berbew | 533df45f81a942c8dc2c8fd11b0f8fc37eed0d476faf414e27132a1a0e019a27

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

533df45f81a942c8dc2c8fd11b0f8fc37eed0d476faf414e27132a1a0e019a27N.exe
Size

232KB
MD5

b6f413ca78a81c19c0d03b2d94de1890
SHA1

b9e8b5f91d59fd52c2b1cbde32422f0919c9216c
SHA256

533df45f81a942c8dc2c8fd11b0f8fc37eed0d476faf414e27132a1a0e019a27
SHA512

d75ee0631908ff8e539ee1647ddfb08ced71f645d294a56dd0c48f62093c2d613b855b319b2fa3b6e6d09a035b29a762b84ebbdb3b1673421e608c20a5f1524b
SSDEEP

3072:t5NNfTKy7usluTXp6UF5wzec+tZOnU1/s5HH0AU/yRvS3u121TzlbNRfzPadOF:vNNfTKy6s21L7/s50z/Wa3/PNlPX

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Agglboim.exeCjinkg32.exeQjoankoi.exeAmpkof32.exeAmgapeea.exeBmngqdpj.exeCffdpghg.exeDaekdooc.exeBebblb32.exeBjokdipf.exeDdonekbl.exePclgkb32.exeOcgmpccl.exeQqijje32.exeCnicfe32.exeOlmeci32.exePgnilpah.exeQffbbldm.exeAcjclpcf.exeAeklkchg.exeBeihma32.exeBfkedibe.exeOgpmjb32.exeQceiaa32.exeAfmhck32.exeCmiflbel.exePjhlml32.exeAjfhnjhq.exeBmemac32.exeCdhhdlid.exeDhfajjoj.exeDeokon32.exeDogogcpo.exePgefeajb.exeBnmcjg32.exeCmgjgcgo.exeAnfmjhmd.exeBeglgani.exeBelebq32.exeDobfld32.exeAcqimo32.exeBnpppgdj.exeCajlhqjp.exePcppfaka.exeCmlcbbcj.exeCegdnopg.exeDodbbdbb.exeBclhhnca.exeDmefhako.exeAmbgef32.exeBganhm32.exeBfhhoi32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

Processes:

Olkhmi32.exeOgpmjb32.exeOlmeci32.exeOcgmpccl.exeOjaelm32.exePqknig32.exePgefeajb.exePmannhhj.exePclgkb32.exePjeoglgc.exePdkcde32.exePjhlml32.exePcppfaka.exePqdqof32.exePgnilpah.exeQmkadgpo.exeQceiaa32.exeQjoankoi.exeQqijje32.exeQffbbldm.exeAmpkof32.exeAcjclpcf.exeAmbgef32.exeAgglboim.exeAjfhnjhq.exeAeklkchg.exeAfmhck32.exeAmgapeea.exeAcqimo32.exeAnfmjhmd.exeAccfbokl.exeBnhjohkb.exeBebblb32.exeBganhm32.exeBjokdipf.exeBmngqdpj.exeBeeoaapl.exeBffkij32.exeBnmcjg32.exeBeglgani.exeBfhhoi32.exeBnpppgdj.exeBeihma32.exeBclhhnca.exeBfkedibe.exeBmemac32.exeBelebq32.exeChjaol32.exeCjinkg32.exeCmgjgcgo.exeCabfga32.exeChmndlge.exeCnffqf32.exeCmiflbel.exeCdcoim32.exeCnicfe32.exeCmlcbbcj.exeCdfkolkf.exeCfdhkhjj.exeCmnpgb32.exeCajlhqjp.exeCdhhdlid.exeCffdpghg.exeCnnlaehj.exe

pid	process
2740	Olkhmi32.exe
4876	Ogpmjb32.exe
548	Olmeci32.exe
1004	Ocgmpccl.exe
1092	Ojaelm32.exe
3016	Pqknig32.exe
3420	Pgefeajb.exe
2684	Pmannhhj.exe
4268	Pclgkb32.exe
4668	Pjeoglgc.exe
3044	Pdkcde32.exe
4896	Pjhlml32.exe
2512	Pcppfaka.exe
4396	Pqdqof32.exe
2628	Pgnilpah.exe
4516	Qmkadgpo.exe
4776	Qceiaa32.exe
1352	Qjoankoi.exe
4752	Qqijje32.exe
1028	Qffbbldm.exe
732	Ampkof32.exe
376	Acjclpcf.exe
2044	Ambgef32.exe
3880	Agglboim.exe
2920	Ajfhnjhq.exe
2108	Aeklkchg.exe
996	Afmhck32.exe
3052	Amgapeea.exe
4696	Acqimo32.exe
4212	Anfmjhmd.exe
3056	Accfbokl.exe
4376	Bnhjohkb.exe
3248	Bebblb32.exe
4100	Bganhm32.exe
3636	Bjokdipf.exe
4940	Bmngqdpj.exe
428	Beeoaapl.exe
992	Bffkij32.exe
888	Bnmcjg32.exe
5008	Beglgani.exe
1336	Bfhhoi32.exe
820	Bnpppgdj.exe
2972	Beihma32.exe
4000	Bclhhnca.exe
3484	Bfkedibe.exe
5064	Bmemac32.exe
3480	Belebq32.exe
3980	Chjaol32.exe
2516	Cjinkg32.exe
1288	Cmgjgcgo.exe
2704	Cabfga32.exe
1540	Chmndlge.exe
4872	Cnffqf32.exe
1428	Cmiflbel.exe
2724	Cdcoim32.exe
3816	Cnicfe32.exe
4200	Cmlcbbcj.exe
4540	Cdfkolkf.exe
4964	Cfdhkhjj.exe
4572	Cmnpgb32.exe
4264	Cajlhqjp.exe
5112	Cdhhdlid.exe
1628	Cffdpghg.exe
1420	Cnnlaehj.exe

Drops file in System32 directory 64 IoCs

Processes:

Cmgjgcgo.exeBeeoaapl.exeDeagdn32.exeBebblb32.exeBelebq32.exeDmefhako.exeCnnlaehj.exeDodbbdbb.exeOgpmjb32.exeQqijje32.exeAnfmjhmd.exeCegdnopg.exePqknig32.exeQceiaa32.exeAfmhck32.exeBmngqdpj.exeAmpkof32.exeDjdmffnn.exeDaekdooc.exeOjaelm32.exePjhlml32.exeCdcoim32.exeQmkadgpo.exeOcgmpccl.exeBganhm32.exeBjokdipf.exeBfhhoi32.exeDogogcpo.exePqdqof32.exeAgglboim.exeBnpppgdj.exeBclhhnca.exeCmiflbel.exePgefeajb.exeQjoankoi.exeCabfga32.exeCdhhdlid.exeOlmeci32.exeAcqimo32.exeCffdpghg.exeCmlcbbcj.exePcppfaka.exeAmbgef32.exeAmgapeea.exeDhfajjoj.exeDobfld32.exeChmndlge.exeCajlhqjp.exeDhhnpjmh.exeDfpgffpm.exePmannhhj.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Olmeci32.exe	Ogpmjb32.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Elocna32.dll	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Pcppfaka.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pgefeajb.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Anfmjhmd.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1504 4004 WerFault.exe Dmllipeg.exe

pid	pid_target	process	target process
1504	4004	WerFault.exe	Dmllipeg.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Qjoankoi.exeAeklkchg.exeBclhhnca.exeCdhhdlid.exeDfnjafap.exeOjaelm32.exePmannhhj.exeCdcoim32.exeBnpppgdj.exeBelebq32.exeBebblb32.exeBeglgani.exeBeihma32.exeBmemac32.exeDfpgffpm.exePgnilpah.exeQffbbldm.exeBnhjohkb.exe533df45f81a942c8dc2c8fd11b0f8fc37eed0d476faf414e27132a1a0e019a27N.exePjhlml32.exeBfhhoi32.exeDjdmffnn.exeDmefhako.exePgefeajb.exeBmngqdpj.exeBeeoaapl.exeCmgjgcgo.exeCmiflbel.exeDmcibama.exeQceiaa32.exeAfmhck32.exeBffkij32.exeCabfga32.exeCmnpgb32.exeCffdpghg.exeOcgmpccl.exePqdqof32.exeCdfkolkf.exeQmkadgpo.exeBfkedibe.exeBganhm32.exeCnffqf32.exeDobfld32.exeDdonekbl.exeDeagdn32.exeAcjclpcf.exeAmbgef32.exeBnmcjg32.exeCnicfe32.exeAcqimo32.exeChjaol32.exeCegdnopg.exeDhfajjoj.exeDejacond.exeOlkhmi32.exeAjfhnjhq.exeCnnlaehj.exeDogogcpo.exePclgkb32.exePcppfaka.exeAmgapeea.exeBjokdipf.exeCmlcbbcj.exeCfdhkhjj.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	533df45f81a942c8dc2c8fd11b0f8fc37eed0d476faf414e27132a1a0e019a27N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe

Modifies registry class 64 IoCs

Processes:

Beeoaapl.exeCdcoim32.exeDhhnpjmh.exeOcgmpccl.exeCnnlaehj.exeAcqimo32.exeOlmeci32.exeAmbgef32.exeBnpppgdj.exeCfdhkhjj.exe533df45f81a942c8dc2c8fd11b0f8fc37eed0d476faf414e27132a1a0e019a27N.exeBelebq32.exeAmpkof32.exePgnilpah.exeQqijje32.exeAgglboim.exeBjokdipf.exeBeglgani.exeCnffqf32.exeCdhhdlid.exeAnfmjhmd.exeBganhm32.exeBclhhnca.exeCmgjgcgo.exePjhlml32.exeBmngqdpj.exeCmnpgb32.exeBmemac32.exeCmiflbel.exeDhmgki32.exeDeagdn32.exeBfhhoi32.exeBnmcjg32.exeDjdmffnn.exeQceiaa32.exeCajlhqjp.exePcppfaka.exePqdqof32.exeCegdnopg.exeDmefhako.exeDodbbdbb.exeDfpgffpm.exePdkcde32.exePclgkb32.exeAcjclpcf.exeBeihma32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	533df45f81a942c8dc2c8fd11b0f8fc37eed0d476faf414e27132a1a0e019a27N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	533df45f81a942c8dc2c8fd11b0f8fc37eed0d476faf414e27132a1a0e019a27N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnamnpl.dll"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocgmpccl.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

533df45f81a942c8dc2c8fd11b0f8fc37eed0d476faf414e27132a1a0e019a27N.exeOlkhmi32.exeOgpmjb32.exeOlmeci32.exeOcgmpccl.exeOjaelm32.exePqknig32.exePgefeajb.exePmannhhj.exePclgkb32.exePjeoglgc.exePdkcde32.exePjhlml32.exePcppfaka.exePqdqof32.exePgnilpah.exeQmkadgpo.exeQceiaa32.exeQjoankoi.exeQqijje32.exeQffbbldm.exeAmpkof32.exe

description	pid	process	target process
PID 2324 wrote to memory of 2740	2324	533df45f81a942c8dc2c8fd11b0f8fc37eed0d476faf414e27132a1a0e019a27N.exe	Olkhmi32.exe
PID 2324 wrote to memory of 2740	2324	533df45f81a942c8dc2c8fd11b0f8fc37eed0d476faf414e27132a1a0e019a27N.exe	Olkhmi32.exe
PID 2324 wrote to memory of 2740	2324	533df45f81a942c8dc2c8fd11b0f8fc37eed0d476faf414e27132a1a0e019a27N.exe	Olkhmi32.exe
PID 2740 wrote to memory of 4876	2740	Olkhmi32.exe	Ogpmjb32.exe
PID 2740 wrote to memory of 4876	2740	Olkhmi32.exe	Ogpmjb32.exe
PID 2740 wrote to memory of 4876	2740	Olkhmi32.exe	Ogpmjb32.exe
PID 4876 wrote to memory of 548	4876	Ogpmjb32.exe	Olmeci32.exe
PID 4876 wrote to memory of 548	4876	Ogpmjb32.exe	Olmeci32.exe
PID 4876 wrote to memory of 548	4876	Ogpmjb32.exe	Olmeci32.exe
PID 548 wrote to memory of 1004	548	Olmeci32.exe	Ocgmpccl.exe
PID 548 wrote to memory of 1004	548	Olmeci32.exe	Ocgmpccl.exe
PID 548 wrote to memory of 1004	548	Olmeci32.exe	Ocgmpccl.exe
PID 1004 wrote to memory of 1092	1004	Ocgmpccl.exe	Ojaelm32.exe
PID 1004 wrote to memory of 1092	1004	Ocgmpccl.exe	Ojaelm32.exe
PID 1004 wrote to memory of 1092	1004	Ocgmpccl.exe	Ojaelm32.exe
PID 1092 wrote to memory of 3016	1092	Ojaelm32.exe	Pqknig32.exe
PID 1092 wrote to memory of 3016	1092	Ojaelm32.exe	Pqknig32.exe
PID 1092 wrote to memory of 3016	1092	Ojaelm32.exe	Pqknig32.exe
PID 3016 wrote to memory of 3420	3016	Pqknig32.exe	Pgefeajb.exe
PID 3016 wrote to memory of 3420	3016	Pqknig32.exe	Pgefeajb.exe
PID 3016 wrote to memory of 3420	3016	Pqknig32.exe	Pgefeajb.exe
PID 3420 wrote to memory of 2684	3420	Pgefeajb.exe	Pmannhhj.exe
PID 3420 wrote to memory of 2684	3420	Pgefeajb.exe	Pmannhhj.exe
PID 3420 wrote to memory of 2684	3420	Pgefeajb.exe	Pmannhhj.exe
PID 2684 wrote to memory of 4268	2684	Pmannhhj.exe	Pclgkb32.exe
PID 2684 wrote to memory of 4268	2684	Pmannhhj.exe	Pclgkb32.exe
PID 2684 wrote to memory of 4268	2684	Pmannhhj.exe	Pclgkb32.exe
PID 4268 wrote to memory of 4668	4268	Pclgkb32.exe	Pjeoglgc.exe
PID 4268 wrote to memory of 4668	4268	Pclgkb32.exe	Pjeoglgc.exe
PID 4268 wrote to memory of 4668	4268	Pclgkb32.exe	Pjeoglgc.exe
PID 4668 wrote to memory of 3044	4668	Pjeoglgc.exe	Pdkcde32.exe
PID 4668 wrote to memory of 3044	4668	Pjeoglgc.exe	Pdkcde32.exe
PID 4668 wrote to memory of 3044	4668	Pjeoglgc.exe	Pdkcde32.exe
PID 3044 wrote to memory of 4896	3044	Pdkcde32.exe	Pjhlml32.exe
PID 3044 wrote to memory of 4896	3044	Pdkcde32.exe	Pjhlml32.exe
PID 3044 wrote to memory of 4896	3044	Pdkcde32.exe	Pjhlml32.exe
PID 4896 wrote to memory of 2512	4896	Pjhlml32.exe	Pcppfaka.exe
PID 4896 wrote to memory of 2512	4896	Pjhlml32.exe	Pcppfaka.exe
PID 4896 wrote to memory of 2512	4896	Pjhlml32.exe	Pcppfaka.exe
PID 2512 wrote to memory of 4396	2512	Pcppfaka.exe	Pqdqof32.exe
PID 2512 wrote to memory of 4396	2512	Pcppfaka.exe	Pqdqof32.exe
PID 2512 wrote to memory of 4396	2512	Pcppfaka.exe	Pqdqof32.exe
PID 4396 wrote to memory of 2628	4396	Pqdqof32.exe	Pgnilpah.exe
PID 4396 wrote to memory of 2628	4396	Pqdqof32.exe	Pgnilpah.exe
PID 4396 wrote to memory of 2628	4396	Pqdqof32.exe	Pgnilpah.exe
PID 2628 wrote to memory of 4516	2628	Pgnilpah.exe	Qmkadgpo.exe
PID 2628 wrote to memory of 4516	2628	Pgnilpah.exe	Qmkadgpo.exe
PID 2628 wrote to memory of 4516	2628	Pgnilpah.exe	Qmkadgpo.exe
PID 4516 wrote to memory of 4776	4516	Qmkadgpo.exe	Qceiaa32.exe
PID 4516 wrote to memory of 4776	4516	Qmkadgpo.exe	Qceiaa32.exe
PID 4516 wrote to memory of 4776	4516	Qmkadgpo.exe	Qceiaa32.exe
PID 4776 wrote to memory of 1352	4776	Qceiaa32.exe	Qjoankoi.exe
PID 4776 wrote to memory of 1352	4776	Qceiaa32.exe	Qjoankoi.exe
PID 4776 wrote to memory of 1352	4776	Qceiaa32.exe	Qjoankoi.exe
PID 1352 wrote to memory of 4752	1352	Qjoankoi.exe	Qqijje32.exe
PID 1352 wrote to memory of 4752	1352	Qjoankoi.exe	Qqijje32.exe
PID 1352 wrote to memory of 4752	1352	Qjoankoi.exe	Qqijje32.exe
PID 4752 wrote to memory of 1028	4752	Qqijje32.exe	Qffbbldm.exe
PID 4752 wrote to memory of 1028	4752	Qqijje32.exe	Qffbbldm.exe
PID 4752 wrote to memory of 1028	4752	Qqijje32.exe	Qffbbldm.exe
PID 1028 wrote to memory of 732	1028	Qffbbldm.exe	Ampkof32.exe
PID 1028 wrote to memory of 732	1028	Qffbbldm.exe	Ampkof32.exe
PID 1028 wrote to memory of 732	1028	Qffbbldm.exe	Ampkof32.exe
PID 732 wrote to memory of 376	732	Ampkof32.exe	Acjclpcf.exe

C:\Users\Admin\AppData\Local\Temp\533df45f81a942c8dc2c8fd11b0f8fc37eed0d476faf414e27132a1a0e019a27N.exe
"C:\Users\Admin\AppData\Local\Temp\533df45f81a942c8dc2c8fd11b0f8fc37eed0d476faf414e27132a1a0e019a27N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\SysWOW64\Olkhmi32.exe
  C:\Windows\system32\Olkhmi32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\Ogpmjb32.exe
    C:\Windows\system32\Ogpmjb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4876
  - - C:\Windows\SysWOW64\Olmeci32.exe
      C:\Windows\system32\Olmeci32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:548
    - - C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1004
      - C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:732
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        32⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3248
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:820
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2516
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1540
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3816
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:436
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1188
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:952
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        78⤵
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3448
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        83⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 228
        84⤵
        Program crash
        
        PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4004 -ip 4004
1⤵
PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
232KB

MD5
b804e1f8e71d9bc24ad864dcd8039cb6

SHA1
de40af2cd137f031a2a3c02b142d659d71669237

SHA256
49658adfbaf0940d209e98dd89fd86a54d79279fc0bf46b40074c517ebe70b08

SHA512
fa9547621dc5cba2369f27cc30774a4efd77a255330c2e40805ccc6b97237fd25ccddceadb6497f6cb405ab94f44e38003f9acaa0cef226399e9249d1ce9057d

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
232KB

MD5
a5aed81feb77cdf71b464a5ca0a25241

SHA1
bb3ef8e8808126dc6733b1c6fe1b1422bf9b9bcd

SHA256
c85e25673d063422d41952285ef15293bcbcdc18823e68ce715f42b7aaf88694

SHA512
b6e7ddde7845ba4b66667901408cd89f2dbd33d91f235161b62ce70a6fea016a0fefd177f713e83afd9911ea4d84900ac41967f40c0b6d2f9fa31ce6d61a1e03

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
232KB

MD5
0abbddc84eb3178403e755f50d4c2dde

SHA1
95b6edf21e2dba44b4a6c06d7d5fff863ad7c8d1

SHA256
33fcc7dbb6a4216cb6b548f6d38af283d1fa1ebacc01329f2df555be3028aa64

SHA512
d68dcabf41e60506bf956ea7b4c1dd8c4361328134d049b332a24676912e852f5ed36376bfb6477c463e88e4c60b32291a7e7b93602c8ed483b10629f6273c35

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
232KB

MD5
1a213881ced68e8b70b7cd85d84a4732

SHA1
a37778756c7595ce5c052ab271df784b5ee26e36

SHA256
b0ab42a8e7a8674f595a1225e67f95c952a64839d6fb5d16c51a8c6966bac599

SHA512
0de8c3b8157421ddf7b9a699347d289e979922e175559a0878bc7d8808ccd7cfdd002153e3326b03909ecf4dcc74b9f83e8439c2c546bd9d7ef31763d293bd52

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
232KB

MD5
8a44cab647e52bf4414f021f693513a2

SHA1
727669bea00e9508f3377e0d1d7c038179447337

SHA256
cf7c8e08fd468e8bfadeb7d95d2d7bb7f82b4c5f248d64859f32b9aef1f9bbe2

SHA512
638f1e0b3179cd197b56a7a5a8575e71a49d1487e3a36bff4316d2bed5e8d66ae7e6d576d2405a04e2cd9ff1cb53ba89bb987f36b70254df40ada47b46c94b05

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
232KB

MD5
332b4ad0d61d997a22d0e920402394da

SHA1
abfc36fef03e8ebfd21b4386e7afc0d2b02f47e8

SHA256
7095bb4d3178f1cfe7d7d4c64e8695fa0b698b5eddf7aaf940f639ae5517d778

SHA512
41eb691a36cc884705e16e34e76ce4f875100aef27ac65a6033b420262d10e0ae73d6ef9283bcce81223e858bab08cc3fb8c05c114b39aec8dd160e44109359f

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
232KB

MD5
e0b49ec5a6fa6c9eeea3e94749730860

SHA1
4b0c9c3f6c742df8f2951a59d22ca2b77c12c730

SHA256
9d25c12b1d39a774e58c9832b9b81deb3298e70d48c25a5f294b2c4eabfbb575

SHA512
ed855bf7ee0c0025e800cff923e4139c175eeada7ee762beacf87341b92d614b851ba860bad4503b2716f6dd22da3c49a2931cb2035d821c059a9b06d713518b

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
232KB

MD5
5c12d06cb786a3be966060f8d01b1796

SHA1
b4f005185cd7a1cd5c14278d5fe1f3518bf31db8

SHA256
01d2c77e0ac092145a14804f8de81c7642bd0b8cb3c0628d386e6cadaba39bdb

SHA512
d4d6015adecada994e3bc482ae8f1bd059d318ce338e86acede739a8284a7dde417cff294ff044bda5e925868f798bb00ff5f2d5cf8837be3357efa0982792fd

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
232KB

MD5
42456cd337456c400a0ef9ce69492af2

SHA1
525803bfc24d454932cb4b684e5cf5494b685d73

SHA256
466f62da6b4c2701a9a27b8047e3e911ff627105967bd8d85d830426d46aaada

SHA512
84cc9e813af5bfae15e81e168accca3f42e9b07431a96a5814551867bb36b3b5f88c84f1c2ea5538081538e9e7f3068c487b516628931202b43de3e879ad8afc

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
232KB

MD5
567e5996bf5f79b051df78780b9b9ddc

SHA1
181c7ea8cd381cfef8f74da345b89068238ab0c7

SHA256
22238b2b6f68812c113852a3cc3955cad817595213ac6969b99c0bbe85fdd23e

SHA512
4668733dac6bb75ac4144d0044d9b81a9e9832f8f96ce6dddcab2b2eb266396c7e6b449583d87884dbfdf701ca7b13855a085b5e9c78c27c6a2a0ae2e87a9568

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
232KB

MD5
af04c60f01d9c018429ffd1f18868607

SHA1
bdfed850b5d7f82f8728713a205a45fbb395e8fb

SHA256
7a34a9bdebd3d7e14b9adbb1728a32f5b7b6ef8c9a90e3a4fe5f0e34990d0d6b

SHA512
1ace08977d1d2743b55f665280618e19fdc46c441035b864b5682441735f621fae511fa00b4853b3f341dd449e2c73bda3480e475976b1d8e97d5eb04eadc6f6

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
232KB

MD5
adf705f8f159fd3218ef415855b90451

SHA1
91d8a1b7006b3df1dbbff4c6759ed1a44e357ec1

SHA256
68039e461dae4be2931549eecf3e15b8d180309c7ee6b8e79cbc3478b8e47897

SHA512
b2ad1b119696f785e5e4af7645ba94e22244acce551f58813bddf8531e47b0aba4e0227ed563247dee9091afbcf412af144831dcc3e9840014ae0b2b12df0987

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
128KB

MD5
f8fe88508631acc3ea8dbe2eafa2bfb9

SHA1
0c12edf8ce8b47f10d8808ba15736386fa805a0e

SHA256
c9955d06899da3e4ac3e157cac69e677386959bf3d5f7c80d5193dc5bbade4ff

SHA512
2c52712daa7420905b25754373057bafe90609b245601abb17fabc1403aaa7d1ce4c3f81b25e408750eb2f58da0b3834db5e45e09c5c75f33be4978f28cc9523

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
232KB

MD5
3b0eb10d76a39a9ac3db7ccc8f159691

SHA1
fb21cab57f38ce00eae5dc7d157cb1912e43e31f

SHA256
ae04b1aff2a12e312eb260252397afb726154118bb172451cf4444b86a6cc64e

SHA512
00b20473bd7b432f952b6b4d287469cde3c27bbf5c670922dc4ca3cfae781b023dbc54414a742c3f3661a143f38aa0c700226b6e8880c23bd3a468b52c05a602

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
232KB

MD5
d294c2b99ba17b3775a4d273a3ff849c

SHA1
65ced8e44b1d0120ae07a76fbf5d11156bed6c58

SHA256
c1dec63b1210045c3aa0cfa95107cbe6ec3b827e353bd090ed22a0a813199939

SHA512
1e9e23f2b0c26f9c417b3b21080bbb6fa5a597039bf042d0a8ed5dc1421bf6b157cc49c2227f211d3675ef8634fdcad93939f6917ea7d4ef5c523ca9ff6699a2

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
232KB

MD5
e1cd1845610bc2c216a990704f741527

SHA1
a443bc46dda5acb8117e41e9ad7cef78a98a3cb7

SHA256
0da49f3640877ae78ce67503db83300b8d8c47b04b71ae54b373edd88a4b7062

SHA512
4a965cbb1117a74dc009404d8c1ef495745eff53d7aed21ec6aa3ea8cdfcd67e66394e8481c832be80e9703199a62f059ba8bdf530d1dcfed5bcb013d5d51dbc

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
232KB

MD5
230755af892ad91b424004dc1dd59ec0

SHA1
9961556f4699ab216ca301dd0e671579981696cc

SHA256
bbd7b0ceff7d5a72c2e10ff40a47b610569d834c03dd3078a2aee46ba2d51500

SHA512
0dbcf7b63388cc4c7b1ab8445a374094cc342c964be81105bfeb756af8f416b3b12834d8f02d9b09ef781fd650403880a11f30464dc541f8521dabe91c93e2b7

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
232KB

MD5
b44a9c778fc00fb1c8c25af458eaacb7

SHA1
718204be286afe1451c5f4e39ecc1efe03140af7

SHA256
194cda7fb2791c903ecc091bffae716a6cc19050a4751518ff26a12ad974fa21

SHA512
30fa304ca80e30e3664bf36797ca5553c9cdd878850dbf75ba33e20c15214e2c34c454cd0711fb04075af3a8e23b90c8ddf1421d3106ee6f4197a37d18ebb9ac

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
232KB

MD5
b1d5456d468833452a232a1d64b9f727

SHA1
5aef3142c3b18e68cb1483af321834c26b97688b

SHA256
c61a3ec4aea5f0c0a4a07479c5bd03478dbb9d9e0bbed6ab6a1ad32045734bac

SHA512
d2d7926c475eee0b4fd4eb57e3c46a1a7d50fe58cd85fdc4f581867d5d4d88579e2c5c947f76e855ee926914b1e7ebe4795a07f5dfc8620f7e8564869c478ebc

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
232KB

MD5
d8372f73bec16b534829b243d4d2c281

SHA1
439e412563bc90a397251a9b88dd9713c10397ec

SHA256
41d700adc2113f82eecf4e1708543f5b2be2eb9f3f7c8b3e095cee6fb4fdf1a1

SHA512
1ddd29830c571ee6f88b17a57d5645d6a4ae4bc6e90b58a357c65afd98e2b54896056438af45b80ae5d4d245ba680a183c6a3454b2996a65ec22994b0714ee60

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
232KB

MD5
89116a77d4e671d2d3c72ced02e4e819

SHA1
913d469b61a411810394b1c2033d5b2db77b4453

SHA256
c098b2ed51559384ba5176832e04c9aa1d4c344eefdfcef5f212f9b8e63da145

SHA512
05f307ed6354899743c331a94fea73c97098ede62e5e4bdbca5ebea41b77105f12710b1d8ea7addb3d3675b842e4091d4f80f73b8cd6fd187e27fa07034aff32

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
232KB

MD5
ecf4f724539483cf0d60676728f45567

SHA1
447e951e66b9195a2f429f0522b1981749fc5ebc

SHA256
731f86b6ef920a8ac655ff2a192daaf6b512700d169550a12583b140e77dd0ca

SHA512
15ca63de37e548b9c9697599c7b097a16be9eb67fe8ea544b015b003d9ed0702a6e12e80dc070ce51a7d43468d263fef4ab41cbb6699c9af4781a4f1c55e2577

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
232KB

MD5
da658bfaa78d0d6f43d3ff93c465570f

SHA1
b393490a769ab0d6bce805bc1e984b2e7ee3b21a

SHA256
c7d65442c8959d531d02ddb6176330d1ff1d49b4e74d995dc07f083a01227eb2

SHA512
1c65d6106b26bffa3b43e4d4dcc9323ea5356c4726f4c10e137132a3f8b2d5b08cc8b91f1fdf8456c8b2b2906ec6102efbe786cca20d8cc218537dcab83d0b0d

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
232KB

MD5
b124de59bccdac0d95257e9a8e52ace9

SHA1
2300bf3c78687c2ae96e699f42894c7bcd774c05

SHA256
64daa81627d2ed4de78abc18abf4378410f23b30da0859b1225907b28c5f5907

SHA512
9c6c2cc88d5c4afd4b93598e7ab656a8ae17518faebb693bb79a78eeff30040d652d7470c540655d203d351638762c921814f16ea8f924f40245169d5a6d5906

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
232KB

MD5
d97960359aa75f8afa8816896f8f656c

SHA1
5bff097dd2960794f8526a84ece343708e85be78

SHA256
05509d370216aa22a99b58766ce16dc0c7ead3efd5161fc1dc4e9fd3fb07fc40

SHA512
3dc5b2105e37faf6e43c323390c74fc4f501b86186a5d377e265d3407e4658bc1ceb0a34872c8660269fd2bac50e53012533484b6190e1dccafd7821153f5224

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
232KB

MD5
8ac49c526be9fc20ac7c3ab3479ad05a

SHA1
f27f3818eeb7f21b74922f2fcd88ad277bdbd0d0

SHA256
9e0a20d8f8af132234e90aeaab3a79984e6cda56929cd4acc4ef72ed2d2783dd

SHA512
3c9ec06eab7677c2a8b30fa585a6120fd171d1f55db4a5f75ee2f652cf380375ce44f47306dbfb734cda174c5b1cf022c07ecb923d5b228a1ada6f2da4590fea

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
232KB

MD5
9ffa1237cd08e5a4e4fd71bc24d55523

SHA1
b8765cc6bbeac91749abcc51d7087a52a3d52384

SHA256
3e6eb8bf748edf0d86b7c0ede4e21ac4d6e32de7b885b80878fecaf4b9664e8b

SHA512
482bbd20d18b23863bba1298d3fb540323d605f9cba24300982188d55bd7250dff73809f520753e624fca84d9e89e2788f93737c41292d703bacf327f20f806f

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
232KB

MD5
670bc731e87dcf72f6c3034d4fb7d139

SHA1
0b11c030cfde9c2fca8c92f03ded357896d95361

SHA256
51777d8d6af46d3f98e80f4ab9c890b6d4fc7b13681c82a769d8d855d9b97ee9

SHA512
80e30c022f97467c19439531a0f0af510095418a9314800b43ffb131245670c0ec62bb63f5b7212025609ea6187eaf847458ec85b242deed7d2e437054e008a1

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
232KB

MD5
9111b9558773fc7b0040e4020aebba85

SHA1
38462485d76b337d72211b90e583db6a8074f3f5

SHA256
0f0bb46f73ca5398107b4b4961c780a298baea405830027fa7290d725704a7d4

SHA512
6a125a5ee5aa7ccd1590bde955da3c0868df516e3b0bdd37880820672cd6d4b2ecd818a90fbab05899dd62fd42230cbb17317d8894d3b98d29f247d922f5c0c3

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
232KB

MD5
373b7865de39c2c2f9ea289c8ef75cd4

SHA1
7c3f06c3d00b482efd47f729405a3e903ac46cfe

SHA256
2417d733362ccaaa5158d74abaffeb3200d199582bb1c861ac5a8b521b19902e

SHA512
721fa5751224c7cd76eff27e0ec87dc8a32cd2fb1afe70331a3f54beb551ea49a88a15e23eebb892d05d83bf0a6f9306987cb2561eceb5c3d03f517c83ed5fdd

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
232KB

MD5
b525c82edacb59644331dd4a820641a8

SHA1
4244dd87848f6d77bba9b292abc466cb5205c923

SHA256
e231fd16a50489b74e6010fbb0580b3b27095393f2e8fa4311abc7fb4f79d91c

SHA512
21a8e31d0cd5e4e37c02d2dc2a1dd6f0780be1b69c22c1d1df793be569dcad35dee31340d0c1c5441e5693ead25fd189103d4a291a49bc48714e75d3bf3d545a

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
232KB

MD5
8faf9798bf45819f9154750764ff2156

SHA1
9857eb298fa640e114baba141ba58e9e21d03044

SHA256
b90e393a34e49b39d245ab30174b9525785e9cbd05133c525b3abc5bde06c19a

SHA512
79c0d7d29d869a7f335f13719a328c6da850cb4b89609cff5204abf505bf5fa43a72b4f0b87a6d545b50c3626f72ba25c5742d59a7d46c64d676c45b742df764

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
232KB

MD5
9c8ed79c2a917ef5e10c82e80bf8f528

SHA1
69eec3c8a8ca38da8be141f6f506007231ed3040

SHA256
2127b485a25303c995c9ec78df769a9ac8fbbf46df586fe8a2f57739114a45e5

SHA512
e70f9fe71add01856818d463d5689ec11433d90605153ddfc28468838ca4184fbe0a55ce2a9b1c142e9469cb4e85c370edc0a63a0b79051230a5d7515edcb236

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
232KB

MD5
d29ce9175ec895b925adbff8d490cab1

SHA1
6d7822033fb8a2b7d07c989262640ea4d339777d

SHA256
1ce08f46916cb79b786a3964d30af3e0493864c0dfaef86fae62fa35c1f716b1

SHA512
b3f09e5f9126dd825db381f2596aeaeaca954d997b60557858eec8891691a357b3dd35244c611a02e65b2bb5e6de98f9ead318a84c0ceb37438b72e94f897681

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
232KB

MD5
9e429ad01e0024134008d3193fc21230

SHA1
de4c8a7e3ee7752934dd63f7581606e77c7ff045

SHA256
600075fdabfecdcff9e7d86aafde36e98709bd0ccdbcb37eb46e928f4dd0c7b3

SHA512
e9cfa640667a8bc16040f5c4e514bb0219a151794f9550cc13db7f85e5cb585941e2f24e1ef201fd729c1e89f3864a6ed6bb30e6cde8f35d1aa643f777478021

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
232KB

MD5
7158f182efd0393bd6063bd8c43c1075

SHA1
f909eedd4baec7dd1f5f13cd18bd5b9bd1fb142a

SHA256
78af8a932fef0385b2fd20acf8f3a2834e022a87c2bfb69f5994059ea9a5b2f8

SHA512
d95fa5beea5089805a3b9188ffabaf239d94b5ed3cf6f457cfba6718f5ab5125c93a9a31ec6b7445db8666a2a9897c6a06ef0807dc3afa5ca26832cc42c2d1bc

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
232KB

MD5
91e6036c990e86ead1315da11134c9ef

SHA1
39e29cbef148cbeef87c9f6f5ce4292e9da7cdd0

SHA256
79df5ec2922e66b4004ccc63b7317939e560df34e259047983048d5ee64e040b

SHA512
6caf42e68e671ed828032637f0c95226d29eff8a515842661740723dd7998a81de5de8621cef9ce780c5b5b5711498cbed39e12c2dbcf3a6031c030cb00c62ec

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
232KB

MD5
64862e527d3ee7befa515cf3d35402d7

SHA1
d920776b03d95072158de6e8c89df8f8d294187a

SHA256
0136771accd746723b63420f3d0db3b4dc1d154a054726b1c62bea0ad0236dfc

SHA512
183e2c98bd0755deddbd4ba83edf4de8a1833f2e3fe43a47935227322764566d386dafe50f1b3a6aa74299ecd224eb43a9b15c5b492f5517c230e805a9c3d5d3

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
232KB

MD5
5628890d844df09f15159e0526559b0d

SHA1
414073d6b911fe2b4a09aae88f807211b167d9fd

SHA256
57bda274fa82f9b9068f4cf5922a60e0d2bb4db66ff3fc0608b4fcaf53bc3043

SHA512
2124049c2d6189ec19ad5ad3b0dab5df9d7aba5e6c0e929a7bbc7dceab684d1f5d91a57d4a0a6038ee8234d9ea45a7f0a062a3eb8f69e53148177830c96afc15

Download Submit
memory/376-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/428-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/436-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/548-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/732-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/820-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/888-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/952-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/952-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/992-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/996-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1004-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1028-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1092-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1188-576-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1188-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1200-574-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1200-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1240-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1240-568-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1288-368-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1336-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1352-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1376-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1420-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1428-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1540-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1588-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1588-570-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1628-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2044-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2108-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2140-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2140-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2492-563-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2492-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2512-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2516-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2560-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2628-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2684-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2704-620-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2704-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-613-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2740-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2740-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2920-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2972-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3016-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3044-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3052-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3056-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3248-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3420-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3448-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3448-564-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3480-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3484-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3608-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3612-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3616-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3636-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3656-578-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3656-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3816-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3880-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3980-356-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4000-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4004-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4004-562-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4100-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4200-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4212-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4264-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4268-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4376-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4396-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4420-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4516-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4540-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4572-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4668-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4696-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4752-683-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4752-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4776-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4812-567-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4812-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4872-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4876-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4876-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4896-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4940-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4964-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5008-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5064-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5112-440-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download