berbew | efdddc66987e11bc6fb40557cefb855d703e19e703d8db59235d15e3b72a4b3a

Analysis

max time kernel
92s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 05:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efdddc66987e11bc6fb40557cefb855d703e19e703d8db59235d15e3b72a4b3a.exe
Size

96KB
MD5

2c9c890d1a609d51c1d10c2582392667
SHA1

504a8d92523dd0982c8f12b3c8e4e802bc0258ba
SHA256

efdddc66987e11bc6fb40557cefb855d703e19e703d8db59235d15e3b72a4b3a
SHA512

c56ea08768fc51ddb9414a6e325e55367f4b5d18e283ae94ec8b8fcafe2f0eb56e168d7a79a8ca72358eb87f4362cdf55674413fe6a75a4ce9e4a3b7ca26ac44
SSDEEP

1536:1hMHk6PmRlsAJEdU12qgnX15mFO7f5SbV+AlThQL5duV9jojTIvjrH:Lx6+R7JEdc2nmFWK+YK5d69jc0vf

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Dfpgffpm.exeDeagdn32.exeBgcknmop.exePjjhbl32.exeAnadoi32.exeAfoeiklb.exeBnmcjg32.exeBmbplc32.exeCenahpha.exeDknpmdfc.exeAqkgpedc.exeBaicac32.exeDaconoae.exePcncpbmd.exeBjddphlq.exeCajlhqjp.exeDkifae32.exePjmehkqk.exeDjgjlelk.exeCffdpghg.exeDhhnpjmh.exeCndikf32.exeCmqmma32.exeDdakjkqi.exeAminee32.exeAjckij32.exePjhlml32.exePcbmka32.exeQqfmde32.exeQdbiedpa.exeAeiofcji.exeBjfaeh32.exeCeckcp32.exePqpgdfnp.exeBgehcmmm.exeCfbkeh32.exeDhfajjoj.exeBnhjohkb.exeQgqeappe.exeAjhddjfn.exeCfmajipb.exePqbdjfln.exeQjoankoi.exeBcebhoii.exeDdonekbl.exePqdqof32.exeQqijje32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcebhoii.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

Processes:

Pqpgdfnp.exePcncpbmd.exePflplnlg.exePjhlml32.exePqbdjfln.exePgllfp32.exePjjhbl32.exePqdqof32.exePcbmka32.exePjmehkqk.exeQqfmde32.exeQdbiedpa.exeQgqeappe.exeQjoankoi.exeQqijje32.exeQgcbgo32.exeAqkgpedc.exeAjckij32.exeAeiofcji.exeAnadoi32.exeAqppkd32.exeAjhddjfn.exeAabmqd32.exeAfoeiklb.exeAminee32.exeAgoabn32.exeBnhjohkb.exeBcebhoii.exeBjokdipf.exeBaicac32.exeBgcknmop.exeBnmcjg32.exeBeglgani.exeBgehcmmm.exeBjddphlq.exeBmbplc32.exeBeihma32.exeBhhdil32.exeBjfaeh32.exeBapiabak.exeBcoenmao.exeCfmajipb.exeCndikf32.exeCenahpha.exeCfpnph32.exeCaebma32.exeCfbkeh32.exeCagobalc.exeCeckcp32.exeCnkplejl.exeCajlhqjp.exeCffdpghg.exeCmqmma32.exeDhfajjoj.exeDopigd32.exeDanecp32.exeDhhnpjmh.exeDjgjlelk.exeDaqbip32.exeDdonekbl.exeDkifae32.exeDaconoae.exeDdakjkqi.exeDfpgffpm.exe

pid	process
5088	Pqpgdfnp.exe
2388	Pcncpbmd.exe
3684	Pflplnlg.exe
5080	Pjhlml32.exe
2352	Pqbdjfln.exe
2808	Pgllfp32.exe
3820	Pjjhbl32.exe
2292	Pqdqof32.exe
4968	Pcbmka32.exe
4328	Pjmehkqk.exe
2880	Qqfmde32.exe
4488	Qdbiedpa.exe
2344	Qgqeappe.exe
5068	Qjoankoi.exe
3612	Qqijje32.exe
4128	Qgcbgo32.exe
2864	Aqkgpedc.exe
3496	Ajckij32.exe
4636	Aeiofcji.exe
3416	Anadoi32.exe
1900	Aqppkd32.exe
4116	Ajhddjfn.exe
3056	Aabmqd32.exe
444	Afoeiklb.exe
4700	Aminee32.exe
5048	Agoabn32.exe
2072	Bnhjohkb.exe
1892	Bcebhoii.exe
2004	Bjokdipf.exe
3212	Baicac32.exe
2316	Bgcknmop.exe
4440	Bnmcjg32.exe
2296	Beglgani.exe
2500	Bgehcmmm.exe
1600	Bjddphlq.exe
1528	Bmbplc32.exe
1404	Beihma32.exe
4944	Bhhdil32.exe
4816	Bjfaeh32.exe
1864	Bapiabak.exe
2312	Bcoenmao.exe
4516	Cfmajipb.exe
4168	Cndikf32.exe
2516	Cenahpha.exe
220	Cfpnph32.exe
4936	Caebma32.exe
2912	Cfbkeh32.exe
4152	Cagobalc.exe
2868	Ceckcp32.exe
2872	Cnkplejl.exe
2308	Cajlhqjp.exe
4668	Cffdpghg.exe
2648	Cmqmma32.exe
3032	Dhfajjoj.exe
2876	Dopigd32.exe
3308	Danecp32.exe
3328	Dhhnpjmh.exe
1660	Djgjlelk.exe
3044	Daqbip32.exe
3676	Ddonekbl.exe
1896	Dkifae32.exe
216	Daconoae.exe
4484	Ddakjkqi.exe
1492	Dfpgffpm.exe

Drops file in System32 directory 64 IoCs

Processes:

Qdbiedpa.exeAeiofcji.exeAqppkd32.exeBhhdil32.exeDhhnpjmh.exePqdqof32.exeBcebhoii.exeCfmajipb.exeAabmqd32.exeBjddphlq.exeDaconoae.exePgllfp32.exeQjoankoi.exeBgcknmop.exeCfbkeh32.exeCffdpghg.exeQgqeappe.exePqbdjfln.exePjjhbl32.exeAminee32.exeAgoabn32.exeCagobalc.exePqpgdfnp.exeAjckij32.exeAjhddjfn.exeBnmcjg32.exeCndikf32.exeCaebma32.exeDdonekbl.exePcbmka32.exeBgehcmmm.exeQgcbgo32.exeCnkplejl.exePjhlml32.exeBeglgani.exeBmbplc32.exeCajlhqjp.exeDkifae32.exePflplnlg.exeDeagdn32.exeQqijje32.exeCeckcp32.exeQqfmde32.exeAqkgpedc.exeAfoeiklb.exeBapiabak.exeDdakjkqi.exeDfpgffpm.exePjmehkqk.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Pcbmka32.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Ajckij32.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qqijje32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cfbkeh32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4260 3572 WerFault.exe Dmllipeg.exe

pid	pid_target	process	target process
4260	3572	WerFault.exe	Dmllipeg.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Cajlhqjp.exeCenahpha.exeDkifae32.exePflplnlg.exeQgqeappe.exeBjddphlq.exeBapiabak.exeBcoenmao.exeQqfmde32.exeBgehcmmm.exeBeihma32.exeDopigd32.exeQjoankoi.exeCeckcp32.exeBcebhoii.exeDaconoae.exeQdbiedpa.exeQgcbgo32.exeAfoeiklb.exeDaqbip32.exeDhocqigp.exeefdddc66987e11bc6fb40557cefb855d703e19e703d8db59235d15e3b72a4b3a.exePcncpbmd.exeAjckij32.exeAabmqd32.exeCnkplejl.exeQqijje32.exeAnadoi32.exeBhhdil32.exeCffdpghg.exeDfpgffpm.exeDknpmdfc.exeDdakjkqi.exeBnhjohkb.exeBmbplc32.exeCaebma32.exeCmqmma32.exeDjgjlelk.exePqbdjfln.exePcbmka32.exeAqppkd32.exeAminee32.exeCfpnph32.exeBgcknmop.exeCndikf32.exeDhhnpjmh.exePqpgdfnp.exePgllfp32.exeAqkgpedc.exeAgoabn32.exeBjokdipf.exeDdonekbl.exeDeagdn32.exeDmllipeg.exePjhlml32.exeAeiofcji.exeBaicac32.exeCagobalc.exePjjhbl32.exePqdqof32.exeBnmcjg32.exeCfbkeh32.exeDhfajjoj.exeDanecp32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efdddc66987e11bc6fb40557cefb855d703e19e703d8db59235d15e3b72a4b3a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe

Modifies registry class 64 IoCs

Processes:

Bgcknmop.exeBapiabak.exeCaebma32.exeCnkplejl.exeDopigd32.exePjjhbl32.exeBcebhoii.exeBjokdipf.exeCffdpghg.exeAnadoi32.exeAfoeiklb.exeAgoabn32.exePjmehkqk.exeQqijje32.exeQgcbgo32.exeDdakjkqi.exeBjfaeh32.exeDkifae32.exeDeagdn32.exeDknpmdfc.exeBgehcmmm.exeBjddphlq.exeAqkgpedc.exeAqppkd32.exeCfpnph32.exeCagobalc.exeDhocqigp.exeBmbplc32.exeBhhdil32.exeDjgjlelk.exePjhlml32.exeQdbiedpa.exeAjckij32.exeBeihma32.exeDanecp32.exePcbmka32.exeDdonekbl.exePcncpbmd.exeCeckcp32.exeDhfajjoj.exeBaicac32.exeCfmajipb.exeefdddc66987e11bc6fb40557cefb855d703e19e703d8db59235d15e3b72a4b3a.exePgllfp32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	efdddc66987e11bc6fb40557cefb855d703e19e703d8db59235d15e3b72a4b3a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgllfp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

efdddc66987e11bc6fb40557cefb855d703e19e703d8db59235d15e3b72a4b3a.exePqpgdfnp.exePcncpbmd.exePflplnlg.exePjhlml32.exePqbdjfln.exePgllfp32.exePjjhbl32.exePqdqof32.exePcbmka32.exePjmehkqk.exeQqfmde32.exeQdbiedpa.exeQgqeappe.exeQjoankoi.exeQqijje32.exeQgcbgo32.exeAqkgpedc.exeAjckij32.exeAeiofcji.exeAnadoi32.exeAqppkd32.exe

description	pid	process	target process
PID 4564 wrote to memory of 5088	4564	efdddc66987e11bc6fb40557cefb855d703e19e703d8db59235d15e3b72a4b3a.exe	Pqpgdfnp.exe
PID 4564 wrote to memory of 5088	4564	efdddc66987e11bc6fb40557cefb855d703e19e703d8db59235d15e3b72a4b3a.exe	Pqpgdfnp.exe
PID 4564 wrote to memory of 5088	4564	efdddc66987e11bc6fb40557cefb855d703e19e703d8db59235d15e3b72a4b3a.exe	Pqpgdfnp.exe
PID 5088 wrote to memory of 2388	5088	Pqpgdfnp.exe	Pcncpbmd.exe
PID 5088 wrote to memory of 2388	5088	Pqpgdfnp.exe	Pcncpbmd.exe
PID 5088 wrote to memory of 2388	5088	Pqpgdfnp.exe	Pcncpbmd.exe
PID 2388 wrote to memory of 3684	2388	Pcncpbmd.exe	Pflplnlg.exe
PID 2388 wrote to memory of 3684	2388	Pcncpbmd.exe	Pflplnlg.exe
PID 2388 wrote to memory of 3684	2388	Pcncpbmd.exe	Pflplnlg.exe
PID 3684 wrote to memory of 5080	3684	Pflplnlg.exe	Pjhlml32.exe
PID 3684 wrote to memory of 5080	3684	Pflplnlg.exe	Pjhlml32.exe
PID 3684 wrote to memory of 5080	3684	Pflplnlg.exe	Pjhlml32.exe
PID 5080 wrote to memory of 2352	5080	Pjhlml32.exe	Pqbdjfln.exe
PID 5080 wrote to memory of 2352	5080	Pjhlml32.exe	Pqbdjfln.exe
PID 5080 wrote to memory of 2352	5080	Pjhlml32.exe	Pqbdjfln.exe
PID 2352 wrote to memory of 2808	2352	Pqbdjfln.exe	Pgllfp32.exe
PID 2352 wrote to memory of 2808	2352	Pqbdjfln.exe	Pgllfp32.exe
PID 2352 wrote to memory of 2808	2352	Pqbdjfln.exe	Pgllfp32.exe
PID 2808 wrote to memory of 3820	2808	Pgllfp32.exe	Pjjhbl32.exe
PID 2808 wrote to memory of 3820	2808	Pgllfp32.exe	Pjjhbl32.exe
PID 2808 wrote to memory of 3820	2808	Pgllfp32.exe	Pjjhbl32.exe
PID 3820 wrote to memory of 2292	3820	Pjjhbl32.exe	Pqdqof32.exe
PID 3820 wrote to memory of 2292	3820	Pjjhbl32.exe	Pqdqof32.exe
PID 3820 wrote to memory of 2292	3820	Pjjhbl32.exe	Pqdqof32.exe
PID 2292 wrote to memory of 4968	2292	Pqdqof32.exe	Pcbmka32.exe
PID 2292 wrote to memory of 4968	2292	Pqdqof32.exe	Pcbmka32.exe
PID 2292 wrote to memory of 4968	2292	Pqdqof32.exe	Pcbmka32.exe
PID 4968 wrote to memory of 4328	4968	Pcbmka32.exe	Pjmehkqk.exe
PID 4968 wrote to memory of 4328	4968	Pcbmka32.exe	Pjmehkqk.exe
PID 4968 wrote to memory of 4328	4968	Pcbmka32.exe	Pjmehkqk.exe
PID 4328 wrote to memory of 2880	4328	Pjmehkqk.exe	Qqfmde32.exe
PID 4328 wrote to memory of 2880	4328	Pjmehkqk.exe	Qqfmde32.exe
PID 4328 wrote to memory of 2880	4328	Pjmehkqk.exe	Qqfmde32.exe
PID 2880 wrote to memory of 4488	2880	Qqfmde32.exe	Qdbiedpa.exe
PID 2880 wrote to memory of 4488	2880	Qqfmde32.exe	Qdbiedpa.exe
PID 2880 wrote to memory of 4488	2880	Qqfmde32.exe	Qdbiedpa.exe
PID 4488 wrote to memory of 2344	4488	Qdbiedpa.exe	Qgqeappe.exe
PID 4488 wrote to memory of 2344	4488	Qdbiedpa.exe	Qgqeappe.exe
PID 4488 wrote to memory of 2344	4488	Qdbiedpa.exe	Qgqeappe.exe
PID 2344 wrote to memory of 5068	2344	Qgqeappe.exe	Qjoankoi.exe
PID 2344 wrote to memory of 5068	2344	Qgqeappe.exe	Qjoankoi.exe
PID 2344 wrote to memory of 5068	2344	Qgqeappe.exe	Qjoankoi.exe
PID 5068 wrote to memory of 3612	5068	Qjoankoi.exe	Qqijje32.exe
PID 5068 wrote to memory of 3612	5068	Qjoankoi.exe	Qqijje32.exe
PID 5068 wrote to memory of 3612	5068	Qjoankoi.exe	Qqijje32.exe
PID 3612 wrote to memory of 4128	3612	Qqijje32.exe	Qgcbgo32.exe
PID 3612 wrote to memory of 4128	3612	Qqijje32.exe	Qgcbgo32.exe
PID 3612 wrote to memory of 4128	3612	Qqijje32.exe	Qgcbgo32.exe
PID 4128 wrote to memory of 2864	4128	Qgcbgo32.exe	Aqkgpedc.exe
PID 4128 wrote to memory of 2864	4128	Qgcbgo32.exe	Aqkgpedc.exe
PID 4128 wrote to memory of 2864	4128	Qgcbgo32.exe	Aqkgpedc.exe
PID 2864 wrote to memory of 3496	2864	Aqkgpedc.exe	Ajckij32.exe
PID 2864 wrote to memory of 3496	2864	Aqkgpedc.exe	Ajckij32.exe
PID 2864 wrote to memory of 3496	2864	Aqkgpedc.exe	Ajckij32.exe
PID 3496 wrote to memory of 4636	3496	Ajckij32.exe	Aeiofcji.exe
PID 3496 wrote to memory of 4636	3496	Ajckij32.exe	Aeiofcji.exe
PID 3496 wrote to memory of 4636	3496	Ajckij32.exe	Aeiofcji.exe
PID 4636 wrote to memory of 3416	4636	Aeiofcji.exe	Anadoi32.exe
PID 4636 wrote to memory of 3416	4636	Aeiofcji.exe	Anadoi32.exe
PID 4636 wrote to memory of 3416	4636	Aeiofcji.exe	Anadoi32.exe
PID 3416 wrote to memory of 1900	3416	Anadoi32.exe	Aqppkd32.exe
PID 3416 wrote to memory of 1900	3416	Anadoi32.exe	Aqppkd32.exe
PID 3416 wrote to memory of 1900	3416	Anadoi32.exe	Aqppkd32.exe
PID 1900 wrote to memory of 4116	1900	Aqppkd32.exe	Ajhddjfn.exe

C:\Users\Admin\AppData\Local\Temp\efdddc66987e11bc6fb40557cefb855d703e19e703d8db59235d15e3b72a4b3a.exe
"C:\Users\Admin\AppData\Local\Temp\efdddc66987e11bc6fb40557cefb855d703e19e703d8db59235d15e3b72a4b3a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Windows\SysWOW64\Pqpgdfnp.exe
  C:\Windows\system32\Pqpgdfnp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Windows\SysWOW64\Pcncpbmd.exe
    C:\Windows\system32\Pcncpbmd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Windows\SysWOW64\Pflplnlg.exe
      C:\Windows\system32\Pflplnlg.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3684
    - - C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
      - C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4116
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:444
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4700
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2296
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3328
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:216
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:3572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 212
        70⤵
        Program crash
        
        PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3572 -ip 3572
1⤵
PID:4320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
96KB

MD5
3d366faeb3d131e8cb51203df7f8cb02

SHA1
8e610b6bedde6f174c1fd437fdd7e76f667b6c49

SHA256
aa4eb87673bd16cd853cce7d736abda2a8d591c77a3192dc6c64d38cad66faef

SHA512
6f0ce0bde8dc143b5425af86a5014d36717df85b3236fcc4a01295372a0e9d6f20ee3dee99000d10c486b22c0c721f06b7e2423ca2127e28b4b0b144f364fa33

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
96KB

MD5
797d0d4c0e1b264dc2268c1669982e3a

SHA1
5c17e7cdb8b1af45d4e7e816928fcf7008237a95

SHA256
95e36d0737d0469348514b173acedce7aa43848bd44a9d15860efdbeae309833

SHA512
aa991a0341aa568960ff38dd631b0d6b92a675af332145edd605d2372dce6021b113a2082eca364b9ded7f323550557de52cb63f912be2f3f97f0f1c89d9f851

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
96KB

MD5
676c18010788ba63dc0116301663704c

SHA1
d4e04c7015172dd41b6c90701f6f4d603534838d

SHA256
db75ef6b5e589287e74c2cc4b9906b94c4c10528598595f846bcff161b03850d

SHA512
77b010adbf67fbf38e38ab0bb8f4a8a5fdc2218ae4b4b038150103ddc3b4735c549fde5d2379f93a23ec4726593259d2b1cf069f9377cc2bd74be0c5b293a087

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
96KB

MD5
e1a789b88a93d9997726c331cd43eaa6

SHA1
4424f8bf9671ddf468eae4a59bd14cbc76531a1d

SHA256
24b720fd77f359b4735bb395320cffcdb32cb76d198db9d36ca942fbd28bdc7f

SHA512
187d777e8d132a6eb79ffae4ad1c5eef1e980d17f8ee1ff2a18a3555fd61b850a89e087affae3165724b2105904a05f0f408367c075a7befa5ea915f897138c0

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
96KB

MD5
d29db79c2972a20658849ec67efb8c07

SHA1
663de18e5cbd2af1bfa3a8b321d2a1f94c34774f

SHA256
c02cee0b9e903e67f6ec43baa6099b16aec30926a3f26552f194b5c7818b9bb4

SHA512
3429df6517bd9fe49e846a68881d8de8bd5afc0b7ae718c68c72a4e22c1954f7b527fd01fe24af035e5f0f6156e964ab65fade05f71e635b77baddba8f3dd0f8

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
96KB

MD5
fcc4f353661cb455015eeb9b3f5e5e96

SHA1
44ee2791724ff5235d190f8e331b0b45746ae19c

SHA256
18cb26950f1a8445c8fe67380222c911d168bc9faa87abdccc954ffd78a2d13e

SHA512
a4b34746ae4d64f9a9b598ada5e6b88ca94d0cf68c61e8bc73059dfbe7d0b94087a3e72a49c770afc30587c45f1ef7312e0c64957c4be7efed8cec137c175354

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
96KB

MD5
c017e39f167aac87bdad393e5191e920

SHA1
5ed647ed5f539c404c4b76e710689c745803b447

SHA256
82b302d225d090417a913286ead8f8f20d242321eb5c9a003d326b0c676fec10

SHA512
2eeb818882974641b31abc0781d7ecf35fae941ce267eab05f8cb3358ebe60d50fdeee3aadf8c6a91c286125d360bef8e1923568cfc20d880d2a8bb3bd1c4e5e

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
96KB

MD5
1fcf7ee630c18a118ebfe7a8eb07ab4a

SHA1
e1acab969f8818dd88f29929a02ced3d8e108f37

SHA256
74b36b5e25aef643bec439ac7520b9a47e4c11e7b3ad2457e47cdf9771f463d0

SHA512
7538e1ba19656bd1eacc64306b84e08ab2e0883246b7a06b55025bd274d1092b1ceb64990f55343e21a142e5c50a69fc213bacb5397992a9ffec07b0a5443d42

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
96KB

MD5
f15eccd437878c8318f2c6bba0c209d7

SHA1
11082e582fdbd20ea4e1ff04edae3d1151796909

SHA256
3423f3089a0ec5cd7c8f8b06e4a6a75ab52ba0183ef4d4cd848e5567b65c97ed

SHA512
cbb80c6162e6b71e60a9c6e068e1ca2b290db369664445bf6e6453a05558ee029ef54853473bf995c1ccc6a5bf7450c5ac951540198ad27f87ea6e70a4092201

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
96KB

MD5
c80500517a1f08b0d6f697484dd4c917

SHA1
8e1b19b5d067e8cb56a1a5d80b803c10c8284b39

SHA256
22c230543102a37655274417e765a95189f399db09817b4d7b80ddb14d828bb7

SHA512
e01243da421d98006a5196ab0b8c425c9e0a426d0def7034724fde09f435d649fbe8b489077413eaad0b2d966962e492669a5732ce0e23d2bc7ff04e711b7252

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
96KB

MD5
3caaa5fcf02c11debf6e33c6a8405d25

SHA1
c629f4e2f57a57e21bad18d30d33f7528b3cd80c

SHA256
f2edb508b0ab322caf14871cfaf5938f0273e908f18656fe9b17f27ee0680eae

SHA512
d5bdd4a3ffd284019fb4a98e410e2c608996f438639d7efe0d9abde6ee8369efa8975e7db2cc0c29e767ecabb7015c195c979062ec566b6d83e610db63bb117a

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
96KB

MD5
0bb38749864ab3c561d03497fe3e818d

SHA1
58af62d8f4c43a001d70a93532592ea53c05c053

SHA256
6a4e1adfa63945da1733343fb7854774a0a16969d68e4981f33f9bf7ff3176f2

SHA512
c6dbb7940472699625dd20dcf8b4402a31742cf898e79a21d4bc0f799a47e12f99e4830945ad181c686dfba6c727a647f991341999de1a737f79f0525946ba8f

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
96KB

MD5
eae5a3b4938ae7b416b8dd02b8e24671

SHA1
ee2e45a174b015739d32b2e9722189dba6b3a052

SHA256
b1cf2ed148bd62f06a5d37bbbabb4cfc082a6aa7ebeee18fb41848a767feb7a4

SHA512
ff9dfd04f73cc87ca64761d2916820663a5819d3c7a39be369c9275b9acc500a0e8fc20c230ff267621c775c90fa3168fe9837f7b62d2c786f2035975abea32a

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
96KB

MD5
bc494bd4ebb3b2dd01ed1d5ce5387629

SHA1
b771935fc97f0ae0f7343a497a5beecaf3930439

SHA256
2cd750dd3c55d38aff8ea7cb3854dc05fc895ce962ea4a402a69ff5981689c1e

SHA512
dfa480efa9f36ab55336b9b4a30c9877f0ba6156f8ec4f20132d8dd1ae7d59215c228c4fab4c6cada2c9d510d774381bee4fa2fc207e39adba0393d4cd688279

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
96KB

MD5
5a398bdf79bab9d1c525f542e5d4e7ce

SHA1
af94f248df51e305b397f10ae10c4627d65f123b

SHA256
1d3ca1c9d64071cb1cd3857ec9218992aff7b84e8e0838ef78528b5de0edd84b

SHA512
7b0a5e01f2f575b6b9f15e3d320996f60c4a770883eff37cf65060e15f7442152a8d4baac8d82806d05e4f7219837961428b34e35d9096aed8580d0435a2e067

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
96KB

MD5
3b486d3d491876d0f3f4fa4fe35c5087

SHA1
dd23f4bb7f4558e6616de0a6347dad9f9c42987e

SHA256
3e7e46008108608f6ff92732526a6a40cece678635c3cec7f4ef3f3907c1b111

SHA512
52b1af9cbcacedb4715c97b6f13fe9c658b268a8105a33832f635012cdaf1d3b9a8e7e42cc9f136553f3bf41a80dcff7b5d83aa01d78a2a4e28bd68ac4042137

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
96KB

MD5
ab11c544b0cdc4e40ac68eefc0ade163

SHA1
dfae863e9e01d23cc6127c328a1e010ee30afb7e

SHA256
905320b05d73334b08fe4580e2de88855dec28c6ff199553526047519d204b7c

SHA512
98969df2989dd310150fcc69699804c40b61afba5e18d301f170a0d04643301ca500bcfce216229d6009e3f47ff160f27bc4f6a33b021210e9cda3aab013b1c3

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
96KB

MD5
6da71cdc2e323cb44e9a8ff568a83faf

SHA1
838d5f0263e23665c6fc6bf62af6fd01cc3879cc

SHA256
0bc91423c8eaa34bbffb356ace035429f9dd2383d97c9a0973a651c561eec201

SHA512
5f3ae5aa6673b51f62c6074a409f54a82bb089d68b55ae3326f54f371886aecde992a3d9e47a434dadda0d3edf30018457d42d78fd552c303427a63595f3c0b9

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
96KB

MD5
ccf45dbca955a73551997950dadb53c0

SHA1
b132e04f78b92ae641079bd07a735140580a6ce8

SHA256
0134dccfed09bf8c8659b2ecb6e1fc9c26275207b390164d1030e2ceea72317e

SHA512
1889cd663bf9a35fe4bb2b20720f9f909cb3513d40bd6d79815cdbaca9326de046d19b128f27cb1a6ea99d685cc8f2e9b3bfdb5c27f1bfe3bc1aa517e816613d

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
96KB

MD5
b7163be9eaa55a162069142f758471e1

SHA1
f5656a2c1f12dcdff8a93f068aaa91a646cdafa1

SHA256
46a6bad05310fe68530944ef49c29fcd173f8cb86572eb54d4ab55bd4cafc921

SHA512
cb9bb250548b0ea5236fc915c410ed1b10d02de97b925372dbe6f69c3f758692178840a811552183c86d9a9786a7194d4969f1178ec50bf59bb2464b96913a8a

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
96KB

MD5
1ef0e62fca4b45bf40779bcff8791a7f

SHA1
a8fd31bbb3b14450f59c9b52886b8177c45a6942

SHA256
cff51fdead112c32601a04aa4d01693af3fe8660ac9372b4ede8cb604a2fb68e

SHA512
3aae2f406c01a804d1ce1c31f750c10694ae6705f5578564380c5abddea4c360a72d0a602982ff88a382cd5b71ba11b01cf1b3455d6e1ead2d84aea152089c98

Download Submit
C:\Windows\SysWOW64\Dbagnedl.dll

Filesize
7KB

MD5
eea2b32c7663839db2d3d82cccdd15b4

SHA1
396be90748ac92746687b9e8010b24112a559c4a

SHA256
067f88cfc5805e692798d25214566b9a2a3dc7f61f30fc72196fef8ce16df124

SHA512
5251023c2d0dca5a5aea3edb9c7947ed7a9912b9951198e796be742052c30cfce05ebb74444e1e5d6c6349920cd2ee96c093abec9b2874915a58d47f392dd009

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
96KB

MD5
ec079e680afb5d504ec2c2caa88f9a48

SHA1
d43d6b20dbe66cabeeb77017205c04c25d3d6d2c

SHA256
7cc8ee7049f71638b22301abe3c6329f74eda12a1705327c1a45128e089fec4f

SHA512
54dec92e260164d801e9333d04c51e79dbc7caaee8bac3e3e84cb0b5d7849eb9c91056d70cb4b5dd0b5097ac4e39f4acd4231455f79c68d4090c0b5e3afd64f7

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
96KB

MD5
66ce894f091f29b2e66e888285c5aa26

SHA1
e7a925ad8721cb140d8220939336f4abe682c803

SHA256
ba72ec59f9626e50c5be350003a0c292fa8b66a28c59bcfaf24c221e46753798

SHA512
b955776a8e54e930b496cb5c9c6fd9aa41b4e1395ec3ebe6fd7cd14bd1b80deb50825604f6964822de3d3be97977ce455947c65776d051e2cd3509f2f53f7f6a

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
96KB

MD5
a7a526acf2ab26ec65087c9b2d712c6f

SHA1
e5ffb66a47faf89f6b6de26e5534dbe92d8a9e14

SHA256
cfee6a2797dcb841dad53292632cff1ee1b128aad1ba9e097d6b12266cf69224

SHA512
181d2e8644f735e77585bf5bd0a2db6700e6cb05eeab258796f9d017aae3af0945be5836bef6953b20f05858ac1ae9c9386fe38bbf60b0b1894acdee5023ecab

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
96KB

MD5
2d3748346ada1dbf92c46b7cfdeefb89

SHA1
3cebc62e5a0fea11f24c2aa0d10fd78d0e140756

SHA256
a801c7996452e80549c9c8fbf90d6e1306b56818d359e7c1e3f2bf0534843e3f

SHA512
f90ed054666942b0a72a70586510c3aac92dc08d6237d0e803b1e4cd3633575123bb1e7e97dcfef9354dfe1d084bd896911d9942bbaf6d5696c855697f836b0e

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
96KB

MD5
1d263e888cd7681e46be63326dfe6b49

SHA1
c9ad53654d2089fd80d289c2bd34f185f637d32f

SHA256
b347e93f5c0f3e661784c6fc08d7e240b59c27e629d3c6656ebf68fa8e3ef3ac

SHA512
9c75757bd6bb445e8416a325f536cd8a78398a5708c095857a9b60b0cb5ff423874073ce2af5bfbcee6c79584e4c30481a4f269745b1ace054abc456af84d702

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
96KB

MD5
20dd7f1000bede54e00a8bab3b228515

SHA1
a14bae983bb83d8f8afdce52ae71e925e64ba31b

SHA256
38ca7621a450fb7b1e9e5a979da97e9e4bc7231ae507c18366b59f0834ab9c87

SHA512
d9e941839857fdf55c8262143e2b15f8d33de80b0d4ff1fd6831533bc95326c65bd2f02962089f42182c24c33039fce970e28b823df1eed302fbe42ffb64459f

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
96KB

MD5
434e3d30a373ecad40b67dbc47605166

SHA1
3dd71a77b7a7a4df5307ff08902121d0139d466d

SHA256
ed0cb162206e3cdd53dce96f34ec48a2455c6647084d22a378ef2d938b176d69

SHA512
c4936b32526458cba165ad0fe3921f516b7b8dd7863767b7233bc5834a27c062406bebe292aeb9b6d0f76c1a091d3e13918b8ac803754f776e3aa386a960cc84

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
96KB

MD5
a0615548c185cf6b6ffdf7880b4af96d

SHA1
8dfc34b89a5e7eaf9b006d93637b045e6067e40e

SHA256
724b433df7b1bc62c10fcce095777f0fdd665ff6e6fa85737c8ac95bf799d6e1

SHA512
6a2500b20e6bcbf7a8bbbac86c9e5381dd2bcf603d0025097a98c0d8a9c28531d07feb359f9f2e8dbeb369583a7db6fa9daea020e8d1bbcaa4666c953b975a31

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
96KB

MD5
2d6f9a366ddd390a2a0c0c74a75edd0f

SHA1
a18581473bcfbbaa87dc2fc98fb96e2138cea79d

SHA256
394aec998e4c1e40b22679f45dd1ce5007d4b75ca937a5329131a86bde2de635

SHA512
3708acf2a9e5d61df0f3c1985dd4779c40ea172a34f4ea58d4467f2372d6590c575530b71c3ea1a2df766cf80b0b9724d6bddbc478ea1e18bc40accf50b4f85e

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
96KB

MD5
60c8d4c0568de7dc00162616ce719c35

SHA1
f8d8ffcb2546c81be768c1e00271d8da19312a09

SHA256
56a38f168f3d4486c8e2365ce735b62f17204d0170598e0662b5657f1887c423

SHA512
e5ee529cb7731169b4941499d7e981e79961563836e20c4374e2213293d29a0323898b6535f8212566f1eefbd2ea8a15442be7f418ca4e54f031d9e6e1bd361b

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
96KB

MD5
ec130cabea8b71a3d6298748a6694cef

SHA1
959ba1716d7be0db70ac90f8a3a64c363439a126

SHA256
ff61cc198cb61ba4a8d49504bd53c04653433040bd68604a218760ae31ecbe50

SHA512
a41a802ab428f99463bc9b4cf7be9b84e9c14e8b9f09203bd31d4a90fe91a7cb63c271385e6375c43214ea524ccab27846af8eaca0615adbd0b374ee18f4faa0

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
96KB

MD5
aced545e39b2b5a9bb9d077ab17f7162

SHA1
4e05095671d50d9191c68639cf620f97c0fb9652

SHA256
a854eccd2a8b6b8ce7ae260001186e10de18539fa39c8481a25e81c24784e6c6

SHA512
83b5d0655e0a76cf7f3c906a965babb1dd02abf5e4a9d8669562e8dbad4dbfc8b439c3a7ab26419ca475da4b9ab4f70d5002d030eef84da0c1bf965cb41a6ac6

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
96KB

MD5
57b61a0981d4219971292ad98075784d

SHA1
6ac55ded411ed63c062cf9bd208167d93a763532

SHA256
38ed93d8e673c971f610031c5b323d3e6c61102d67e4cb4458f4850ed8c1ecc0

SHA512
1fa46c30b045472645579b75e9435e1eaa8b5553dff024d62ddf763b80dd8427565f167485d2204b8d75da54ab7e2fd652043f0d4f0ca0b1254f4f2c0f8a91fd

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
96KB

MD5
639a48cdce961175f3b02579288b5bc0

SHA1
7663d8786c2648f812227780a99faa1e470d6ce6

SHA256
201fa996807efe078e368a9b1b2660cf17a9b8135557a5f86219fb2e92b41210

SHA512
a08f3fb793e5738d340de127adcb385b3ff426b579b2c7086a6c2011517957a5c925ea97aaf8ea26206b32eed897e1fe03f48b9c7fde90e0b2f4ac1658d05675

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
96KB

MD5
ad1f4a5b7eeba67788261781c6bb44d5

SHA1
c046b3425d54095e996d7833d2577837b683b2e5

SHA256
d2ffc8389d296255213717c7a2b48efda9a27ff0e583e62476c4cfefc21896d3

SHA512
2728766acc37c690662aa7ba571e9869fe07795a60a84e59eee6094c8c59be1207b25b6b74f348a5d4305d9ed6718012a04475ca38470238f35104d0fdf9077d

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
96KB

MD5
6feb1ac7863a1680b7bcbe1ba23a7867

SHA1
6e635caf6c315d0cde2880fc15ecfea3369084a8

SHA256
fc7139a93218c04bcda942f711ceae60b37a2f19ad0d95433a5fced816c9b33f

SHA512
c508ace2ec3af16334f9a5c80f9a3f2239fdb558c98a3334b031fa3eb85e639a7ff0e0ea2333c60f9cb3334ed87073646d406b5abeebc8dc95edf1809f5b0851

Download Submit
memory/216-479-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/216-436-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/220-334-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/220-496-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/444-191-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/532-478-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/532-454-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1404-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1436-464-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1436-475-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1492-448-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1492-476-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1528-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1600-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1660-483-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1660-412-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1864-308-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1892-223-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1896-480-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1896-430-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1900-167-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2004-231-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2072-215-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2292-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2296-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2308-370-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2308-486-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2312-310-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2316-247-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2344-104-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2352-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2388-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2500-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2516-497-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2516-328-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2648-489-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2648-382-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2808-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2864-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2868-492-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2868-358-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2872-364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2872-491-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2876-394-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2876-485-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2880-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2912-494-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2912-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3032-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3032-488-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3044-482-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3044-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3056-183-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3212-239-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3308-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3308-487-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3328-484-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3328-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3416-159-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3496-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3572-473-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3572-472-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3612-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3676-481-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3676-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3684-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3820-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4116-175-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4128-127-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4148-466-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4148-474-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4152-493-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4152-352-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4168-498-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4168-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4328-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4440-255-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4484-477-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4484-442-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4488-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4516-499-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4516-316-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4564-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4636-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4668-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4668-490-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4700-199-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4816-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4936-495-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4936-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4944-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4968-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5048-207-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5068-111-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5080-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5088-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download