddecd62c1d975cea8dcb6120b1

SHA512
e20a4b05ab1d4067c0082a98585fe9055f52100db11ad89c4d99abefbd4c3c235cf2f095412b0e8dde9dae4dbe7db26ee5f3395665b80229ed623899770e88c4

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
59KB

MD5
99aa6b737782e1a33fa5c39299a2e97c

SHA1
d73fcfa1695b62e18bca03c17aec6351c2e0a131

SHA256
ddbdff6a06a74f1af1ecbca0524556ee72634ee9ef5543b4dfc4a1e038094e3a

SHA512
1b37b97b720481caa27528c6b0e1c62b301734166513694f2a797fad3abdedd8b2245c2a22e16f43efa2d8fbaaa2bd00148d7bdf938429ac0c66210051ed962d

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
59KB

MD5
220a28a7f3b92773b3603adfe3a3306a

SHA1
4be018d9e306955a1d29c823ad1ffe8ef02c604a

SHA256
c560bbc6c3e3cfe36002ffb903aabae78126f9c49847cf27602da46c0d341e7d

SHA512
22b994cf4fa36e5d84c2ff7d103d201c439b09e9bf9821e50c32ec7509ed214577eec7c1d1b7eb5bce30ec7bd700e25c0560d5ccd7fbea3af8e0e5d036091f18

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
59KB

MD5
e62156a4aea874ef177ed221022446ba

SHA1
151a98899e85e43d6672cdeb9f9e98afb27e02a8

SHA256
852d3ecdc732d03b37151a9de5e09c2337d2caf951d5534dd10ccb886ffc5750

SHA512
014505902dbd6c4da19fa4a19ba78dfaaec89c18a3d931af10e85972ccd147ebbabc5f4a8fae2982dccb404a41df58712f4642a4a6761c642501d602b10cf4b7

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
59KB

MD5
f5cceb103ffe9125777e082804562eb0

SHA1
19ac845d7db2858d5179a92e64b9303fc13426ea

SHA256
e5f2ed9f75cb5a300b1f3375dd146743006c783a39b426f2c169fe13c13acd65

SHA512
d70fd04bc31f7456e85c80901d938b2ffc01872f4b34b429c72340b37e6bec226cc87354f6b558a5e9d4e621058db36fe008ed50c2adbb6b30ff238c4424113c

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
59KB

MD5
c69af3dd03fdd6c18a7e2829417b0b42

SHA1
1c8801e81f2ea725f15805cf05653e1e65c32926

SHA256
8b5723ac12d8b4338b211692473758c11267a23fea9cba89afd9a7db1668da46

SHA512
378ff7d5c008f50ae2d96f5885b972e3b45f2fc368e69f822117f9a6635f6736afe02314d4679d98b0c9caa96671bc17099c62f67564643452d0557043505c79

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
59KB

MD5
8982fcc37691c193239ecd5b6b7b40be

SHA1
f1a679cf07512f0d215e1b639367520c1ed04bd5

SHA256
03a2551e2c660c6f159057caf4031d94fa848e5245b5aaa6f919a015c70388e1

SHA512
7080cd7ccf47204ece025b08b465a19cdfd90dd3fa2f78738168508eca181f60df4693a71d8b367dee3c5c139fbb00d96b6b733624e0af4223d3c2e5336d6931

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
59KB

MD5
22c3081b7310f2aab9b7bd1c80a363ca

SHA1
4027636cb6c6076f969184d24864405cfa9bbac9

SHA256
070be16d561db7d485fd160a04a2cd7e6e72d6f6d08c805eb8d5e8adbba33a99

SHA512
553440ad092518415449e5f443c4c8e2a184576110ad651b3415d0cb77cb7e7ef4198af9ac68b77be6e8481fc62460bd649874c1d15d0bb5ad470d5535bedcb4

Download Submit
memory/372-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/372-429-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/496-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/496-422-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/832-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/832-425-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/864-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/928-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/992-426-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/992-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1008-49-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1104-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1104-431-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1220-413-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1220-421-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1232-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1232-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1276-371-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1288-435-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1288-323-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1348-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1448-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1628-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1628-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1640-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1648-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1648-453-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1784-423-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1784-401-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1852-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1876-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1916-433-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1916-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2028-427-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2028-377-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2160-252-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2160-446-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2324-287-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2324-441-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2408-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2408-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2440-233-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2440-448-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2504-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2504-450-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2536-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2664-447-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2664-241-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2808-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2900-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3052-89-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3240-173-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3324-157-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3332-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3332-432-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3376-33-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3420-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3468-454-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3468-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3504-443-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3504-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3552-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3552-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3700-329-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3700-434-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3736-161-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3740-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3748-365-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3748-428-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3788-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3788-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3800-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3800-438-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3952-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3952-449-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3956-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3956-452-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4024-451-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4024-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4032-437-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4032-311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4084-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4100-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4100-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4428-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4428-445-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4520-444-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4520-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4560-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4736-229-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4752-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4868-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4868-440-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4980-299-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4980-439-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5088-261-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download