berbew | adbeef9fc3b02f1d3e7fbdfc8dac525430641858cef491d28a07e211afb05e15

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adbeef9fc3b02f1d3e7fbdfc8dac525430641858cef491d28a07e211afb05e15.exe
Size

72KB
MD5

0f9a1988d13c9c4530791c5ff81ac023
SHA1

f4139a24ffdc34dcb8fdad1d585f287aaa36d831
SHA256

adbeef9fc3b02f1d3e7fbdfc8dac525430641858cef491d28a07e211afb05e15
SHA512

da12e86bc21d624a60becdb6d71422cf5c38204fa3fab41bdde77e321cd7de69e428de0e3c15e454c162a6667f6b0a5f071ff6408c8d8f3b591c480b4a06aec3
SSDEEP

768:ONEaPyHnWFGfYPRHv0F/ca43Mn03CvDiC81JmiaISH90SGLhjQ/6DAv8Q5:iPKWsov0F0HMn03U43and0SGLhj06q

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Odhfob32.exeQodlkm32.exeadbeef9fc3b02f1d3e7fbdfc8dac525430641858cef491d28a07e211afb05e15.exeNadpgggp.exePfdabino.exePfgngh32.exeQeohnd32.exeApalea32.exeBalkchpi.exeCdoajb32.exeOhhkjp32.exeOappcfmb.exeAecaidjl.exeBnkbam32.exeBbikgk32.exeBhhpeafc.exeOghopm32.exePqemdbaj.exeAjpjakhc.exeBjbcfn32.exeOhaeia32.exeQngmgjeb.exeQeaedd32.exeBbdallnd.exeOnpjghhn.exePfikmh32.exePkidlk32.exePokieo32.exePomfkndo.exeNhohda32.exeBoplllob.exeBkglameg.exePmccjbaf.exeAchojp32.exeBlaopqpo.exePgpeal32.exeAjbggjfq.exeAeqabgoj.exeBnielm32.exeBlmfea32.exeOancnfoe.exeQgoapp32.exeCkiigmcd.exeAfiglkle.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odhfob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qodlkm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	adbeef9fc3b02f1d3e7fbdfc8dac525430641858cef491d28a07e211afb05e15.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nadpgggp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfdabino.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ohhkjp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oappcfmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aecaidjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oghopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqemdbaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ohaeia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qngmgjeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeaedd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onpjghhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odhfob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oappcfmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkidlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqemdbaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pokieo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nadpgggp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhohda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkglameg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Achojp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgpeal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qngmgjeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnielm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blmfea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onpjghhn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oancnfoe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkidlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oancnfoe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohhkjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afiglkle.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apalea32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 49 IoCs

Processes:

Nadpgggp.exeNhohda32.exeOhaeia32.exeOdhfob32.exeOnpjghhn.exeOghopm32.exeOancnfoe.exeOhhkjp32.exeOappcfmb.exePkidlk32.exePqemdbaj.exePgpeal32.exePokieo32.exePfdabino.exePomfkndo.exePfgngh32.exePoocpnbm.exePfikmh32.exePmccjbaf.exeQeohnd32.exeQodlkm32.exeQngmgjeb.exeQeaedd32.exeQgoapp32.exeAecaidjl.exeAjpjakhc.exeAchojp32.exeAjbggjfq.exeAmqccfed.exeAfiglkle.exeApalea32.exeAlhmjbhj.exeAeqabgoj.exeBnielm32.exeBbdallnd.exeBlmfea32.exeBnkbam32.exeBeejng32.exeBjbcfn32.exeBbikgk32.exeBalkchpi.exeBlaopqpo.exeBoplllob.exeBdmddc32.exeBhhpeafc.exeBkglameg.exeCdoajb32.exeCkiigmcd.exeCacacg32.exe

pid	Process
2156	Nadpgggp.exe
2704	Nhohda32.exe
2932	Ohaeia32.exe
1928	Odhfob32.exe
700	Onpjghhn.exe
528	Oghopm32.exe
2108	Oancnfoe.exe
3020	Ohhkjp32.exe
2920	Oappcfmb.exe
1644	Pkidlk32.exe
2536	Pqemdbaj.exe
1264	Pgpeal32.exe
2096	Pokieo32.exe
2196	Pfdabino.exe
2248	Pomfkndo.exe
1308	Pfgngh32.exe
1848	Poocpnbm.exe
688	Pfikmh32.exe
692	Pmccjbaf.exe
736	Qeohnd32.exe
2580	Qodlkm32.exe
1772	Qngmgjeb.exe
704	Qeaedd32.exe
880	Qgoapp32.exe
2684	Aecaidjl.exe
2940	Ajpjakhc.exe
3008	Achojp32.exe
2708	Ajbggjfq.exe
2844	Amqccfed.exe
632	Afiglkle.exe
2912	Apalea32.exe
1780	Alhmjbhj.exe
2896	Aeqabgoj.exe
3044	Bnielm32.exe
2744	Bbdallnd.exe
2276	Blmfea32.exe
1440	Bnkbam32.exe
2032	Beejng32.exe
2432	Bjbcfn32.exe
2060	Bbikgk32.exe
1760	Balkchpi.exe
2132	Blaopqpo.exe
2472	Boplllob.exe
1700	Bdmddc32.exe
2408	Bhhpeafc.exe
824	Bkglameg.exe
1052	Cdoajb32.exe
868	Ckiigmcd.exe
2716	Cacacg32.exe

Loads dropped DLL 64 IoCs

Processes:

adbeef9fc3b02f1d3e7fbdfc8dac525430641858cef491d28a07e211afb05e15.exeNadpgggp.exeNhohda32.exeOhaeia32.exeOdhfob32.exeOnpjghhn.exeOghopm32.exeOancnfoe.exeOhhkjp32.exeOappcfmb.exePkidlk32.exePqemdbaj.exePgpeal32.exePokieo32.exePfdabino.exePomfkndo.exePfgngh32.exePoocpnbm.exePfikmh32.exePmccjbaf.exeQeohnd32.exeQodlkm32.exeQngmgjeb.exeQeaedd32.exeQgoapp32.exeAecaidjl.exeAjpjakhc.exeAchojp32.exeAjbggjfq.exeAmqccfed.exeAfiglkle.exeApalea32.exe

pid	Process
2828	adbeef9fc3b02f1d3e7fbdfc8dac525430641858cef491d28a07e211afb05e15.exe
2828	adbeef9fc3b02f1d3e7fbdfc8dac525430641858cef491d28a07e211afb05e15.exe
2156	Nadpgggp.exe
2156	Nadpgggp.exe
2704	Nhohda32.exe
2704	Nhohda32.exe
2932	Ohaeia32.exe
2932	Ohaeia32.exe
1928	Odhfob32.exe
1928	Odhfob32.exe
700	Onpjghhn.exe
700	Onpjghhn.exe
528	Oghopm32.exe
528	Oghopm32.exe
2108	Oancnfoe.exe
2108	Oancnfoe.exe
3020	Ohhkjp32.exe
3020	Ohhkjp32.exe
2920	Oappcfmb.exe
2920	Oappcfmb.exe
1644	Pkidlk32.exe
1644	Pkidlk32.exe
2536	Pqemdbaj.exe
2536	Pqemdbaj.exe
1264	Pgpeal32.exe
1264	Pgpeal32.exe
2096	Pokieo32.exe
2096	Pokieo32.exe
2196	Pfdabino.exe
2196	Pfdabino.exe
2248	Pomfkndo.exe
2248	Pomfkndo.exe
1308	Pfgngh32.exe
1308	Pfgngh32.exe
1848	Poocpnbm.exe
1848	Poocpnbm.exe
688	Pfikmh32.exe
688	Pfikmh32.exe
692	Pmccjbaf.exe
692	Pmccjbaf.exe
736	Qeohnd32.exe
736	Qeohnd32.exe
2580	Qodlkm32.exe
2580	Qodlkm32.exe
1772	Qngmgjeb.exe
1772	Qngmgjeb.exe
704	Qeaedd32.exe
704	Qeaedd32.exe
880	Qgoapp32.exe
880	Qgoapp32.exe
2684	Aecaidjl.exe
2684	Aecaidjl.exe
2940	Ajpjakhc.exe
2940	Ajpjakhc.exe
3008	Achojp32.exe
3008	Achojp32.exe
2708	Ajbggjfq.exe
2708	Ajbggjfq.exe
2844	Amqccfed.exe
2844	Amqccfed.exe
632	Afiglkle.exe
632	Afiglkle.exe
2912	Apalea32.exe
2912	Apalea32.exe

Drops file in System32 directory 64 IoCs

Processes:

Bjbcfn32.exeBhhpeafc.exeadbeef9fc3b02f1d3e7fbdfc8dac525430641858cef491d28a07e211afb05e15.exeOdhfob32.exePomfkndo.exeAchojp32.exeBlaopqpo.exeCdoajb32.exeOhaeia32.exePfgngh32.exeQeohnd32.exeAeqabgoj.exePmccjbaf.exeAecaidjl.exeApalea32.exeBnkbam32.exeBbikgk32.exeNhohda32.exeOancnfoe.exeOappcfmb.exeQgoapp32.exeOghopm32.exeQodlkm32.exeQngmgjeb.exeBdmddc32.exeCkiigmcd.exePokieo32.exePoocpnbm.exeBbdallnd.exeBeejng32.exeBalkchpi.exePkidlk32.exePqemdbaj.exeAjpjakhc.exePfdabino.exePgpeal32.exeAlhmjbhj.exeAfiglkle.exeBlmfea32.exeOhhkjp32.exeAmqccfed.exeNadpgggp.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\Abacpl32.dll	Bjbcfn32.exe
File created	C:\Windows\SysWOW64\Mdqfkmom.dll	Bhhpeafc.exe
File opened for modification	C:\Windows\SysWOW64\Nadpgggp.exe	adbeef9fc3b02f1d3e7fbdfc8dac525430641858cef491d28a07e211afb05e15.exe
File created	C:\Windows\SysWOW64\Onpjghhn.exe	Odhfob32.exe
File created	C:\Windows\SysWOW64\Pfgngh32.exe	Pomfkndo.exe
File opened for modification	C:\Windows\SysWOW64\Ajbggjfq.exe	Achojp32.exe
File created	C:\Windows\SysWOW64\Bbikgk32.exe	Bjbcfn32.exe
File created	C:\Windows\SysWOW64\Boplllob.exe	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Ckiigmcd.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Odhfob32.exe	Ohaeia32.exe
File opened for modification	C:\Windows\SysWOW64\Poocpnbm.exe	Pfgngh32.exe
File created	C:\Windows\SysWOW64\Qodlkm32.exe	Qeohnd32.exe
File created	C:\Windows\SysWOW64\Bnielm32.exe	Aeqabgoj.exe
File created	C:\Windows\SysWOW64\Eioojl32.dll	Pmccjbaf.exe
File created	C:\Windows\SysWOW64\Hkhfgj32.dll	Aecaidjl.exe
File created	C:\Windows\SysWOW64\Alhmjbhj.exe	Apalea32.exe
File created	C:\Windows\SysWOW64\Beejng32.exe	Bnkbam32.exe
File created	C:\Windows\SysWOW64\Hocjoqin.dll	Bbikgk32.exe
File created	C:\Windows\SysWOW64\Ohaeia32.exe	Nhohda32.exe
File created	C:\Windows\SysWOW64\Ohhkjp32.exe	Oancnfoe.exe
File opened for modification	C:\Windows\SysWOW64\Ohhkjp32.exe	Oancnfoe.exe
File created	C:\Windows\SysWOW64\Pkidlk32.exe	Oappcfmb.exe
File opened for modification	C:\Windows\SysWOW64\Aecaidjl.exe	Qgoapp32.exe
File created	C:\Windows\SysWOW64\Oancnfoe.exe	Oghopm32.exe
File opened for modification	C:\Windows\SysWOW64\Qodlkm32.exe	Qeohnd32.exe
File opened for modification	C:\Windows\SysWOW64\Qngmgjeb.exe	Qodlkm32.exe
File created	C:\Windows\SysWOW64\Qeaedd32.exe	Qngmgjeb.exe
File opened for modification	C:\Windows\SysWOW64\Bhhpeafc.exe	Bdmddc32.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Pnalpimd.dll	Ohaeia32.exe
File opened for modification	C:\Windows\SysWOW64\Pfdabino.exe	Pokieo32.exe
File created	C:\Windows\SysWOW64\Ilfila32.dll	Poocpnbm.exe
File created	C:\Windows\SysWOW64\Blmfea32.exe	Bbdallnd.exe
File opened for modification	C:\Windows\SysWOW64\Alhmjbhj.exe	Apalea32.exe
File created	C:\Windows\SysWOW64\Bjbcfn32.exe	Beejng32.exe
File created	C:\Windows\SysWOW64\Blaopqpo.exe	Balkchpi.exe
File created	C:\Windows\SysWOW64\Lgenio32.dll	Odhfob32.exe
File created	C:\Windows\SysWOW64\Jcbemfmf.dll	Pkidlk32.exe
File opened for modification	C:\Windows\SysWOW64\Pgpeal32.exe	Pqemdbaj.exe
File created	C:\Windows\SysWOW64\Ipgljgoi.dll	Pqemdbaj.exe
File opened for modification	C:\Windows\SysWOW64\Achojp32.exe	Ajpjakhc.exe
File opened for modification	C:\Windows\SysWOW64\Onpjghhn.exe	Odhfob32.exe
File created	C:\Windows\SysWOW64\Ikhkppkn.dll	Oancnfoe.exe
File created	C:\Windows\SysWOW64\Pfdabino.exe	Pokieo32.exe
File created	C:\Windows\SysWOW64\Ajpjakhc.exe	Aecaidjl.exe
File opened for modification	C:\Windows\SysWOW64\Pomfkndo.exe	Pfdabino.exe
File created	C:\Windows\SysWOW64\Poocpnbm.exe	Pfgngh32.exe
File opened for modification	C:\Windows\SysWOW64\Bjbcfn32.exe	Beejng32.exe
File created	C:\Windows\SysWOW64\Hmomkh32.dll	Pgpeal32.exe
File created	C:\Windows\SysWOW64\Aeqabgoj.exe	Alhmjbhj.exe
File opened for modification	C:\Windows\SysWOW64\Boplllob.exe	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Hbappj32.dll	Afiglkle.exe
File created	C:\Windows\SysWOW64\Ekdnehnn.dll	Bbdallnd.exe
File opened for modification	C:\Windows\SysWOW64\Bnkbam32.exe	Blmfea32.exe
File created	C:\Windows\SysWOW64\Pqemdbaj.exe	Pkidlk32.exe
File created	C:\Windows\SysWOW64\Pgpeal32.exe	Pqemdbaj.exe
File opened for modification	C:\Windows\SysWOW64\Qeohnd32.exe	Pmccjbaf.exe
File created	C:\Windows\SysWOW64\Cenaioaq.dll	Achojp32.exe
File opened for modification	C:\Windows\SysWOW64\Bkglameg.exe	Bhhpeafc.exe
File opened for modification	C:\Windows\SysWOW64\Oappcfmb.exe	Ohhkjp32.exe
File created	C:\Windows\SysWOW64\Emfmdo32.dll	Qgoapp32.exe
File created	C:\Windows\SysWOW64\Afiglkle.exe	Amqccfed.exe
File created	C:\Windows\SysWOW64\Cfgheegc.dll	Balkchpi.exe
File created	C:\Windows\SysWOW64\Nhohda32.exe	Nadpgggp.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2812	2716	WerFault.exe	78

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Pfikmh32.exeBoplllob.exeCkiigmcd.exeBbdallnd.exeOghopm32.exeQodlkm32.exeQeaedd32.exeAjbggjfq.exeAmqccfed.exeCacacg32.exePfdabino.exeAfiglkle.exeAlhmjbhj.exeBlaopqpo.exeBkglameg.exePgpeal32.exeQgoapp32.exeAjpjakhc.exeAchojp32.exeApalea32.exeNadpgggp.exeBnkbam32.exeBnielm32.exeBjbcfn32.exeOhhkjp32.exePokieo32.exePomfkndo.exePoocpnbm.exeQngmgjeb.exePfgngh32.exeBlmfea32.exeBeejng32.exeadbeef9fc3b02f1d3e7fbdfc8dac525430641858cef491d28a07e211afb05e15.exeNhohda32.exeOhaeia32.exeOappcfmb.exePkidlk32.exeBdmddc32.exeBhhpeafc.exeCdoajb32.exeQeohnd32.exeAecaidjl.exeAeqabgoj.exeOdhfob32.exeOnpjghhn.exeOancnfoe.exePqemdbaj.exePmccjbaf.exeBbikgk32.exeBalkchpi.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfikmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boplllob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdallnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oghopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodlkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeaedd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajbggjfq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqccfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfdabino.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afiglkle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alhmjbhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaopqpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgpeal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgoapp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpjakhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achojp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apalea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nadpgggp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkbam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnielm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbcfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohhkjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokieo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pomfkndo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poocpnbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qngmgjeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfgngh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blmfea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beejng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adbeef9fc3b02f1d3e7fbdfc8dac525430641858cef491d28a07e211afb05e15.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhohda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohaeia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oappcfmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkidlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhpeafc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeohnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aecaidjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeqabgoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odhfob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onpjghhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oancnfoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqemdbaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmccjbaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balkchpi.exe

Modifies registry class 64 IoCs

Processes:

Boplllob.exeBalkchpi.exeAfiglkle.exeBnkbam32.exePoocpnbm.exePmccjbaf.exeQeohnd32.exeAjbggjfq.exeBeejng32.exeadbeef9fc3b02f1d3e7fbdfc8dac525430641858cef491d28a07e211afb05e15.exePkidlk32.exeQgoapp32.exeBhhpeafc.exeNhohda32.exePgpeal32.exeBlaopqpo.exePfikmh32.exeOnpjghhn.exeApalea32.exeBnielm32.exeBjbcfn32.exeBbikgk32.exeOhaeia32.exeBkglameg.exeOancnfoe.exePomfkndo.exeAlhmjbhj.exeBlmfea32.exeCdoajb32.exeOdhfob32.exePfgngh32.exeQngmgjeb.exeAmqccfed.exeAjpjakhc.exePokieo32.exeBdmddc32.exeCkiigmcd.exeQeaedd32.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgheegc.dll"	Balkchpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Poocpnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eioojl32.dll"	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nacehmno.dll"	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beejng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	adbeef9fc3b02f1d3e7fbdfc8dac525430641858cef491d28a07e211afb05e15.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pkidlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emfmdo32.dll"	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nhohda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgpeal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liggabfp.dll"	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Boplllob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodajl32.dll"	Pfikmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Onpjghhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnielm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	adbeef9fc3b02f1d3e7fbdfc8dac525430641858cef491d28a07e211afb05e15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnalpimd.dll"	Ohaeia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikhkppkn.dll"	Oancnfoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqlhpf32.dll"	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Alhmjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odhfob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkidlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqfjpj32.dll"	Alhmjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoqbnm32.dll"	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imogmg32.dll"	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfnkga32.dll"	Qngmgjeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amqccfed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	adbeef9fc3b02f1d3e7fbdfc8dac525430641858cef491d28a07e211afb05e15.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnablp32.dll"	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodmbemj.dll"	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjnolikh.dll"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icdleb32.dll"	Nhohda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pokieo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qofpoogh.dll"	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibafdk32.dll"	adbeef9fc3b02f1d3e7fbdfc8dac525430641858cef491d28a07e211afb05e15.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qeaedd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	Process	procid_target
PID 2828 wrote to memory of 2156	2828	adbeef9fc3b02f1d3e7fbdfc8dac525430641858cef491d28a07e211afb05e15.exe	30
PID 2828 wrote to memory of 2156	2828	adbeef9fc3b02f1d3e7fbdfc8dac525430641858cef491d28a07e211afb05e15.exe	30
PID 2828 wrote to memory of 2156	2828	adbeef9fc3b02f1d3e7fbdfc8dac525430641858cef491d28a07e211afb05e15.exe	30
PID 2828 wrote to memory of 2156	2828	adbeef9fc3b02f1d3e7fbdfc8dac525430641858cef491d28a07e211afb05e15.exe	30
PID 2156 wrote to memory of 2704	2156	Nadpgggp.exe	31
PID 2156 wrote to memory of 2704	2156	Nadpgggp.exe	31
PID 2156 wrote to memory of 2704	2156	Nadpgggp.exe	31
PID 2156 wrote to memory of 2704	2156	Nadpgggp.exe	31
PID 2704 wrote to memory of 2932	2704	Nhohda32.exe	32
PID 2704 wrote to memory of 2932	2704	Nhohda32.exe	32
PID 2704 wrote to memory of 2932	2704	Nhohda32.exe	32
PID 2704 wrote to memory of 2932	2704	Nhohda32.exe	32
PID 2932 wrote to memory of 1928	2932	Ohaeia32.exe	33
PID 2932 wrote to memory of 1928	2932	Ohaeia32.exe	33
PID 2932 wrote to memory of 1928	2932	Ohaeia32.exe	33
PID 2932 wrote to memory of 1928	2932	Ohaeia32.exe	33
PID 1928 wrote to memory of 700	1928	Odhfob32.exe	34
PID 1928 wrote to memory of 700	1928	Odhfob32.exe	34
PID 1928 wrote to memory of 700	1928	Odhfob32.exe	34
PID 1928 wrote to memory of 700	1928	Odhfob32.exe	34
PID 700 wrote to memory of 528	700	Onpjghhn.exe	35
PID 700 wrote to memory of 528	700	Onpjghhn.exe	35
PID 700 wrote to memory of 528	700	Onpjghhn.exe	35
PID 700 wrote to memory of 528	700	Onpjghhn.exe	35
PID 528 wrote to memory of 2108	528	Oghopm32.exe	36
PID 528 wrote to memory of 2108	528	Oghopm32.exe	36
PID 528 wrote to memory of 2108	528	Oghopm32.exe	36
PID 528 wrote to memory of 2108	528	Oghopm32.exe	36
PID 2108 wrote to memory of 3020	2108	Oancnfoe.exe	37
PID 2108 wrote to memory of 3020	2108	Oancnfoe.exe	37
PID 2108 wrote to memory of 3020	2108	Oancnfoe.exe	37
PID 2108 wrote to memory of 3020	2108	Oancnfoe.exe	37
PID 3020 wrote to memory of 2920	3020	Ohhkjp32.exe	38
PID 3020 wrote to memory of 2920	3020	Ohhkjp32.exe	38
PID 3020 wrote to memory of 2920	3020	Ohhkjp32.exe	38
PID 3020 wrote to memory of 2920	3020	Ohhkjp32.exe	38
PID 2920 wrote to memory of 1644	2920	Oappcfmb.exe	39
PID 2920 wrote to memory of 1644	2920	Oappcfmb.exe	39
PID 2920 wrote to memory of 1644	2920	Oappcfmb.exe	39
PID 2920 wrote to memory of 1644	2920	Oappcfmb.exe	39
PID 1644 wrote to memory of 2536	1644	Pkidlk32.exe	40
PID 1644 wrote to memory of 2536	1644	Pkidlk32.exe	40
PID 1644 wrote to memory of 2536	1644	Pkidlk32.exe	40
PID 1644 wrote to memory of 2536	1644	Pkidlk32.exe	40
PID 2536 wrote to memory of 1264	2536	Pqemdbaj.exe	41
PID 2536 wrote to memory of 1264	2536	Pqemdbaj.exe	41
PID 2536 wrote to memory of 1264	2536	Pqemdbaj.exe	41
PID 2536 wrote to memory of 1264	2536	Pqemdbaj.exe	41
PID 1264 wrote to memory of 2096	1264	Pgpeal32.exe	42
PID 1264 wrote to memory of 2096	1264	Pgpeal32.exe	42
PID 1264 wrote to memory of 2096	1264	Pgpeal32.exe	42
PID 1264 wrote to memory of 2096	1264	Pgpeal32.exe	42
PID 2096 wrote to memory of 2196	2096	Pokieo32.exe	43
PID 2096 wrote to memory of 2196	2096	Pokieo32.exe	43
PID 2096 wrote to memory of 2196	2096	Pokieo32.exe	43
PID 2096 wrote to memory of 2196	2096	Pokieo32.exe	43
PID 2196 wrote to memory of 2248	2196	Pfdabino.exe	44
PID 2196 wrote to memory of 2248	2196	Pfdabino.exe	44
PID 2196 wrote to memory of 2248	2196	Pfdabino.exe	44
PID 2196 wrote to memory of 2248	2196	Pfdabino.exe	44
PID 2248 wrote to memory of 1308	2248	Pomfkndo.exe	45
PID 2248 wrote to memory of 1308	2248	Pomfkndo.exe	45
PID 2248 wrote to memory of 1308	2248	Pomfkndo.exe	45
PID 2248 wrote to memory of 1308	2248	Pomfkndo.exe	45

C:\Users\Admin\AppData\Local\Temp\adbeef9fc3b02f1d3e7fbdfc8dac525430641858cef491d28a07e211afb05e15.exe
"C:\Users\Admin\AppData\Local\Temp\adbeef9fc3b02f1d3e7fbdfc8dac525430641858cef491d28a07e211afb05e15.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\SysWOW64\Nadpgggp.exe
  C:\Windows\system32\Nadpgggp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\Nhohda32.exe
    C:\Windows\system32\Nhohda32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\Ohaeia32.exe
      C:\Windows\system32\Ohaeia32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2932
    - - C:\Windows\SysWOW64\Odhfob32.exe
        
        C:\Windows\system32\Odhfob32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
      - C:\Windows\SysWOW64\Onpjghhn.exe
        
        C:\Windows\system32\Onpjghhn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Windows\SysWOW64\Oghopm32.exe
        
        C:\Windows\system32\Oghopm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\SysWOW64\Oancnfoe.exe
        
        C:\Windows\system32\Oancnfoe.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Ohhkjp32.exe
        
        C:\Windows\system32\Ohhkjp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Oappcfmb.exe
        
        C:\Windows\system32\Oappcfmb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Pkidlk32.exe
        
        C:\Windows\system32\Pkidlk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Pqemdbaj.exe
        
        C:\Windows\system32\Pqemdbaj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Pgpeal32.exe
        
        C:\Windows\system32\Pgpeal32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Pokieo32.exe
        
        C:\Windows\system32\Pokieo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Pfdabino.exe
        
        C:\Windows\system32\Pfdabino.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Pomfkndo.exe
        
        C:\Windows\system32\Pomfkndo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Pfgngh32.exe
        
        C:\Windows\system32\Pfgngh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Poocpnbm.exe
        
        C:\Windows\system32\Poocpnbm.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Pfikmh32.exe
        
        C:\Windows\system32\Pfikmh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Pmccjbaf.exe
        
        C:\Windows\system32\Pmccjbaf.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\Qeohnd32.exe
        
        C:\Windows\system32\Qeohnd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:736
        
        C:\Windows\SysWOW64\Qodlkm32.exe
        
        C:\Windows\system32\Qodlkm32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\Qngmgjeb.exe
        
        C:\Windows\system32\Qngmgjeb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Qeaedd32.exe
        
        C:\Windows\system32\Qeaedd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:704
        
        C:\Windows\SysWOW64\Qgoapp32.exe
        
        C:\Windows\system32\Qgoapp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Aecaidjl.exe
        
        C:\Windows\system32\Aecaidjl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\Ajpjakhc.exe
        
        C:\Windows\system32\Ajpjakhc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Achojp32.exe
        
        C:\Windows\system32\Achojp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Windows\SysWOW64\Ajbggjfq.exe
        
        C:\Windows\system32\Ajbggjfq.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Amqccfed.exe
        
        C:\Windows\system32\Amqccfed.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Afiglkle.exe
        
        C:\Windows\system32\Afiglkle.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Apalea32.exe
        
        C:\Windows\system32\Apalea32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Alhmjbhj.exe
        
        C:\Windows\system32\Alhmjbhj.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Aeqabgoj.exe
        
        C:\Windows\system32\Aeqabgoj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\Bnielm32.exe
        
        C:\Windows\system32\Bnielm32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Bbdallnd.exe
        
        C:\Windows\system32\Bbdallnd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\Blmfea32.exe
        
        C:\Windows\system32\Blmfea32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Bnkbam32.exe
        
        C:\Windows\system32\Bnkbam32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Beejng32.exe
        
        C:\Windows\system32\Beejng32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Bjbcfn32.exe
        
        C:\Windows\system32\Bjbcfn32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Balkchpi.exe
        
        C:\Windows\system32\Balkchpi.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Blaopqpo.exe
        
        C:\Windows\system32\Blaopqpo.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Bhhpeafc.exe
        
        C:\Windows\system32\Bhhpeafc.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 140
        51⤵
        Program crash
        
        PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Achojp32.exe

Filesize
72KB

MD5
93f7407b6c1fecccb00403f5233297c2

SHA1
a59fbbe13f361d9adb296511a727207598f625e8

SHA256
276b72a1164cac3ee34111f32b1ba9707a02328409a74b7a59fb084efb6d0139

SHA512
d019198f5338e9cd5140e5a5b95db562ad5fe49faec2db953d7ef0930edef0715c8c11010ba71b24a77834b426ccfd3b6ff07bec6e0f2b1890fea44cc6ff2418

Download Submit
C:\Windows\SysWOW64\Aecaidjl.exe

Filesize
72KB

MD5
e70f90cebaa00a358a9abe44e9dfb85b

SHA1
35bf35dbad9b92f0a2cdee0b77e9fe4ab024c4af

SHA256
3fbad08de5868572e84f5ed2d21f3623cbb915b05dfd822a94e04d21f7bce44b

SHA512
07bb451d252f956938d2f96faf42a1171d6253dda995160d6d2d16d737394edccdd68192251ece06de8812a589b5f151fe4b577c7b5b750efd8af9f5eb190dd4

Download Submit
C:\Windows\SysWOW64\Aeqabgoj.exe

Filesize
72KB

MD5
cce34d977b3d93d6c050ec3826bbea85

SHA1
b0698da3992254acb08b9cfc9e96cbb9387faf18

SHA256
52b8ca05b82f9939c8980f62adbc86c63c0a193c0dd487193ced5ca2406d18b3

SHA512
52e20b44b31b620c96e0ab5cbc2b3a4e0c22633b0ac1ac7224f6f99e066a97dd494c6d7f76f86361860bf34741cf6e7080399c5dcb133d4c204c5af4e5d1b7da

Download Submit
C:\Windows\SysWOW64\Afiglkle.exe

Filesize
72KB

MD5
255afacce6664d7d37ee4e55b853c8a3

SHA1
22f1e67e27b687e3b51baa4f9b3eeced267e29bf

SHA256
d96d43b03b82b3c953be82067c16a4d57894e6d07825cbde229a5ead6a878463

SHA512
4102288880330f4e3850f72d1be00184f4e4ac912421e1e64714b43da907229227f10ae1c918d1a3afc47d5875c01e011e028f7f955a19f9368f81ee565091dd

Download Submit
C:\Windows\SysWOW64\Ajbggjfq.exe

Filesize
72KB

MD5
6fd73295a584d83215e3ad31358d5cbb

SHA1
655bc9bc49810049001799506605496cd3dc5ec7

SHA256
a99df26e39f7a7e36247eca84b2a8593c9f2e867a397492a9303b21dda603b06

SHA512
77b3d34fc46e9c5ab46ade3c3177ed9f28040449d1519f47e591313e8255645f7fdb60e53e25f71c40bf78b12f71ba2f8a686b7069a24c74273605f2d2fb44b6

Download Submit
C:\Windows\SysWOW64\Ajpjakhc.exe

Filesize
72KB

MD5
fbfb1f9851d7c84b95098ac8134fcb75

SHA1
724805c6b68a01d665a1f7421a97f96f958a26df

SHA256
7345c4e5e6582370df705d77650cd45c719293dc090c9d9f05fa715c5f9fd951

SHA512
f657b689d7a7e28d714d2e3196d32eafc3f641dc49d56cea4f0aceeac88a177e80c4c146472da717c58db83cab7905e51db77205ee9783a2bd0624f11f57c5d3

Download Submit
C:\Windows\SysWOW64\Alhmjbhj.exe

Filesize
72KB

MD5
26972bf7fe49719d1fbdde092c88ca39

SHA1
1da7550c8f63e3c85ff68564b0d17f4c53b03ceb

SHA256
7e46877a150bfb5eeb7c4775e73e5bcb0295939966f14dce4325a304bfdf28c3

SHA512
d8f6ebfa5a5b13e12aebb57e0c54735b8c91b5beb1cfe288c4d563a98b63f939d3645542e2a9a88d9daca557d44933d4864d5478e533812e4c5f2d68ced42595

Download Submit
C:\Windows\SysWOW64\Amqccfed.exe

Filesize
72KB

MD5
1d9cb04a3d4bd39e0576d71f58ddded9

SHA1
1c2b641d6bf586c9df68c19065ca526f28322f93

SHA256
6607137043e03ea60ad9399ff9c258c60cc2c6085b98d5ae96cca909087b4054

SHA512
f3959a8e7092c34a96b918953cd28e3b421276ec4b4b09c13b7afd888af3a3ba4ca14b03864a6946ff7f81b45b1437ec85fc909b7fb7318c486120f2823e273d

Download Submit
C:\Windows\SysWOW64\Apalea32.exe

Filesize
72KB

MD5
28e0c7bbc2477b118738783d3562e15e

SHA1
0cc795b692ced8889fbe712a0ee566f63d9639a2

SHA256
c35764bf068ea241a61309d3a0241d4d0a1080a0cc74c362c18931bf22987e80

SHA512
e06b4c8c110c514e09afaa532647bc236ead846d9125f8c4cae6cbe67a04c79c382eb726a36976e1ce3d97d1102c6e3b8711cd3bef2b9d9ace743e518105c33d

Download Submit
C:\Windows\SysWOW64\Balkchpi.exe

Filesize
72KB

MD5
7e21891d2e6640fc14595717105302f3

SHA1
2daa8f20af12db0bfcfcc92fbb055e17a89e51b6

SHA256
4ec36d9d0c65a0504c62f2427da83f0a2cc0c376f2f8c76ec1f8fdcef4480a0a

SHA512
1472f35c145b26b8099dee5c54f14fb08992dadb012017f510cb26e849688b55988d01f52c16ec931488e7e5600f8ce6412351ff87d980b3c83429db55b3fd20

Download Submit
C:\Windows\SysWOW64\Bbdallnd.exe

Filesize
72KB

MD5
7036a99810f6a1b147613ab52faa1518

SHA1
4f90b17cded13ae3ff9a234cc51802a5f13d8465

SHA256
3293d4eecc62cc4eef9d59d1ed648bd50aa33507db0fc5b982335e4a346aba9e

SHA512
f8764ef8c0ffe67bbe079ac503b3ac6dca15525c9a50a8f0a2b6e49893be984597d1c57fe87d0e0e6a48b18831c9e53b299338e1fa6d7a2980c2c09ee63c65f4

Download Submit
C:\Windows\SysWOW64\Bbikgk32.exe

Filesize
72KB

MD5
fafa6b214c6c1d69981b8afe1163f80d

SHA1
aa62de314e209ea43215aa85b8e492972290f099

SHA256
f4bb4a2e9cacff4db20cc021c31d9018f2470fc75f9a4a8ab5a5a5346df4a196

SHA512
5f4f2cd6fcefbdde7cd199e9663677fc859c49523179da77b854cb1d1d46d6e15c6d40c3f794f8dca6e741c0f6123f6f22ceac743e824871c02609cc4f87d996

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
72KB

MD5
ba62e42451680752a1fe9ea2720f1d6a

SHA1
edda27dd190f3507b30bc761c6190c91dbaa91bd

SHA256
756778212117b85c4c326e97dacf84759dccb88fb4366b8e7b2e1fbea2aa179f

SHA512
0f38311710359bdb34c9e4b36e69539cd61528b417072d2ac142ce05dcd2f30d40657dfa218eccb82212629eb64d3b5f579c06449934ae9825010a55eeeef72f

Download Submit
C:\Windows\SysWOW64\Beejng32.exe

Filesize
72KB

MD5
8816a1fa66ccd16f3350cf0eaee33b9c

SHA1
13b2f048dd95cd9087f38688ba075ef70033c389

SHA256
d080eb1e87d8bb9bdcc6c3ad093c0bebcbf790877fc6498480b1a4ce30a9d30a

SHA512
c58fe95c6afb7627bf91a5706af8d7a48bf46e9355b8e25119cd590186233a209279de46d61a9f447b24f7c023c9e4b93496ff2baeff46f36aaf99f3b358bb51

Download Submit
C:\Windows\SysWOW64\Bhhpeafc.exe

Filesize
72KB

MD5
1ad8699806eb957278b95bc567aae45a

SHA1
8f79e80f63dbace9a4ec1097755a8966e581e41f

SHA256
1b4583a6d316c478a716edf46972287231bd9af4733dfc2c10509c67f4b4642f

SHA512
93590aa71f57cfe026d787b005a5257d25082d10fb0e185d9086c644f1168f443f87e4e2fa23ccf7b09918793b1e28ad0a2b0091839b0bbb4226874ed9a8a1e5

Download Submit
C:\Windows\SysWOW64\Bjbcfn32.exe

Filesize
72KB

MD5
96d5816bbf68475a22517e4243c1a73f

SHA1
0f0fff44fc2089fb47847efc539221ea2fe3f14f

SHA256
01b839e5278fcf1b7c09a7a00a2511b7dfb359f8b0f439c21cc58e6882a55bbf

SHA512
1705af7b559a8aadac5d87a1510587f7da972da442f1cc1b8b3a1b3125db76a5f7a95adb468bb6b1cc568cf3215faac0a5581570db2cab3239c5f56499c0d3c0

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
72KB

MD5
a0e8412f3626490f1845b61bdf3b0490

SHA1
f1eef9c963ecb0047f363c33cfc4942673ced072

SHA256
538b151dbcd1b41dce486f3ca2584cdf1438e356f8e579e12719121214ef1c50

SHA512
e29f8d80adb8e9999e1f18a589098b32888af47d8e0b794d417b45acaf6ff9353dbb7cc80cd7e5daac297cd959c7e4396a44a0b002e1168913461a733bb04838

Download Submit
C:\Windows\SysWOW64\Blaopqpo.exe

Filesize
72KB

MD5
c7427e7572292dd0ece9efa3269c85c0

SHA1
d273953fd9b86987e71b57ba17fa1a5bb02c2b8a

SHA256
1061d419abe5e9ab5b17164da0ec0f6aefcf9073d42b3e9ec636a42e615fee45

SHA512
3126e3752319f326174a66f54ec9cc18890f251ff047ca996eeee524b4f9993e2b4c2d4491edbbcb19c1b04a5abd10a1d32e3cfd719aea67191671fe9052e3bd

Download Submit
C:\Windows\SysWOW64\Blmfea32.exe

Filesize
72KB

MD5
111912e3b31fe7eafe3524650d7aaf47

SHA1
bf34c06b8ee8e17e760c85d093f973a21601cd89

SHA256
0732865af7ac22a1e09a764fa5900538648a003392c8dab33d19383389b26626

SHA512
c3df9ad5aa2a8dbc10ad012aa31e1d18128b6f0dce99eabda5b6c7210194a8d772ea73e479ca3448bb474b35d2f7fae50339483c8cacca91f20c2657e6387c27

Download Submit
C:\Windows\SysWOW64\Bnielm32.exe

Filesize
72KB

MD5
791a8210093de8ecee9096d219fe54ff

SHA1
1b66d63014b0043a20ef0e463f277a04d0a188bc

SHA256
f6556792ee747f9f8945199c23a88b6b53efa59cfd1abf4d173a2bbb75c7f01a

SHA512
10f3d3de5bddbb36f57ba6daa52d6a98a640c43476eec3757a4eba503045441e5b8b52748d4a3747b44b09ca13fe6e78ee0f0b63adb529c3b6b76bc0f9863f6b

Download Submit
C:\Windows\SysWOW64\Bnkbam32.exe

Filesize
72KB

MD5
3890cc37bd83c35f2bc4e4d23b435454

SHA1
2d22d0f3d9bb5f42e0e18b66e561774c3423f1c3

SHA256
dc8a2fea1213c24ef0eba2f4f625ff250170a2bb015963ca5555832b964750de

SHA512
19c2e6b525f1503c7a39ac8bf05edeed8ec9d715a42249758a8de7d19abc05e8ee6157aec6d12f6dac9320470aef5d87e218dcb15b16a8ef64d5f2ff6c41ed53

Download Submit
C:\Windows\SysWOW64\Boplllob.exe

Filesize
72KB

MD5
d0b4e02e7342284d63c95fd4e19dd995

SHA1
df251797de94d29c656a4694c2177dfa4cf24e4a

SHA256
391e40fe87633222bd1a006bc31370303550ca946e89e105d4c0be333ac819a9

SHA512
04590866dcd29888c17e87db2a0fa48020be11d07582da92c38111c328948805f0597376efaa86f35442b2e6e604e3821af2d3429966b76984314539d2e191c9

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
72KB

MD5
6dabb8177a4d2d928a081168ba4a75fc

SHA1
966d0a365f0bc29b364d74e8445285c220858933

SHA256
f6d0685112f11f2118bf85b516b441c2dc8612149ce14fba3ec16f948479c267

SHA512
eb6b666a2ea89faab877414570ed4fec9d22035f5448d1281feac07ee48df3b13b92d9312658987673f27df7cc08ec31fb0c0d058bd84746b09d9c7ec73d92a6

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
72KB

MD5
cb97b8a0937b0816a9e4327ad904c00a

SHA1
a7882d5439ec846795d02f2fae4523116c09bc99

SHA256
93b64656905359730ab8e7a4bdbfdd283cf627657604b0b055abaf8566b663e4

SHA512
3136950aa6427b91978d58c41c4a781167a8e6c7c792fc3f19303d1eec32a746c2e6d5feb9bcce83b0b236cc2dd219aa9f1a200cba9dbe7570b89e3aec2cc745

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
72KB

MD5
d3550f07c5c0376aebdd5fb415d9fbe2

SHA1
d69efbccf8d8e92cd6fef5d73bf17cb2c26f6370

SHA256
e4e626c0f2b0f614cbe7cbf96d9c347600cada28d69cd5bcacc068ad9a5b71f2

SHA512
400d6ba0f9ca8f32e76983b004417bd5f490dc423cf0e65706765bf226a16ac571add4911bcedd23f3fe51a15471cb9514495403c1145759e5e2ab9148be7b79

Download Submit
C:\Windows\SysWOW64\Lgenio32.dll

Filesize
7KB

MD5
ba3e61eaed70830fe090170fc3ecc4de

SHA1
bf7894e3b28b756a68809b3a366a710a21133cd5

SHA256
75ca39f017c5822034041fe578ad6ba6b9e00febe1edcd7099fe7541f30128b8

SHA512
5169e0d7cd4dd9cde2d2bc8e4c51812098117fe9d7c325127651efd7722ba17ed0d4e45ba818a432d75378a6f1174b9b78342fec8ab3b1ca467e667e5f20e27a

Download Submit
C:\Windows\SysWOW64\Nadpgggp.exe

Filesize
72KB

MD5
1ad420f6f8aa58c52281d31d6d52a829

SHA1
33c75a13196c2db676c5b3236fee540cac5aa022

SHA256
6d4939ab44406e7c2075629a8abdb731c60a8e05bcae0b0d065eecd1a3df4ad2

SHA512
39cc504f53b4146ee18738e169ec5f0fa7539a5780cb5a60db253230cc2de8ed280b60094ec996ceb953f030fabdca4069871ec03a1510de7a6727fe68fe43e4

Download Submit
C:\Windows\SysWOW64\Nhohda32.exe

Filesize
72KB

MD5
c03af476e86c8ee9758f0a0e49698f07

SHA1
f8fcb120da563654cdf830a2af404d15fc7afd05

SHA256
a4f3cd93005fc28c677e25132f45d0026b5842c0180191810759e630bbd84096

SHA512
7ac4e5f0e9974fa80d40576d05d012ddf492a18f27b8940af0f386280a808b3edd4b8c0071867e251310ffd57e7a004ad285e4db380d9ff1488f33e58dabc2f1

Download Submit
C:\Windows\SysWOW64\Pfdabino.exe

Filesize
72KB

MD5
980a83518cb726a15180e7e4be2012a9

SHA1
178b108946d935fc954c3c6934bb18653708d320

SHA256
ac1b6beaad80f4ffe921aa35cd20349e3d736b775e6e0f6c51ae0fd179ed6959

SHA512
278f6cc6f01d944f2590eaa1248f9832ffaf0fb4b0dc732025f04fa8e2d75d4682ad7a8b58adb613de9217c7ff28db05290679b0d58a6676e38caa54387c3f5a

Download Submit
C:\Windows\SysWOW64\Pfikmh32.exe

Filesize
72KB

MD5
903a915935bf7963bad348a65127bab4

SHA1
5830b83f6f87b8e0614d0577bf45de11a867082a

SHA256
041356640739e73f66987b71dba94cf6499c823a33eaa1b99875daa2af76cad8

SHA512
ee204cb3ff00837405ae5ac18db541c7eafc504325ac839e599daa369d9e70afd540834be550693157b7bd8f2b4eb99c8ae64f1dee90995d0a8e01c8ddf4e6e3

Download Submit
C:\Windows\SysWOW64\Pmccjbaf.exe

Filesize
72KB

MD5
6f87ea3493e6c30e149afda910d6d152

SHA1
0bd03870e2df68408afff3fc7386be9b86be5e3f

SHA256
35d1c9b54d28f15756bd1d5dc067e7a7384cd88ad3eed64b87f41a67164c8c12

SHA512
c2bf18cd1a907d27327c535d42daaa5fb4a4249a1f53191739cb4268d9ba7e098d037c0538e5c5a8e9a58f0b6c1feced16ee833d4d9c2618ff4f68d984257e74

Download Submit
C:\Windows\SysWOW64\Poocpnbm.exe

Filesize
72KB

MD5
60ba075a627dac582e089fdbb0b64e2b

SHA1
9fd04745e9873bc2768a8641d92fccdd654f6e39

SHA256
a7b38cf12f983c561ac89c4cbc7b76c3adf7d8d50c3908859d1c6e4ec3ffc5f2

SHA512
ae5b3e0dc90e3f5b71d661c50d116c07d6f075f586152cf25208dee5a61d0d82a5cf7c944dabab9319be719b91711eef127fa162a988ff17953daaf4c20033c2

Download Submit
C:\Windows\SysWOW64\Qeaedd32.exe

Filesize
72KB

MD5
8dadf5b35294436c727645d72d56ff3a

SHA1
090f17535d082fd361341248247b37ddc7f10f71

SHA256
cad3d1d22e898d3d08ded8d953744171820b9d17c4edaf2b9eb84587417ef9da

SHA512
d94076630f0fd54dfca9b42ae4b4b2878c1d7954411a1ea64b3ed9fb8cc0c0e6755cfe3842ea47df8d2316c02fa9fbcb7e8114f70a6ce8b8b13715ff4656f02b

Download Submit
C:\Windows\SysWOW64\Qeohnd32.exe

Filesize
72KB

MD5
1dbae2efebac8344851b26d1399beb8b

SHA1
727216527b62cf52859de60b5c7c8cf994fc644b

SHA256
a6315a151ed17f536f3e013b027d072b44e7a462e3393351d4011cb1f4541fc4

SHA512
0c3bbe9b1ccb1de4eae2d82f331ca3c9f9d94ff522fa6691852d35779d962f51bb49d6bb9d482d2759c3bd0efe76e6e6029694de6f75285aa2499ef80f9d0381

Download Submit
C:\Windows\SysWOW64\Qgoapp32.exe

Filesize
72KB

MD5
865f67a3410c54e7c3a20b245390721a

SHA1
d33fab8811f846fd9de0a0a692fdd4ae127e7321

SHA256
c8fec7468c952ab03c13ac416e4d8d3f40b1d451bb0b536c8a2298d72446a0b8

SHA512
eafbc610663a32067052d4e1925eeeb95d4b8fc29835b31762c1f21f2cad53b59fba33433bacf80b013b33a7c124e682f2418ce0366c3f1544646fe49ff2d3ac

Download Submit
C:\Windows\SysWOW64\Qngmgjeb.exe

Filesize
72KB

MD5
720f932f3993d163db054566725e9854

SHA1
c891ca0727921721540cb0e51406a27375c85e25

SHA256
f0ec88f71f51618ce51d79ffebceb4caad7efaf2de499d2d55f91cd28a40932b

SHA512
0dffde3956903eea7588658d94b5243d2c10a9af90ec38659fa60b7537489927820c9d09dbf9e74ec9c95333a1f312230adfc228df5d43700198a51cb18ef8ed

Download Submit
C:\Windows\SysWOW64\Qodlkm32.exe

Filesize
72KB

MD5
908eeac70e7d977809f9e4400b27dbe7

SHA1
cfc796e2eb8e22c4b95fe5efe14a0cd3bede7032

SHA256
4992ae71cbbdf4e56a0f956554911cb8789b40d6e28ac353f0e2178157dd9eb8

SHA512
012008704d188145f71d430d0b382bb16087071355a18dde5bea58bafa1528e28a5c4246040a7da29843d5b205e3fa15f5559a88652b06fbd137102dea43a624

Download Submit
\Windows\SysWOW64\Oancnfoe.exe

Filesize
72KB

MD5
7a8aff57b1740a88ac2ea5a2cd419290

SHA1
fd70d6a6473c1fb596183414b8c200cc80fb6268

SHA256
b16d5c5953e6eb3f02a244b836e0d61f0f9a47f284c24012bcac4ed7cf08cef7

SHA512
3dbc49073678672146d67c46acf7c23f82d61b2617a3fe888826c9ace4a23b432fd4e292a40cc09b593b2739b51474e78387f70b409a442a9aeb7e7127e41dc2

Download Submit
\Windows\SysWOW64\Oappcfmb.exe

Filesize
72KB

MD5
349ea7b820e077effbe59281d2dcb0ec

SHA1
3ca66d995cb6f87a8a48f591ee022755ee7553e3

SHA256
e7aea33a1f9f5e912549869b5eaa1432fc30e54661aea4d8906aaafd689eb937

SHA512
02a4b14eea1267708780bea163734cb8c3aa286f4ecf918047a2fe35f1875f57dc8cda6d1315429d396920c62aaec0629c132fc7c0a2ad4dd61059c453de80b0

Download Submit
\Windows\SysWOW64\Odhfob32.exe

Filesize
72KB

MD5
9ca204b9f8ba9068b028b0ddfcc48437

SHA1
39ab054485f82b18bbf37f7aa01f3e403a2ae75b

SHA256
e0d190c66cfde61052e55f8b045e8e1f7a5e1d855d52239581f769b8b1ebeef9

SHA512
21f003b567c2d279c1a600b816f6c654ebb539369177a8da69ffa6be404ecefe4685cfad16a2dff0d6f9c3f2d490c68b1fef36d392a2959b1203b3feab7987e0

Download Submit
\Windows\SysWOW64\Oghopm32.exe

Filesize
72KB

MD5
94619affe2202aa14e727ad5ec190f04

SHA1
3a6ee340b8e632dacabdad92b0ef541728e109a6

SHA256
df3d360929c10a95c7ad1c510aec31121529733a19b87f26b50ee9312f3767ae

SHA512
d96324bd48ae4de68a483a2b0dbe0eebbd096a7b1a5e920c3160405318f2e53ee5005d911292435cf90121241ebe9aaf3006fa500a5e5d4368808ea9f607747b

Download Submit
\Windows\SysWOW64\Ohaeia32.exe

Filesize
72KB

MD5
84834e5c598ad1e90aec6519764843ce

SHA1
851de13f97c2f3bddb67187e72668d80a585b1a8

SHA256
ac63d7197ab757717595510ae1f5ac32a96eb4cca40b3c39e84da49f29564d52

SHA512
fb75e2b516533a23c9ca91e65c2f69b4fead34f9ed3ca8d9dd032e241ab2132bfeee97ff30ef04c2cf2d576db36d43714972d84af699215eedd4c6c7532630ed

Download Submit
\Windows\SysWOW64\Ohhkjp32.exe

Filesize
72KB

MD5
dedb363a65cdb078f1a7ab8b1ef74dc2

SHA1
a49bc9d17d2f5501d511a1f5fd8e8b59816fceed

SHA256
af48e5dbb5da741040a9ac019cab1186bd820794001c26d3bdf52407abebf240

SHA512
513dccb7034b3640f0f1d7f31f7b8968227f4035ee319f002b31ca232285c8329cc4db0ee781016cdb55484cb43fe071d10487829b21e0316aa5e75c540ed8a6

Download Submit
\Windows\SysWOW64\Onpjghhn.exe

Filesize
72KB

MD5
e4142037a1212e2afef4addec5684a7d

SHA1
c781a07df6020a71141de05ce5024cfddd266b46

SHA256
aa8f9423f8807f09cba3d0f98bd0182904ea4571ba35ba5ab487bc654b7dc918

SHA512
a1a183a0c2e7cf8f5a70a10e0284aa2a757ed50376908979dbadef5db424fccbdc88b069971a41ef5b68ff1a36ab689248eab2e1da3e2b496b83808b0d052f87

Download Submit
\Windows\SysWOW64\Pfgngh32.exe

Filesize
72KB

MD5
d797d093fb1408b745b41b64ba1ea622

SHA1
4f3edc312e82cdfb12d2db32ad0528d1e735acd5

SHA256
dfaa74b6d3c9df1bb8047fa5a787de5315d8819ea18e303fafc4600570bf9b77

SHA512
ad0652c0accdb13c65c3b8b119268f4f28d7933a42747164a359a3c139f3ec953fa5627e5b5a96370d8aef135565072eb66545d7f17e2b92e3eebbffea8c302b

Download Submit
\Windows\SysWOW64\Pgpeal32.exe

Filesize
72KB

MD5
db0c12e3cc4776d3cde8d6237f7e8222

SHA1
918a768ef7e5da457b10098f5bef2e8538e11d94

SHA256
4276716b1b28345340c9d7e3d0c7eb5e03e13cf845d6ccb09b10f984d7fdb30b

SHA512
66fdeddb62ab7013dcdfcb4131ec26c264492a6a1cca257a6465243ef1c91694e890ebd0ea49bb7e0b4dbdc97bdf17eb68fbbcea6c614134646ccf610460399b

Download Submit
\Windows\SysWOW64\Pkidlk32.exe

Filesize
72KB

MD5
e349cf9605f975075aaaa11752301fa6

SHA1
cb0956f4386dd17c05d2224fc92fdfa69c32e1ff

SHA256
7d35f60132bb214fdefac15340c1dd8ffc0e59f181c25d9fb3ede7488b8beee2

SHA512
88e80e5b9162a9d3ff9319efd48aab2823f0a624518372ef7a51ef15c3068516f638cc92fcd41325f020a70e08e2748bbc3b0d2761fb9a4df59fa64aa4040cda

Download Submit
\Windows\SysWOW64\Pokieo32.exe

Filesize
72KB

MD5
a845ed23ea1f0199886c7fd136be8f05

SHA1
4ca50fffa99e70036f4443e5df7a439ccb5bdd91

SHA256
c2c841e8c9cb11b2c2c422928ac2774a8bdffb02e80c565277b9708f5c5a6f84

SHA512
27b97b1d973117df6626ba99965c9a5291fad297ed9b61c389fb2f14cfe4fb34c950778ed574679b5f63fb72671a48f093dc320de5f96bcb64c571b3561c5e9f

Download Submit
\Windows\SysWOW64\Pomfkndo.exe

Filesize
72KB

MD5
443cc7ad07918754fa6d6ab8a411ccb2

SHA1
9c89f5ce2592e771e7341b0be4b2c0fa95f048c5

SHA256
177b3059601cb0391c8e0bb6b0d6c464c6c90eb2c19bbb32664b2418fa55ecb1

SHA512
e152965623135d7ecc77e221c0bc83bfede5a6c872e014f35a1b2d581fe7a52b91f8c7a11146f291d296bf7bae5ae8dfdf4ccb8811f98def3c4c2b4d66a26b1f

Download Submit
\Windows\SysWOW64\Pqemdbaj.exe

Filesize
72KB

MD5
2ad4e55723cd2eda6c6e8f58d3a8f9c8

SHA1
9ebabd75d006e2a96a4ec9cd664a20e500d413cf

SHA256
ac72d879789fed77f5343b9fd5e4b4b8281ed8457d7c34ded53eed6027b265e3

SHA512
0a7fa1edec72ff1ac1b0ef304062c1f0d0ed2ed00459e194bb56b089d5637523836d667caad6ed97cc84385959c93739b235c6fdc58aa0c6db5398b347ef998e

Download Submit
memory/528-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/528-87-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/528-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/632-365-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/632-367-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/632-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/688-230-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/688-235-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/700-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/704-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/704-286-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/704-287-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/736-254-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/736-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/824-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/824-535-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/880-298-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/880-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/880-294-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1264-165-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1264-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1264-463-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1308-515-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1308-211-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1308-221-0x0000000000320000-0x0000000000354000-memory.dmp

Filesize
208KB

Download
memory/1440-443-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1440-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-131-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-511-0x0000000000350000-0x0000000000384000-memory.dmp

Filesize
208KB

Download
memory/1760-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1760-482-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1772-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1772-276-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1772-272-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1780-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1780-390-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/1848-525-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-60-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1928-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-65-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2032-444-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-464-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2096-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2108-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2132-493-0x0000000000320000-0x0000000000354000-memory.dmp

Filesize
208KB

Download
memory/2132-494-0x0000000000320000-0x0000000000354000-memory.dmp

Filesize
208KB

Download
memory/2132-483-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-196-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2196-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-203-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-519-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-459-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2472-504-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2472-500-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2536-453-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2536-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2684-308-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2684-309-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2684-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2704-26-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2704-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2704-343-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2704-359-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2708-341-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2708-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-422-0x0000000000350000-0x0000000000384000-memory.dmp

Filesize
208KB

Download
memory/2828-17-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2828-331-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-354-0x00000000006A0000-0x00000000006D4000-memory.dmp

Filesize
208KB

Download
memory/2896-391-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-377-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2912-379-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2920-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-366-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2932-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2940-319-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2940-315-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3008-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3008-329-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/3008-330-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/3020-421-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-113-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/3020-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-411-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/3044-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-412-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download