berbew | cadbd56459a0e771f4f6a7c81b8ffcea0ff39740b718b3ceb7aa6d91c0f3eb3c

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cadbd56459a0e771f4f6a7c81b8ffcea0ff39740b718b3ceb7aa6d91c0f3eb3c.exe
Size

72KB
MD5

d5d53d80690752a31a238d08b7bbc9b2
SHA1

036eb583b8996e0ab39fc1811afa76533221d408
SHA256

cadbd56459a0e771f4f6a7c81b8ffcea0ff39740b718b3ceb7aa6d91c0f3eb3c
SHA512

e336d3cf266d2d8389eff8cd2428c19692bc1e37f8d59e3ca024ecf1e24eb0e748ea0e98a5e26a5eacfa7f34ccc15d6bd9b65494dabb50adbd0149bdeb5abef4
SSDEEP

1536:46+69QiBZOaQ/aRPfMcp+nXe4DpPI5rGzrfAnNW:4R69Eel415kYEN

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Olcbmj32.exeOncofm32.exeAccfbokl.exeBnbmefbg.execadbd56459a0e771f4f6a7c81b8ffcea0ff39740b718b3ceb7aa6d91c0f3eb3c.exeBgehcmmm.exeDmgbnq32.exeAepefb32.exeChmndlge.exeAjfhnjhq.exeOcpgod32.exeQddfkd32.exeAnmjcieo.exeBcoenmao.exePjcbbmif.exeAeklkchg.exeBgcknmop.exeDeagdn32.exePcbmka32.exeAmbgef32.exeCeqnmpfo.exeCagobalc.exeCjpckf32.exeDfpgffpm.exePncgmkmj.exePgllfp32.exeAjhddjfn.exeBmpcfdmg.exeCjmgfgdf.exeOpdghh32.exeOgnpebpj.exeQgcbgo32.exeAcqimo32.exeBnhjohkb.exeOjaelm32.exeQceiaa32.exeAcjclpcf.exeOlmeci32.exePdfjifjo.exePjmehkqk.exePggbkagp.exeQjoankoi.exeBnpppgdj.exeOgifjcdp.exeOjgbfocc.exeOdapnf32.exePmannhhj.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cadbd56459a0e771f4f6a7c81b8ffcea0ff39740b718b3ceb7aa6d91c0f3eb3c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

Processes:

Olcbmj32.exeOgifjcdp.exeOjgbfocc.exeOncofm32.exeOcpgod32.exeOjjolnaq.exeOpdghh32.exeOgnpebpj.exeOjllan32.exeOdapnf32.exeOfcmfodb.exeOlmeci32.exeOjaelm32.exePdfjifjo.exePjcbbmif.exePmannhhj.exePggbkagp.exePjeoglgc.exePcncpbmd.exePncgmkmj.exePdmpje32.exePgllfp32.exePnfdcjkg.exePcbmka32.exePjmehkqk.exeQmkadgpo.exeQceiaa32.exeQjoankoi.exeQddfkd32.exeQgcbgo32.exeAnmjcieo.exeAcjclpcf.exeAjckij32.exeAmbgef32.exeAclpap32.exeAfjlnk32.exeAjfhnjhq.exeAeklkchg.exeAgjhgngj.exeAjhddjfn.exeAabmqd32.exeAcqimo32.exeAjkaii32.exeAepefb32.exeAccfbokl.exeBnhjohkb.exeBaicac32.exeBgcknmop.exeBmpcfdmg.exeBgehcmmm.exeBnpppgdj.exeBhhdil32.exeBnbmefbg.exeBcoenmao.exeCabfga32.exeChmndlge.exeCeqnmpfo.exeCjmgfgdf.exeCagobalc.exeCdfkolkf.exeCjpckf32.exeCajlhqjp.exeCegdnopg.exeDfiafg32.exe

pid	Process
4356	Olcbmj32.exe
3964	Ogifjcdp.exe
3080	Ojgbfocc.exe
3236	Oncofm32.exe
2468	Ocpgod32.exe
4564	Ojjolnaq.exe
2344	Opdghh32.exe
2652	Ognpebpj.exe
4956	Ojllan32.exe
4548	Odapnf32.exe
1176	Ofcmfodb.exe
4784	Olmeci32.exe
3040	Ojaelm32.exe
1716	Pdfjifjo.exe
2328	Pjcbbmif.exe
3096	Pmannhhj.exe
2912	Pggbkagp.exe
4748	Pjeoglgc.exe
3548	Pcncpbmd.exe
1520	Pncgmkmj.exe
3184	Pdmpje32.exe
2944	Pgllfp32.exe
4536	Pnfdcjkg.exe
2548	Pcbmka32.exe
2396	Pjmehkqk.exe
3644	Qmkadgpo.exe
212	Qceiaa32.exe
3960	Qjoankoi.exe
2868	Qddfkd32.exe
3576	Qgcbgo32.exe
4084	Anmjcieo.exe
4584	Acjclpcf.exe
4540	Ajckij32.exe
4360	Ambgef32.exe
3016	Aclpap32.exe
1120	Afjlnk32.exe
2292	Ajfhnjhq.exe
4128	Aeklkchg.exe
1524	Agjhgngj.exe
1136	Ajhddjfn.exe
5096	Aabmqd32.exe
4068	Acqimo32.exe
4924	Ajkaii32.exe
3272	Aepefb32.exe
5084	Accfbokl.exe
5028	Bnhjohkb.exe
1512	Baicac32.exe
3376	Bgcknmop.exe
2492	Bmpcfdmg.exe
916	Bgehcmmm.exe
1344	Bnpppgdj.exe
5008	Bhhdil32.exe
3144	Bnbmefbg.exe
2968	Bcoenmao.exe
3012	Cabfga32.exe
3216	Chmndlge.exe
1072	Ceqnmpfo.exe
1736	Cjmgfgdf.exe
3328	Cagobalc.exe
2900	Cdfkolkf.exe
4472	Cjpckf32.exe
3568	Cajlhqjp.exe
968	Cegdnopg.exe
4476	Dfiafg32.exe

Drops file in System32 directory 64 IoCs

Processes:

Ajfhnjhq.exeBcoenmao.exeCdfkolkf.exeDeagdn32.exeOncofm32.exeOjllan32.exeBmpcfdmg.exeBhhdil32.exeAfjlnk32.exePdmpje32.exeAnmjcieo.exeOlcbmj32.exeOgnpebpj.exeAccfbokl.exeChmndlge.exeCajlhqjp.exeCagobalc.exeBnhjohkb.exeDelnin32.exeOfcmfodb.exePgllfp32.exeAcjclpcf.exeAepefb32.exeOcpgod32.exePggbkagp.exePjeoglgc.exeBgehcmmm.exeOjjolnaq.exeAmbgef32.exeDhocqigp.exeOjgbfocc.exeOpdghh32.exeOdapnf32.exeDhhnpjmh.exeDfpgffpm.exeDmgbnq32.exeBnbmefbg.exeOlmeci32.exeAabmqd32.exeAcqimo32.exeBaicac32.exeCjpckf32.exePjcbbmif.exeCegdnopg.exeDfiafg32.exeOgifjcdp.exeQjoankoi.exePcbmka32.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Ocpgod32.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Odapnf32.exe	Ojllan32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Djoeni32.dll	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Olmeci32.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	Ocpgod32.exe
File opened for modification	C:\Windows\SysWOW64\Pjeoglgc.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pjeoglgc.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Opdghh32.exe	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Oncofm32.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Gcdmai32.dll	Odapnf32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Naekcf32.dll	Ojllan32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Acqimo32.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Pmannhhj.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Ojgbfocc.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Jilkmnni.dll	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pcbmka32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
1572	1672	WerFault.exe	154

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cadbd56459a0e771f4f6a7c81b8ffcea0ff39740b718b3ceb7aa6d91c0f3eb3c.exeOlcbmj32.exeQceiaa32.exeBnhjohkb.exePjcbbmif.exeAjfhnjhq.exeAjkaii32.exeBaicac32.exeBgehcmmm.exeOgifjcdp.exeDfiafg32.exeOjaelm32.exeAjhddjfn.exeCeqnmpfo.exeDmllipeg.exeOcpgod32.exeOjjolnaq.exeAeklkchg.exeCabfga32.exeCagobalc.exeCajlhqjp.exePdmpje32.exeAcjclpcf.exeBnbmefbg.exeAfjlnk32.exeCegdnopg.exeOncofm32.exeOlmeci32.exePnfdcjkg.exeAabmqd32.exeDmgbnq32.exeDeagdn32.exeOfcmfodb.exePggbkagp.exePjmehkqk.exeAcqimo32.exeBmpcfdmg.exeDelnin32.exePdfjifjo.exePmannhhj.exePgllfp32.exeAnmjcieo.exeAjckij32.exeQddfkd32.exeAmbgef32.exeAepefb32.exeBcoenmao.exeCjpckf32.exeDhhnpjmh.exeChmndlge.exeCdfkolkf.exeOjllan32.exePjeoglgc.exeQmkadgpo.exeAgjhgngj.exeBnpppgdj.exeBhhdil32.exeDfpgffpm.exeDhocqigp.exeOjgbfocc.exeOgnpebpj.exeOdapnf32.exePcncpbmd.exeQjoankoi.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cadbd56459a0e771f4f6a7c81b8ffcea0ff39740b718b3ceb7aa6d91c0f3eb3c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe

Modifies registry class 64 IoCs

Processes:

Pnfdcjkg.exeQceiaa32.exeAnmjcieo.exeCagobalc.exePmannhhj.exeCajlhqjp.exePjcbbmif.exeAgjhgngj.exeAcqimo32.exeCabfga32.exeBmpcfdmg.exeCegdnopg.exeOdapnf32.execadbd56459a0e771f4f6a7c81b8ffcea0ff39740b718b3ceb7aa6d91c0f3eb3c.exeOpdghh32.exeOlmeci32.exePdfjifjo.exeBgehcmmm.exeDfpgffpm.exeOjaelm32.exeAjkaii32.exeOjgbfocc.exeQmkadgpo.exeAfjlnk32.exeAeklkchg.exePggbkagp.exePjeoglgc.exeBnbmefbg.exeChmndlge.exeQjoankoi.exeBcoenmao.exeCdfkolkf.exeAccfbokl.exeBnhjohkb.exeOgnpebpj.exeAjckij32.exePcncpbmd.exeDhkjej32.exeAabmqd32.exeQgcbgo32.exeCjmgfgdf.exeDeagdn32.exeAclpap32.exeOncofm32.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popodg32.dll"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	cadbd56459a0e771f4f6a7c81b8ffcea0ff39740b718b3ceb7aa6d91c0f3eb3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnamnpl.dll"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdjmlhn.dll"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfqmhb.dll"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oncofm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cadbd56459a0e771f4f6a7c81b8ffcea0ff39740b718b3ceb7aa6d91c0f3eb3c.exeOlcbmj32.exeOgifjcdp.exeOjgbfocc.exeOncofm32.exeOcpgod32.exeOjjolnaq.exeOpdghh32.exeOgnpebpj.exeOjllan32.exeOdapnf32.exeOfcmfodb.exeOlmeci32.exeOjaelm32.exePdfjifjo.exePjcbbmif.exePmannhhj.exePggbkagp.exePjeoglgc.exePcncpbmd.exePncgmkmj.exePdmpje32.exe

description	pid	Process	procid_target
PID 1384 wrote to memory of 4356	1384	cadbd56459a0e771f4f6a7c81b8ffcea0ff39740b718b3ceb7aa6d91c0f3eb3c.exe	83
PID 1384 wrote to memory of 4356	1384	cadbd56459a0e771f4f6a7c81b8ffcea0ff39740b718b3ceb7aa6d91c0f3eb3c.exe	83
PID 1384 wrote to memory of 4356	1384	cadbd56459a0e771f4f6a7c81b8ffcea0ff39740b718b3ceb7aa6d91c0f3eb3c.exe	83
PID 4356 wrote to memory of 3964	4356	Olcbmj32.exe	84
PID 4356 wrote to memory of 3964	4356	Olcbmj32.exe	84
PID 4356 wrote to memory of 3964	4356	Olcbmj32.exe	84
PID 3964 wrote to memory of 3080	3964	Ogifjcdp.exe	85
PID 3964 wrote to memory of 3080	3964	Ogifjcdp.exe	85
PID 3964 wrote to memory of 3080	3964	Ogifjcdp.exe	85
PID 3080 wrote to memory of 3236	3080	Ojgbfocc.exe	86
PID 3080 wrote to memory of 3236	3080	Ojgbfocc.exe	86
PID 3080 wrote to memory of 3236	3080	Ojgbfocc.exe	86
PID 3236 wrote to memory of 2468	3236	Oncofm32.exe	87
PID 3236 wrote to memory of 2468	3236	Oncofm32.exe	87
PID 3236 wrote to memory of 2468	3236	Oncofm32.exe	87
PID 2468 wrote to memory of 4564	2468	Ocpgod32.exe	88
PID 2468 wrote to memory of 4564	2468	Ocpgod32.exe	88
PID 2468 wrote to memory of 4564	2468	Ocpgod32.exe	88
PID 4564 wrote to memory of 2344	4564	Ojjolnaq.exe	89
PID 4564 wrote to memory of 2344	4564	Ojjolnaq.exe	89
PID 4564 wrote to memory of 2344	4564	Ojjolnaq.exe	89
PID 2344 wrote to memory of 2652	2344	Opdghh32.exe	90
PID 2344 wrote to memory of 2652	2344	Opdghh32.exe	90
PID 2344 wrote to memory of 2652	2344	Opdghh32.exe	90
PID 2652 wrote to memory of 4956	2652	Ognpebpj.exe	91
PID 2652 wrote to memory of 4956	2652	Ognpebpj.exe	91
PID 2652 wrote to memory of 4956	2652	Ognpebpj.exe	91
PID 4956 wrote to memory of 4548	4956	Ojllan32.exe	92
PID 4956 wrote to memory of 4548	4956	Ojllan32.exe	92
PID 4956 wrote to memory of 4548	4956	Ojllan32.exe	92
PID 4548 wrote to memory of 1176	4548	Odapnf32.exe	93
PID 4548 wrote to memory of 1176	4548	Odapnf32.exe	93
PID 4548 wrote to memory of 1176	4548	Odapnf32.exe	93
PID 1176 wrote to memory of 4784	1176	Ofcmfodb.exe	94
PID 1176 wrote to memory of 4784	1176	Ofcmfodb.exe	94
PID 1176 wrote to memory of 4784	1176	Ofcmfodb.exe	94
PID 4784 wrote to memory of 3040	4784	Olmeci32.exe	95
PID 4784 wrote to memory of 3040	4784	Olmeci32.exe	95
PID 4784 wrote to memory of 3040	4784	Olmeci32.exe	95
PID 3040 wrote to memory of 1716	3040	Ojaelm32.exe	96
PID 3040 wrote to memory of 1716	3040	Ojaelm32.exe	96
PID 3040 wrote to memory of 1716	3040	Ojaelm32.exe	96
PID 1716 wrote to memory of 2328	1716	Pdfjifjo.exe	97
PID 1716 wrote to memory of 2328	1716	Pdfjifjo.exe	97
PID 1716 wrote to memory of 2328	1716	Pdfjifjo.exe	97
PID 2328 wrote to memory of 3096	2328	Pjcbbmif.exe	98
PID 2328 wrote to memory of 3096	2328	Pjcbbmif.exe	98
PID 2328 wrote to memory of 3096	2328	Pjcbbmif.exe	98
PID 3096 wrote to memory of 2912	3096	Pmannhhj.exe	99
PID 3096 wrote to memory of 2912	3096	Pmannhhj.exe	99
PID 3096 wrote to memory of 2912	3096	Pmannhhj.exe	99
PID 2912 wrote to memory of 4748	2912	Pggbkagp.exe	100
PID 2912 wrote to memory of 4748	2912	Pggbkagp.exe	100
PID 2912 wrote to memory of 4748	2912	Pggbkagp.exe	100
PID 4748 wrote to memory of 3548	4748	Pjeoglgc.exe	101
PID 4748 wrote to memory of 3548	4748	Pjeoglgc.exe	101
PID 4748 wrote to memory of 3548	4748	Pjeoglgc.exe	101
PID 3548 wrote to memory of 1520	3548	Pcncpbmd.exe	102
PID 3548 wrote to memory of 1520	3548	Pcncpbmd.exe	102
PID 3548 wrote to memory of 1520	3548	Pcncpbmd.exe	102
PID 1520 wrote to memory of 3184	1520	Pncgmkmj.exe	103
PID 1520 wrote to memory of 3184	1520	Pncgmkmj.exe	103
PID 1520 wrote to memory of 3184	1520	Pncgmkmj.exe	103
PID 3184 wrote to memory of 2944	3184	Pdmpje32.exe	104

C:\Users\Admin\AppData\Local\Temp\cadbd56459a0e771f4f6a7c81b8ffcea0ff39740b718b3ceb7aa6d91c0f3eb3c.exe
"C:\Users\Admin\AppData\Local\Temp\cadbd56459a0e771f4f6a7c81b8ffcea0ff39740b718b3ceb7aa6d91c0f3eb3c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Windows\SysWOW64\Olcbmj32.exe
  C:\Windows\system32\Olcbmj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4356
- - C:\Windows\SysWOW64\Ogifjcdp.exe
    C:\Windows\system32\Ogifjcdp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3964
  - - C:\Windows\SysWOW64\Ojgbfocc.exe
      C:\Windows\system32\Ojgbfocc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3080
    - - C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3236
      - C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2548
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1136
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3272
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3376
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1344
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        68⤵
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4724
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 416
        74⤵
        Program crash
        
        PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1672 -ip 1672
1⤵
PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
72KB

MD5
0c0294444977f8e03d1520646cb268cd

SHA1
b42166d0831e0292aba22b454257a1bcdee1b6c7

SHA256
4ced45df077dad3816242dd4ef6fc71e421b2c3150f7eaaa0d2d79d6ed228c1c

SHA512
9f03b211a81f52ed0c725b040bccf9d5f157765a5e9ffd4aa35163d6e4ddc21528f2a506f4354e84daca9a5e2babb3f87c8f621d8d49ffc68036593bd375bb7c

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
72KB

MD5
20ada444d1d3cf621fb5fab61ae40345

SHA1
53a2008925bfbfbb1b0820bcb6cafe8b92b448ef

SHA256
139bcf19a5bdbea4d97d38894180ca025fd29d176d7dde962ecd8410ad6e4ea9

SHA512
d940704aeb5025d6543b7eb9bb13ca37dfcca5f81749e126ce38468d31125cb09c46634637899a228fa57a931da0bb63c093c6a15e8d55b87a89c9012a9fbed6

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
72KB

MD5
fa998d25141064d3c9a8bd7c60d460c4

SHA1
f4a472fb125c7e052c9cedbf8e3475274e999695

SHA256
be84f20f15a09371b4fb216a0791a347a524fd32fba7f80ad7c792ed16357f5e

SHA512
00bf83eff45c5d9372e7a498305ff40408d48ba2728feebd67c9faa1e58d412d90f61562d68760f4d485472a51d217fa19d63402290f4c95ca307b5efc176540

Download Submit
C:\Windows\SysWOW64\Debdld32.dll

Filesize
7KB

MD5
80dccd1b458ece93191ee836257838b6

SHA1
52c0ef9b27c859a886f0526ac3e83aee1ec50b47

SHA256
f82d2b095c332ceff8aff0da085f0e1c135d3e0d4c3136e51beb2608bb00c0cb

SHA512
8b689efdccc2e85a3a9bd446981e96db3db35c75cac43017c94a3fb690b0a9e0c4d535296fd282e4a6d5c3709179a4a7c39e7a2cf087c71bec23b35786aa69b4

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
72KB

MD5
62678ff9f6b0269664577a35946a138f

SHA1
fcf563a9be1834cc2624ec1c93cfc2bcd0aa5269

SHA256
64a51cc330a880525eec5229969b2347445403d991ca5529abd2161788061eff

SHA512
755cb237bfbe62f8f5fd97a78cb71eba13b40cbfd5783322f92a1e33c7ac234da11d1934a8be720d74b8218bcb840c4d32658e1253ae9a9abc969d07ba4dddc4

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
72KB

MD5
843cdda43b4eeb038b2e135943dba5ad

SHA1
ba7ff577c2304aa5e0c7c830ff4df8da7f8197bc

SHA256
c33067765d9d5ea8a69d5934640258d82fa5239de792ce28fd64b686f32ca9f5

SHA512
c4fed499ec59d1ed9618408072c9405b4662332b2d192de455f4d19f93ece699ba1a42b10140611ed30f5c004f026ca1496cd96630d578eb3881434e534e372c

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
72KB

MD5
03a7fdc8c6e9c438d4f586aa764c08c2

SHA1
cc047fe3a055a5ab01a0f760ad4b53f86dfee4c4

SHA256
57184458ed5e864f71b884ecfaa9be08b2fb7ae8ded2372fff58b42c03a14385

SHA512
9bd660d0fda492b23886666452a4f235797f37df5514278fd1c2dc6ea217a9b4e68819f0bd5dc0c51dc804a884eeb30301b36d66f340b2f6874e5c5cec6a4459

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
72KB

MD5
38d4ff9c3c5c3ae6f01e22b45c0dbb98

SHA1
0a2841ad5c133345314e8e61449c8f128984eaf3

SHA256
5360a10d5e06a6ff2e6362664f669ed620f067743a9846c277997c64f8fa689c

SHA512
968d79a89aec5af0737b84daf9ee06ad425b15578c8731d1ccdf61c1f07e50db18ec275436d5abb9797aed3c6f6abf7461cf7f13f8b10049e80b4baeea3fb092

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
72KB

MD5
8ac5b0a7052ab6ef4a339256677b6944

SHA1
39d682f86f87eeea76950232050b2ea6867717c8

SHA256
2dcfc00c2f497eb194c809f538517abdd8404c339b10ecae35ace3ab8eae209e

SHA512
07cf5dbcbd41673bfd398653a40486ad07336c02c5e05c79e87fb1779c51f686861c83001484a6d1c3eea8266a86275e8c7cb0bbd831ea2d54366026b83a8515

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
72KB

MD5
59af53939a8deedd2510c246bcb846d0

SHA1
dd4877126e706190c5546568dbca4c545b1f0ea1

SHA256
b4609ffdac67f042b915a0a9381f0f1d102f3badb56cec001553a3f790218443

SHA512
1d093e29fff4bf2c1a2901f7b2cab0111396e0d7f495511adb99739238c980a79181d5322f8879f2c8c295d09c242a62d9999f5aabc761632dcd20f02ecb0be1

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
72KB

MD5
645e1f6a3230e86a81837255789e4184

SHA1
a13bb1edd27bed5e580c4d2e0bde8a0fe8993be7

SHA256
3b7abf7450004be0b95462f5856819d945c4fd1dc47a6d9d4023e0290c45f467

SHA512
ecfd9411cac7c20c1ea59256ecfb1f8c191887b37649b39bded941f9acda997c8c72a9e97e372dda409f252ef49bd946ae30b95910cd214c0ba3ddc5fef83ff6

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
72KB

MD5
3694abbef547556a0b196b8b50e12515

SHA1
9805e2d0f539c4f9f616d1ecbecba02753bea898

SHA256
a420f862374b7cbae303703056179b228bd4bd117409236c87eb886128d29881

SHA512
8e268a2fd97aba57440d7e89aaf1c01d998782509ab05097961e997b6b10281ba79f3e7230173eb115818c0b1f8a27daf7144c3d78ccefed96ff6ea15858ded4

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
72KB

MD5
b18dadd7f3420a5f3d98f5ac3cf6a487

SHA1
8499bbe3bb1e52f98c048214754b37c1f1dff192

SHA256
a9182c2e350519ca1f831c892e7d33ec9e4a6f15b85286637f5e20ad32745aa8

SHA512
23c7cefae9b0058d78ef7cd72aec3691d276bef2435706f7e49005e7844ba10f8db960783a78ceda32e9c83f213b0ee859b69fe38b812e37c9581ffcb87aeb3d

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
72KB

MD5
d78e8882119638bb046529aa8bdf9f04

SHA1
a7dc8ad52c81455243bb711884d038fac868c8f6

SHA256
fdb1c43d0c3aacf7c1ff6a09c6f60cf6fe5ced2ccae05b10fe8da72bfc505fd1

SHA512
f51a6b8fdbe36e1828a0edd9cfa17aad7c56e684f7cabf8170ea81743da69bf61de1468ca9c49156cae39ac8126e79a4c576993a7a083f6d130b0a9469330f89

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
72KB

MD5
de60ce7f57038ffe46ab1f5f85b97e12

SHA1
661d83fd274a12444dfc9b8f2733ce277e7f1ce9

SHA256
500708de4b854cc5f2e45fbb3cadf9c3c786108d6d5d7ff57c2d35b6b83c38ab

SHA512
dce07cedd6e72d9da0abfcd5d70437d40195aee4f5ed0ccda0a9a44712788a9767b567054dec09c57848b9b5db38e3113f3a25a79984379d6c66936f65a2a7b9

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
72KB

MD5
5c92487882b78394302725de6b77df4d

SHA1
0f282c2e2e736df2f3dac8987173d3018e6e1050

SHA256
0e3cac148082b084480aad092e0068a68a2b6e7edb2b2b7bddd46dfc323f8a0d

SHA512
07aff485ed2c3e5e7eddf57cebafa2fbd00c966418f6f32647d2cc44188f442fdfe38d9e88d8f74624b445e1f6bc221b49d0e625d3bd2c762800c92db7f7e57e

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
72KB

MD5
d542a2f739f9ec576725f9b4a9976675

SHA1
ed659604aa8f4ff1b9d36066d554e3e8a86f6924

SHA256
d322b14856c54b03c331ec900c045f918342fbf804fe98a27f9834c18dea1ef0

SHA512
5783995b07a67bf5f0f7432054bcce8c52a6c67efeeda3337307a90e41dc90f245432447b0e42044781a169647f3df66de587e9c9f9ecc24d3f5b8b651fb075a

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
72KB

MD5
69d723dcf37266216b2fb0d1af1c6e95

SHA1
44f701284fc29da91c8bf6e06a210e5077a95f6d

SHA256
7beee9ac393447ffc484c3d42d9f042b5cf0daba75560f475537ae23c211344d

SHA512
4b804d22f8a2f85e44d1a515a8fc5080ce723235680075e40255cbbc4eea561f094e582db8f46a3cec945a63629b003862987e35a42594b6e418eb5924bc06d3

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
72KB

MD5
689660d773083d2f4bd8ecf5560dd97e

SHA1
c4b05687bd2ba8e4552dd430ebdb9e28bc93f483

SHA256
9d2a6bc30b7debe2f01ce75ddadc22f61e917d8b9991148eac3eeca97cfa0466

SHA512
f031aa8d9d6c2c696d80263f9a91f6095e6180ce67f228f61ae87ab2e94fe2758b5cee92dc62bff0bb219206f46a45195e8168e4f9c7742a67bb90da8b889627

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
72KB

MD5
7e754660212d6916392ad62be20f32bf

SHA1
858febcce219ea351370fe8ee9cb38f364c41ae7

SHA256
aadec194f5b7ac9bee3786f9ca714edb3b1f5eeb26ce2ddc6fe4bea864a294ff

SHA512
5960b2a1db2e98a9f5f924256844ca5a71506da930b0d097398fed355ab9b81f5f51bb2e1e9c384ca2e7dc89dffc764c2afb2b559f548983dfe27b25d9c30273

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
72KB

MD5
152034b8da730d5a0c346a9a9fe9fbff

SHA1
1516b91f6582f00bb875fc20d58a8eed9f259034

SHA256
cb4b81f8ceb7c303375f4b5fbb162ea7c2d36c3e625bb2efe578e439080e95bc

SHA512
a9439a45a92f2c160d143bae600f65cfcca8e2fcee013b93d451fab1f250b7b0efe81955b8fc36f33abfbc3f740d09d1d9306e7e27839f9af2cff546202e560b

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
72KB

MD5
525d35173f80c3e365a98c9a09316a05

SHA1
333ba645f1ec76b191c03818f419003debf971bb

SHA256
cec03b73c7cc6fc61650680c62598f22b2881386af07794558b68992b90ec310

SHA512
669e80bd121fdd59009b6e4d6916b0ce78cfd04867a37cbdacd8e774da395f5a7ab593d87b9cabc91e4d8ad6b8774334678aec99c9d0caeca648f2de1f2d7a6f

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
72KB

MD5
a8dfa32b06348c5cdf7e40771ac4754a

SHA1
cfcdd90744dc91aa4d5cbfaee8bf003b25dcb79e

SHA256
02369c2f2810848103921d5682c8688f5ad7c7a1eb649f42e33addd298d2244b

SHA512
acc83281e1a1b60d58129082d622e7567b4e07dc05553e9bdd6a32092c0adc2f20fd5da2b432ce1083c9718f23644451a6a80205e76800345ed881c7d9e69411

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
72KB

MD5
8b5b7172ca5c25ea1dcc11636cfed504

SHA1
30ad0fa98633f2963761ed69b6dc81a54695d3de

SHA256
716a8808753a40e0268fc6bf3dd30ec3dd8adf7c429d0c8c2c887144a19f07fd

SHA512
0084f94df66b61668022fcc8f0efa30e41164b21f585542d5b4d367686d1cdc3338c36c7c0532c16e096db3b5e693403e3c479380e4e065623306b217824de7c

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
72KB

MD5
480377b14050e78fe3bf68ccf9cbc3c4

SHA1
45abfa4e01b47db733a5a4f769f75f3c3c78edaa

SHA256
b02fc032bc1208e0e1b904cedc78eee6374eb2dd8e7ced0f54e5c04cac224b40

SHA512
5da467968367d5028665df5144054c2a5a48c106d67ebbc3f410090bc421a293e9d9acfc78da4d9c22887134a9911dca51fead7ca9bf6fcda9b0fcd85af5de7b

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
72KB

MD5
ff404789667f02edbeaad32fd3c5cff5

SHA1
a3655da1e4efe6752e372dbe44573a188d29c55f

SHA256
806c56df4ba16d801f9bebb99f5ca49de33f9b30bf6f8a7ddad6a9efbdb579cd

SHA512
02add699422a9472258b04bb99f5c9098f770ce7e95f76cf2d7c776f4d503ebccc3cdf38294fffda7bb32c13124f930c0ecb31bf5da2943079d70db8a744d637

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
72KB

MD5
82ff03f42ef117d2d2cf066316b6c200

SHA1
3629b4ae43b413eac11d65607fc40f5720186af3

SHA256
28b48fa8e6c7342699c271fb1fd20bd9ef2612c93876e6660432a52ebb55a049

SHA512
3372fd7811ac0fad0a6044c1b17605c42f585ef292dab97ed7253b34f74577834b60b7671c7bdcfeb73a10fb81c678573b3a95102b9f27d75dcec455b31fd612

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
72KB

MD5
3c6f0adba88040068f3997963c24c641

SHA1
99b4796c4e4d86ba77398408a4c5de3d8e8c4fe5

SHA256
f1cd17a528257645fa107120a379e2eca74eceb39ac8fc2358938fe2af69bd39

SHA512
f7466cc84db436d87e197ff82dc26b2e37faa9b01809c142cc830c03f0f47b0295c6f6cf94589e9edf6ef0837d221699655ea7f9e12421203358c705c0f6fad5

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
72KB

MD5
ea67c35acd7f9b5159fe9a2744da51c3

SHA1
9d6865853cf70f7d355bc883cf23b99e558ed8fe

SHA256
cce61cc53d05d88534a8996bbfb5d3cdef10086810aea06cbb537237302242ca

SHA512
82b72e89b01f7739598f173a051612053b0b21f07bda75d604b22aa6f3e01c1d02bfc7698716ad8d547f921434b937242dc1f4539ef40d19276f2bf1f315da1f

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
72KB

MD5
06e11be4e27eb9aa7835084f44333e26

SHA1
9c4a943bc2a261bab9a85c0c425458ba819dea78

SHA256
e41116171a4d675385f63db7868cf05b9f34735f0652c6ff591ef382787519a7

SHA512
49455dd2a629fd0dd433ecda1b50087e6335e8cece71cfe4c630804b71351fcbf964398e57ebc2c39fbb7be6875bcfc610464bd89d3772885d32e79fa1b1ac98

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
72KB

MD5
0ea8c2b7b706ed9b0bb2f96a65159dc4

SHA1
9c046bf6f7a7a31adc519ee8a5ede67c66c5315a

SHA256
9d1067280e8d2dc6433e142e9bf98d439be16523663ca4dd9a2b78416bcdeebd

SHA512
1353484f5360a5805f7c1f40e2eba7fd6fafa2b047bc3a7926140f3272953e18e63857c6331ee6b7d0c98bd8a7dc22b916cd7207570ac40bccd5644cae3a04b6

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
72KB

MD5
3ef413dd8d05c362d8b916396fb3d247

SHA1
f2e36ab95a20ef2ab2b99bb306ee19c23a6a43d0

SHA256
37b398325dcc87af05114b0c6245af706093f648ac72b72d8bd770bc4d094309

SHA512
c5a9a7eb4a211dd6a99f5728e2ed53bc1c2b9047aee2c72f22b905a3e8cedeb861a81864e35e53b28595628d1625e060e970b50f6ca27dce72225e95edf8013b

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
72KB

MD5
8cf9cbb79710fc51ebd51ec4750e7037

SHA1
b98be0c1bb60ae8dc00719f020c7857197b96eb3

SHA256
ae567d8c2f5b8c0807f978830b46646bc5a9b75ade49e1efe6052b8b13ef942b

SHA512
661de87ea4da3480d6b363b7b74419d20bc1843568eaa4b8e080fe6a1078545699522ab2b4151868c0526b779e88d28f22eee3c7cbb9a991addc9e792befab29

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
72KB

MD5
3000eae0aa59dfc74551ba69215c82b8

SHA1
8201496e61d90cd9fc7b1e5753b0eaca8a30c623

SHA256
386f7e0c711de70c06f974b3fcdfbb8b5928f7c43bddfc79459aea6fabfb67f1

SHA512
615afb3120953dd1995f287b080e91d221fdd3a2eeada4b5da7fdf1e423e72a86911d2d46b2ff4a76c634f038202a1218524d9903530bcfc9dfda0915bf6ac08

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
72KB

MD5
1e09360f4345b28222053942a489e013

SHA1
89776b9894b53f0be6b1b4bd75e3dfda8f01aa4a

SHA256
46a52ed5e1faff2349c798e8d2c0ff7bb78168e92e64b3df05cf8e5673a45662

SHA512
d69af8a9db7a9a9512a8cdd0e48bcf43e0f5e4a973f7df8edf2f7b2e43adf1e87d4e3206cfe3484d4f16ca6c912b53f70f33a739b1da8b352f9759c29cf50bfc

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
72KB

MD5
9310d764a434d71d8301a2997ce5539a

SHA1
aedb022cb1715de03e1c89636fd05df885b480d9

SHA256
4a7a5d1dfd65b055984bd0458a11bdd3eb874d68ccf1082ec8007f3c99b9f732

SHA512
dd53f9efb3051de880c3b44cab267577244a5f5ea6308e4310d18e8e1ad3307adf01eb69931681053937ad99439f885d4f367c9b055de48ba0cca5cb69b62d47

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
72KB

MD5
92f302f25e1963764a6889d3740fba4c

SHA1
58444b34a1c2317ffb1e3006e8af9be3cb3aa999

SHA256
d20381aa0ee44c746fbc6668d16b156a66a0c75ce0c45e81f054ca444f570da7

SHA512
622c06215f0e34cd20a5e67e8db002aa9a4abc5bf300eb29925539e967755cfa6609a5d539748d9a6a3e142a6a65eb389e18cf9be94f18c0ee8dece34bb3e183

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
72KB

MD5
0de20f74ced21bd636904a5c3dea4bde

SHA1
1abfb3b2a22e009b82ae2cfc97de70afd6b48c34

SHA256
6cc1d07fea301c10932a2e1d930f91dbb420202cd15f951bc192ec7c1d5a0276

SHA512
27bca5d564da862c835388c32cd2f3d3cb470fa68840fdecb4bf97d9befcd143810ff76ce123c8d74cb215cc0eec1c601cc1786396ffc05dec4bc4f3661b4e0c

Download Submit
memory/212-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/916-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/916-541-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/968-515-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/968-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1072-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1072-527-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1120-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1136-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1176-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1344-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1344-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1384-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1512-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1520-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1524-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1672-499-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1672-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1716-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1736-525-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1736-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-511-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2328-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2344-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2396-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2468-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-543-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2868-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-521-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2968-533-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2968-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3012-531-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3012-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3080-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3096-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3144-535-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3144-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3184-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3216-529-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3216-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3236-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3272-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3328-421-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3328-523-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3376-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3548-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3568-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3568-517-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3576-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3644-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3884-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3884-505-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3964-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4068-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4084-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4128-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4356-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4360-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-506-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4472-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4472-519-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4476-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4476-513-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4536-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4564-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4584-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4724-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4724-500-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4748-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4784-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4840-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4840-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4924-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4956-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-537-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5028-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5084-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5088-507-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5088-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download