berbew | bf32f8af4c1aef62437e0ebc2903b5a88b4090543b98a78a16367f4332792dd6

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf32f8af4c1aef62437e0ebc2903b5a88b4090543b98a78a16367f4332792dd6.exe
Size

64KB
MD5

dad268edceb8e7284a8d997cac8ba8c8
SHA1

f7a6a11774a9716b8a6c9a95d2b0b5259f77c4e1
SHA256

bf32f8af4c1aef62437e0ebc2903b5a88b4090543b98a78a16367f4332792dd6
SHA512

936fe45507b3b95fafe2ba74ac79656199b54b6fa319e7fd03a96d0544ffea1e9f1d2721df508a9f4033597b1a733e727f098d7b7c542a0f683792f91627a60d
SSDEEP

768:XlS3Iyg2jfFz+QVG0gxTeC6qhaT8guSzmr74h4YnyZbJ9/47qUWbq4sQ/1H5LJX2:VS4NedgxTezqwZuAqM71WbpVrZuYDPs

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Dmgbnq32.exebf32f8af4c1aef62437e0ebc2903b5a88b4090543b98a78a16367f4332792dd6.exeBjfaeh32.exeCffdpghg.exeDmcibama.exeDaqbip32.exeCenahpha.exeDhfajjoj.exeDdakjkqi.exeDaekdooc.exeBeihma32.exeDddhpjof.exeDdmaok32.exeBapiabak.exeCdhhdlid.exeCnnlaehj.exeCegdnopg.exeDanecp32.exeCfpnph32.exeDhhnpjmh.exeCeqnmpfo.exeCmnpgb32.exeDdonekbl.exeDknpmdfc.exeBjddphlq.exeBhhdil32.exeCjinkg32.exeCmgjgcgo.exeCdcoim32.exeDkifae32.exeBmbplc32.exeCfbkeh32.exeCnffqf32.exeChjaol32.exeDkkcge32.exeCdfkolkf.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bf32f8af4c1aef62437e0ebc2903b5a88b4090543b98a78a16367f4332792dd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 36 IoCs

Processes:

Bjddphlq.exeBmbplc32.exeBeihma32.exeBhhdil32.exeBjfaeh32.exeBapiabak.exeChjaol32.exeCjinkg32.exeCmgjgcgo.exeCenahpha.exeCfpnph32.exeCnffqf32.exeCeqnmpfo.exeCdcoim32.exeCfbkeh32.exeCdfkolkf.exeCmnpgb32.exeCdhhdlid.exeCffdpghg.exeCnnlaehj.exeCegdnopg.exeDhfajjoj.exeDmcibama.exeDanecp32.exeDdmaok32.exeDhhnpjmh.exeDaqbip32.exeDdonekbl.exeDkifae32.exeDmgbnq32.exeDdakjkqi.exeDkkcge32.exeDaekdooc.exeDddhpjof.exeDknpmdfc.exeDmllipeg.exe

pid	Process
1540	Bjddphlq.exe
1668	Bmbplc32.exe
4484	Beihma32.exe
3836	Bhhdil32.exe
2416	Bjfaeh32.exe
3624	Bapiabak.exe
520	Chjaol32.exe
2560	Cjinkg32.exe
2988	Cmgjgcgo.exe
1800	Cenahpha.exe
3456	Cfpnph32.exe
412	Cnffqf32.exe
2644	Ceqnmpfo.exe
2568	Cdcoim32.exe
4976	Cfbkeh32.exe
1700	Cdfkolkf.exe
4572	Cmnpgb32.exe
2676	Cdhhdlid.exe
1868	Cffdpghg.exe
316	Cnnlaehj.exe
856	Cegdnopg.exe
408	Dhfajjoj.exe
1292	Dmcibama.exe
1108	Danecp32.exe
3352	Ddmaok32.exe
4696	Dhhnpjmh.exe
3628	Daqbip32.exe
2928	Ddonekbl.exe
3648	Dkifae32.exe
2772	Dmgbnq32.exe
2464	Ddakjkqi.exe
5016	Dkkcge32.exe
1692	Daekdooc.exe
3728	Dddhpjof.exe
3348	Dknpmdfc.exe
2180	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

Processes:

Cdfkolkf.exeCdhhdlid.exeDmcibama.exeCjinkg32.exeCegdnopg.exeCenahpha.exeCdcoim32.exeBhhdil32.exeDdonekbl.exeBjddphlq.exeCfpnph32.exeDdmaok32.exeBmbplc32.exeBeihma32.exeBapiabak.exeDkkcge32.exeDknpmdfc.exeBjfaeh32.exeCmnpgb32.exeCffdpghg.exeCnnlaehj.exeChjaol32.exeCfbkeh32.exeDaekdooc.exeDddhpjof.exeCmgjgcgo.exeDdakjkqi.exeDmgbnq32.exeDkifae32.exeCnffqf32.exeDhhnpjmh.exeCeqnmpfo.exeDhfajjoj.exebf32f8af4c1aef62437e0ebc2903b5a88b4090543b98a78a16367f4332792dd6.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	bf32f8af4c1aef62437e0ebc2903b5a88b4090543b98a78a16367f4332792dd6.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	bf32f8af4c1aef62437e0ebc2903b5a88b4090543b98a78a16367f4332792dd6.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Ceqnmpfo.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
4492	2180	WerFault.exe	118

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Bmbplc32.exeDdonekbl.exeDkifae32.exeDmgbnq32.exeDkkcge32.exeBhhdil32.exeCenahpha.exeCfpnph32.exeCegdnopg.exeDmcibama.exeDaekdooc.exeBapiabak.exeCmgjgcgo.exeCffdpghg.exeCnnlaehj.exeDhfajjoj.exeDhhnpjmh.exeBjddphlq.exeBjfaeh32.exeCjinkg32.exeCnffqf32.exeCfbkeh32.exeCdhhdlid.exeDanecp32.exeDaqbip32.exebf32f8af4c1aef62437e0ebc2903b5a88b4090543b98a78a16367f4332792dd6.exeBeihma32.exeCeqnmpfo.exeDddhpjof.exeDmllipeg.exeCdfkolkf.exeDdakjkqi.exeDdmaok32.exeChjaol32.exeCdcoim32.exeCmnpgb32.exeDknpmdfc.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf32f8af4c1aef62437e0ebc2903b5a88b4090543b98a78a16367f4332792dd6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe

Modifies registry class 64 IoCs

Processes:

Dmcibama.exeDdonekbl.exeBapiabak.exeDaqbip32.exeBmbplc32.exeCmgjgcgo.exeCffdpghg.exeDdmaok32.exeDddhpjof.exebf32f8af4c1aef62437e0ebc2903b5a88b4090543b98a78a16367f4332792dd6.exeBhhdil32.exeChjaol32.exeDknpmdfc.exeCfpnph32.exeCnffqf32.exeCnnlaehj.exeDhhnpjmh.exeDmgbnq32.exeDkkcge32.exeCjinkg32.exeCeqnmpfo.exeCenahpha.exeDanecp32.exeCdcoim32.exeDdakjkqi.exeBjfaeh32.exeCfbkeh32.exeDkifae32.exeDaekdooc.exeBeihma32.exeCegdnopg.exeCdfkolkf.exeCdhhdlid.exeDhfajjoj.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	bf32f8af4c1aef62437e0ebc2903b5a88b4090543b98a78a16367f4332792dd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	bf32f8af4c1aef62437e0ebc2903b5a88b4090543b98a78a16367f4332792dd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	bf32f8af4c1aef62437e0ebc2903b5a88b4090543b98a78a16367f4332792dd6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	bf32f8af4c1aef62437e0ebc2903b5a88b4090543b98a78a16367f4332792dd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bf32f8af4c1aef62437e0ebc2903b5a88b4090543b98a78a16367f4332792dd6.exeBjddphlq.exeBmbplc32.exeBeihma32.exeBhhdil32.exeBjfaeh32.exeBapiabak.exeChjaol32.exeCjinkg32.exeCmgjgcgo.exeCenahpha.exeCfpnph32.exeCnffqf32.exeCeqnmpfo.exeCdcoim32.exeCfbkeh32.exeCdfkolkf.exeCmnpgb32.exeCdhhdlid.exeCffdpghg.exeCnnlaehj.exeCegdnopg.exe

description	pid	Process	procid_target
PID 1684 wrote to memory of 1540	1684	bf32f8af4c1aef62437e0ebc2903b5a88b4090543b98a78a16367f4332792dd6.exe	83
PID 1684 wrote to memory of 1540	1684	bf32f8af4c1aef62437e0ebc2903b5a88b4090543b98a78a16367f4332792dd6.exe	83
PID 1684 wrote to memory of 1540	1684	bf32f8af4c1aef62437e0ebc2903b5a88b4090543b98a78a16367f4332792dd6.exe	83
PID 1540 wrote to memory of 1668	1540	Bjddphlq.exe	84
PID 1540 wrote to memory of 1668	1540	Bjddphlq.exe	84
PID 1540 wrote to memory of 1668	1540	Bjddphlq.exe	84
PID 1668 wrote to memory of 4484	1668	Bmbplc32.exe	85
PID 1668 wrote to memory of 4484	1668	Bmbplc32.exe	85
PID 1668 wrote to memory of 4484	1668	Bmbplc32.exe	85
PID 4484 wrote to memory of 3836	4484	Beihma32.exe	86
PID 4484 wrote to memory of 3836	4484	Beihma32.exe	86
PID 4484 wrote to memory of 3836	4484	Beihma32.exe	86
PID 3836 wrote to memory of 2416	3836	Bhhdil32.exe	87
PID 3836 wrote to memory of 2416	3836	Bhhdil32.exe	87
PID 3836 wrote to memory of 2416	3836	Bhhdil32.exe	87
PID 2416 wrote to memory of 3624	2416	Bjfaeh32.exe	88
PID 2416 wrote to memory of 3624	2416	Bjfaeh32.exe	88
PID 2416 wrote to memory of 3624	2416	Bjfaeh32.exe	88
PID 3624 wrote to memory of 520	3624	Bapiabak.exe	89
PID 3624 wrote to memory of 520	3624	Bapiabak.exe	89
PID 3624 wrote to memory of 520	3624	Bapiabak.exe	89
PID 520 wrote to memory of 2560	520	Chjaol32.exe	90
PID 520 wrote to memory of 2560	520	Chjaol32.exe	90
PID 520 wrote to memory of 2560	520	Chjaol32.exe	90
PID 2560 wrote to memory of 2988	2560	Cjinkg32.exe	91
PID 2560 wrote to memory of 2988	2560	Cjinkg32.exe	91
PID 2560 wrote to memory of 2988	2560	Cjinkg32.exe	91
PID 2988 wrote to memory of 1800	2988	Cmgjgcgo.exe	92
PID 2988 wrote to memory of 1800	2988	Cmgjgcgo.exe	92
PID 2988 wrote to memory of 1800	2988	Cmgjgcgo.exe	92
PID 1800 wrote to memory of 3456	1800	Cenahpha.exe	93
PID 1800 wrote to memory of 3456	1800	Cenahpha.exe	93
PID 1800 wrote to memory of 3456	1800	Cenahpha.exe	93
PID 3456 wrote to memory of 412	3456	Cfpnph32.exe	94
PID 3456 wrote to memory of 412	3456	Cfpnph32.exe	94
PID 3456 wrote to memory of 412	3456	Cfpnph32.exe	94
PID 412 wrote to memory of 2644	412	Cnffqf32.exe	95
PID 412 wrote to memory of 2644	412	Cnffqf32.exe	95
PID 412 wrote to memory of 2644	412	Cnffqf32.exe	95
PID 2644 wrote to memory of 2568	2644	Ceqnmpfo.exe	96
PID 2644 wrote to memory of 2568	2644	Ceqnmpfo.exe	96
PID 2644 wrote to memory of 2568	2644	Ceqnmpfo.exe	96
PID 2568 wrote to memory of 4976	2568	Cdcoim32.exe	97
PID 2568 wrote to memory of 4976	2568	Cdcoim32.exe	97
PID 2568 wrote to memory of 4976	2568	Cdcoim32.exe	97
PID 4976 wrote to memory of 1700	4976	Cfbkeh32.exe	98
PID 4976 wrote to memory of 1700	4976	Cfbkeh32.exe	98
PID 4976 wrote to memory of 1700	4976	Cfbkeh32.exe	98
PID 1700 wrote to memory of 4572	1700	Cdfkolkf.exe	99
PID 1700 wrote to memory of 4572	1700	Cdfkolkf.exe	99
PID 1700 wrote to memory of 4572	1700	Cdfkolkf.exe	99
PID 4572 wrote to memory of 2676	4572	Cmnpgb32.exe	100
PID 4572 wrote to memory of 2676	4572	Cmnpgb32.exe	100
PID 4572 wrote to memory of 2676	4572	Cmnpgb32.exe	100
PID 2676 wrote to memory of 1868	2676	Cdhhdlid.exe	101
PID 2676 wrote to memory of 1868	2676	Cdhhdlid.exe	101
PID 2676 wrote to memory of 1868	2676	Cdhhdlid.exe	101
PID 1868 wrote to memory of 316	1868	Cffdpghg.exe	102
PID 1868 wrote to memory of 316	1868	Cffdpghg.exe	102
PID 1868 wrote to memory of 316	1868	Cffdpghg.exe	102
PID 316 wrote to memory of 856	316	Cnnlaehj.exe	103
PID 316 wrote to memory of 856	316	Cnnlaehj.exe	103
PID 316 wrote to memory of 856	316	Cnnlaehj.exe	103
PID 856 wrote to memory of 408	856	Cegdnopg.exe	104

C:\Users\Admin\AppData\Local\Temp\bf32f8af4c1aef62437e0ebc2903b5a88b4090543b98a78a16367f4332792dd6.exe
"C:\Users\Admin\AppData\Local\Temp\bf32f8af4c1aef62437e0ebc2903b5a88b4090543b98a78a16367f4332792dd6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SysWOW64\Bjddphlq.exe
  C:\Windows\system32\Bjddphlq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\SysWOW64\Bmbplc32.exe
    C:\Windows\system32\Bmbplc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Windows\SysWOW64\Beihma32.exe
      C:\Windows\system32\Beihma32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4484
    - - C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3836
      - C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:520
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 396
        38⤵
        Program crash
        
        PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2180 -ip 2180
1⤵
PID:880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bapiabak.exe

Filesize
64KB

MD5
a68bce9a8a94582870769b7af5f33b9b

SHA1
e35698d11268ba2862687ac402690c83a51bd7bb

SHA256
c12dcdd0ca4ed27feca039d37e916e77cc599998b34924ba2b6ee843bc98416f

SHA512
1b63a5991791b9562a22cca5128e341149771ea846ed54c04c6d2f0ce5ae083cffd16570dc4febca3855c94558c505e3a4116da7ad9c946b68c5de7acab4d079

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
64KB

MD5
1d9114eb73289eda811f5ccea19530d0

SHA1
04ebafc9e1b503d75cf07c4be54e23c447ec5f24

SHA256
3364ffb5ef221642ca3febefa935c4e3a176ffe28cb7d907b9ee8c26b668e391

SHA512
d68968d397876879fee645ec477ecf8959f05687dda8514a67981fc3d75df88c78d4e478c35b764b472585857d56dda315ffed9348c52ed6358add602e17b61e

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
64KB

MD5
b40704b95c21d67d87d278e536e1e177

SHA1
654a124208ab60446027ce41c5c541f1273f2bf8

SHA256
d1b2b53370f72d7986d0758499cd132d1e8bf02aa5ea4cd69513622109c8b165

SHA512
1ef7a52ab91130855171b42cdc37f103d4af5063016155ab652c5ea2a8f1e79e1172436da83e09ccdd6b6a7cad0d09f02e0278488698433f906f57d0d2931f1a

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
64KB

MD5
a0d2d08c1a210d1238a2596901d73c36

SHA1
cc3bfc5d3c3fc67ce067609656dedd153362221b

SHA256
949dead0137070d1cce55d741179c53161612b82afbb2e56245574fc389111a2

SHA512
264b902b2db0ef522b19eab470177e481b976ff40dde14a6700f347e088166c39fb889af3f70aaf4b1d7cfe9be1523a9955184ff6b22cd6e7728daf28aad8916

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
64KB

MD5
abb23eda323ad60fe61c230ba514cbff

SHA1
9cd818dbe9aff6b3483bc1fb07350faaf2cd4063

SHA256
d2efc39a7d62d5209b6b3066b83f0993555561ec9aec07974297eeab5700845e

SHA512
77a0cfd3d5a77a2a85eb48677bc1f6069b297b71e406cb0ac3e56f3f853fe73729c663736aa847be1f73873ff153c7282f183c31d5ed383f9499179b5423e152

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
64KB

MD5
0a1ebefff067cd87dbb263af1c4cafa5

SHA1
9e42c6a2df9956246dd150e57734e1f5e42cf3da

SHA256
0905eb04e48046cabe0849136c85f4aeb50937cb4a96a1aa3aa3f2b89ca4273c

SHA512
622f7d54d3b19e6fd5c312f1c9acd358e601ef5dff60a8b612ba3257c4d34f17ff59fccf18acf4c9f759e69609d57a4f0ab5e01848459f0f3f8be67680278709

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
64KB

MD5
5ce4f3a684540622c219a82d08c357ba

SHA1
fb74ed6817ba8c0bc154fe757ffe8fd152276450

SHA256
ef8b2a5cb598e3081f61771327e51fd078152dd12329a4e4f3e36c462e13eaba

SHA512
ea92ba8f43fea305eea5b6f481f446e905dff3a6487311cae7b72e6227e6e7cc5ca18f836ada1824f7f6044210891078fe40f511886cb0e2abfe9a6cee038f5d

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
64KB

MD5
b180b1cec3d109c333a1e1f8ebc30f30

SHA1
a808a60af50db60dab833dc23c3fa0547b591331

SHA256
bec98febba75cf041186036ec5dfefee9041e3929d30ff72bd8eb3ee443702a9

SHA512
5a247bd3aef33b34484211bfbbede0b96e1084eeb976864ea87c95c815e6b28800a2e6cad83d7999248baed6bf88d80e9b3a97bfb23843303f720abb6cc4ec69

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
64KB

MD5
b30e323d4bf2ee31013bd3bd59585d51

SHA1
2404232bd694ff3a4500a4362a43ff9b749f2df1

SHA256
5152b4aa08b1f58d2a7e7cbaf9f5f2ffbe7d69e999def75394807ffd81e5c076

SHA512
18ea6aff51e1729446f2948e6636276fc3019ca7a8ae9fded2eccf1e9ae25a0040edbab1ca7dafbf5db48eea23c3ad0e81c40fa5cdc0e49316f570c79669ae8d

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
64KB

MD5
a6e4f8cfdc63974a8c59390bc2aa9878

SHA1
6252a4a3808dd9d8832869058f9f3bb0c36cdc70

SHA256
3e68e61a4577d5a056614b9d1139a5dbbf352e4eebe5724308f15673134953e7

SHA512
b57040a614cfd6c82a93ac537501287c81225b97ea6b56615698e0a34de18e308f890d3ff2a69c3c69d8cce0650f4186e44a6144316b43b278110643acb89510

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
64KB

MD5
ba6ab615697f25893ec9e098eb17971a

SHA1
24a86df0228323a30e2f9bf265dafe13fd1fa568

SHA256
5435f87bc81fd9ebe1a0686a9d5f5d20e5b564454a03ab94a78f47343f5f523b

SHA512
5237b153a47a68d62d4c6bcb5c4c0719f10a816fb62c269ac98a5a5fab2c4adfc033349f59e6056362c1460a283e04ce8752f09f6c4a527ca686a55f0ef48424

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
64KB

MD5
e1b77d0bae484f3bb85185bd990fa119

SHA1
0307d9ab5a5f821d48746300329a20b02f408418

SHA256
1ff3f2acf0465a43c915ae32b4d93b4eaa8a1243133127a1b2adc19afe287024

SHA512
e121e2286954cf242b9749564b6f9d043de3d3b735b28e96dfd9bae1539b68468bd254c8365007dcf4bc6ef23129af864b656c5bfc04359d3c789c41e91e3e19

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
64KB

MD5
8cc4235a3ab119e2ad855ac4344374ae

SHA1
d04835966469bb583030e2b6ba2b8f517209704d

SHA256
565f88a58a9c99f9595651d667eb4c8f2709a677c742e5461b0067e1de89b346

SHA512
69192e28e62139c3f7db0ec8f1d6f365d6b68fe5b2a94c45d1c583d55324b94691183be5a067960926974749411c785f148af0936f8c2400ae88a0e7ec13d6ca

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
64KB

MD5
e9fbf40677a908e593410eab81f649bd

SHA1
6f7b92d730c05f43b8a29238f9318b19e2b318d2

SHA256
c89432a2c34017f8d01a37d6c06bab69e0f0da878db34deae9e29369d69f83b3

SHA512
31a82b269b72c689f335a13ef55c617e4e29708f9e54bf581aa2ed11039906e4eebe12a6b43109f9c495f776345bcfa2052241ce157a4fd1e0b69d959c74b9a3

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
64KB

MD5
23f3c9e7495c63b071e354354c8cf1e5

SHA1
ebb5b224024e1fcabde9990f8bd298def058dc6d

SHA256
b987ad1c7866ee4e73db130bfa89f5d36932d1e83d36b81956ba6f13a09fff7e

SHA512
c4dc6c5731dc1b6827bce885789daabc91763cb50fe149fdd26046286c1c8101b319edba0020f033fb9d104fd0b7ca758279e78d6e1b5638695e6e61e9e2be6c

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
64KB

MD5
6bd9d107be6742eff9f62cf8bc260cb3

SHA1
deb64ba8e46c3ad12918f0c71e47f0c4b52dbbfb

SHA256
ae4c6fbf0c5f5125fe6bbf3e683942609b511066be49795215b27030d39671f7

SHA512
b2e1586fdc078b5f70b03aa73b89f968b9632d541876ca9005985431987f9d6a282e4cb794c5f028e9d363a54d8504fc5ef2307bf7be04bee8ea75fb5c1c763c

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
64KB

MD5
da17ba3c8ad74e7d6ae7addcbe2533e6

SHA1
24b3a6dc4814cb16379c93684096a8911e591c02

SHA256
6c1e5b9d92dae53aff77b90328eddd094a09f545500e67b00bbd8dc6fd56754c

SHA512
a8365735f2e9da70d9ddc23043be18ff590aac39282fc1d78c464b6483c923b1a1f38288d3f6e170f9da582e1918f78b1a4b0fc8a81e623ff0a0c7a313ed2496

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
64KB

MD5
14cef1eecb334959b8697e969ad0df53

SHA1
455be88cb1f60e2a58eac25e3a3739e828d37f2b

SHA256
5bc1a699470bbe2ff523803ba917a193d96762a69f9ad2ce7c0ba653fd90a115

SHA512
14778a64d61a7b0f56d32c89ca4ba2965b1be66dc906eb1a89fcaaca86898836840f3d52cf13e3f4279a6c9fe1edd7bd6adb602a523bd28a239bf90b5c68f1da

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
64KB

MD5
0f0c8fa709269c7395a60803b9a73f5b

SHA1
d6219736725cbf38a2feef15d373c16663365498

SHA256
134e61722a3b451b27fdc655e890f1a2d3b15f058cc66ea03a8012883eded42a

SHA512
377beb70d8f8b394c87f22b8622abafdf9793e7b981affc652e5ba438351a2711fa9f047179d4cbf240a773d1fcaac0d073c3978f92a7f9cc9bb6681394b570d

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
64KB

MD5
61ff932c91519caecebef8a1180351cf

SHA1
591e5cec65bcd536ff17bbd3b586407f52563a2a

SHA256
9c42426e8b24a36f5e0ec7bbbfae37a408cc2bce672449371d453a1239212fab

SHA512
7b963a4cbeab880460b0dbf930952bf6f66bf3fd6d27d6f35edb218fd7f2f0b75ced2e3e8408d354e1f8bc6cdd2c788ec995c0a7a2998aad575a5da2069a0ec3

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
64KB

MD5
5aac8f7ec656da1cfd9e56550cf8abdc

SHA1
57a94cb959763c388f3c53f1ec6c4428674e8813

SHA256
5181210197fa2f419a75786bb0d99328f69d3c610182d613d708441877aca797

SHA512
2e8d4e053a7b79c743ed9c5c3df4fc7d57ac7afcc2d55222a952af1a5fa41dd731e075ac47d2c005b0d346b6ddcaff5867ffadb07d7ef0b21522496567e7c343

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
64KB

MD5
5636fd144c165c7ad9d1a6effe5fe499

SHA1
d0eb7d9b706b3c975d5f36d057c4122f164c9e87

SHA256
6c0179de174be3b8fea0b50e28388a5b907a00632a36f493fc6d85ecfd18c961

SHA512
a8b2c28cc2f9ff03bd426f224408ec2d1d9fa36193ee20e65e97b458f48f5f84e651aebc3ca0c5730f37592de7ddec4324647ae75d5268ac09f6f7ab10494f48

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
64KB

MD5
b0de2fee19b462eb4c93faed82a6b8a2

SHA1
22a02278e2bb1ccdd8f254eff8a3a219ad196302

SHA256
8e0c347c5c9a04fff10d0b7dfa9744359af994f616e5af116f5c10760af0d1ee

SHA512
074ba724a9076841743ecc5f6b5ce39a1114b82545eac891fef140fb21f7f1f45acd85c92405fcc22c97e7d11f6c327bc8f84d8ed6cf85c7c18e34671bbb71b4

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
64KB

MD5
c0cf4bb798656907c963f52473bb7549

SHA1
4f7e39c8f44ae0df470a011ba80962d6ba04aa53

SHA256
5c0b1ee2396dfc4fb82b02fc108640c6aa54880e94b12956733d50927767b16e

SHA512
0572751009da19a782f8fec8d6181bb75377735fabeb3dde13f0a30524c69485f20b156ccb8253cde5890d9472e92d7cdc514bab130471eaaf1a894d7e913e0e

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
64KB

MD5
b121e722a3adcd23f6884e7822c73680

SHA1
25ca49066010cce436f24d134f6435c1daba0038

SHA256
e42c304b53d4ef55f864bf33f6f7c758438f2ff765a4d7d9172875f0d5ce8334

SHA512
78b4e22b76b0e56b52b7e1af2a2df09d486b3d40e55281f17c5f6db1e9188afed2d778638b664037723ed096ad639ecea6201d569d39aaa8fbfd8fb7b84c8b10

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
64KB

MD5
08ed91099b16c9ede7436e24f97e3200

SHA1
3af738ce91c14801e81d3c37e465d119b2180c3d

SHA256
d81cc58f62aaae982c736b6ca0b3edaff81c6842c7911711cecc025d93c027ba

SHA512
c7a1d1c60660735def558c9731c84d7a5366731360065468d3615595aff11e9ce4754dce6a65c0af162709dd2b1edc90b300ddbfc6c93b49a8361d5e202a6c7d

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
64KB

MD5
a8e69164fce4e774d7aa461622ac3d1c

SHA1
7d9f9e16944353c731e56d9f19838a928e970a24

SHA256
ff1b7b84f63e365877b31e55cf8bc34a05c6d286f324d67f900285e4befd3580

SHA512
415219258525071087fc14328bccbf1c2b1ede58f2abcc38d99e05998db6c66c0af12ccca07b167dda2931b6704a653b373fdf936370a59d3c76d860b60b7088

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
64KB

MD5
7f17f5495ac22219411c74bacb8d65db

SHA1
50d6075adaac5216e5a5effccd899a479bbf73e9

SHA256
ce7b7ec7a629aeaad8722dfebb1ab8a82e2ef3ec5cb513dac373085d8ffa93f1

SHA512
dd1d076d28f9c8e5a10fa832fba1d2c903b07373e380c5ebdf766f7f9243caf75d0d1204a1bb28d1d02b8a0298a4fe0253bba43b842c9b54f7fb97d6878afeec

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
64KB

MD5
d3bfacd4402bfb396436b8c1ac7ac204

SHA1
42d4a342bb432a540518027dc15b8e788548d507

SHA256
5b5b9c7c675f1c6d5ed5c20e3136be2885d73098c8117ee662df1abfa26cf122

SHA512
e7e4dfff80102a81d75b13829298b5ca2fa4b198ddd61434ac4193d6cf1b58e3b153320d4831614b328882ec4b26752b350504d7d47fdfffd67f52d774b2f660

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
64KB

MD5
9fa1a9d360d619b65ecdf16c1bf2f182

SHA1
025c9edb3e6de0e64f0bdb110680cc2b74e5e0eb

SHA256
823569fefc9fd2192df18562d2e299269b118a6f6d4d7f1cc2b91824ea25dcf6

SHA512
5006b41663dba179ce6875e8f667602b8d29afc664bfb3d2d4abcae88042dbacd9a0a72e9b2b4233216600a93db5b09692f35f9c78abda12596447e9852debbd

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
64KB

MD5
e13bbe320f3e681f34a0a99c6f73c2d4

SHA1
9d7db538d9134b0e10aacc15558cadc5165e1328

SHA256
945cb680914e036380b9fcd23dfd746a4afcb7983972196c19adccb3798427d3

SHA512
9873125d0352a18ae6e8bd3b67f14d5a9c83c45fdd0fbc80eb321cd699c4a9f7686b77dc04e488d462a53b6d7d63b6ac2083494332eb63d6f6e707cb35f4e94a

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
64KB

MD5
6bb6498ea0c2adf88cbc26cef75a2fd6

SHA1
9e998729ab187825d0fd6195b1301ec2e47715e9

SHA256
d11b29644c0684115e2553fc70a6475e5c82459539e55edc1fc6d78b49d61a7a

SHA512
7d8558c2a90633ff742d369db0215277d9e4f36b175b7cddf81251faa853212916649efa00ece1364396529893c47cda762edb8b257058bf85234b4ecb495367

Download Submit
memory/316-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/316-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/408-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/408-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/412-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/412-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/520-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/520-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1292-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1684-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3348-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3348-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3352-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3352-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3456-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3456-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3628-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3628-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3648-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3648-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3836-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3836-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download