berbew | fdebed4a4f8df3f7f97c9c32df50192504a41e004eff512784cd9bf4d4f1b764

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdebed4a4f8df3f7f97c9c32df50192504a41e004eff512784cd9bf4d4f1b764.exe
Size

96KB
MD5

e6c7e893f0c6a6c1db90b30cb536a44f
SHA1

543565b4b2ce6be41624d464bb82532312f5d5d7
SHA256

fdebed4a4f8df3f7f97c9c32df50192504a41e004eff512784cd9bf4d4f1b764
SHA512

cce7eb63b3050393175efd5d0d3ed4af09d172b97791018624117304a0ab916ccf7665d2fc5132786b52ebf5131ccd53c5a2fed6f2e02999657d581629b830c4
SSDEEP

3072:ATGCOLiZ2e/PsVCX0wQHsy6dsfanClUUWaef:Tf6GynCWUc

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Dfiafg32.exefdebed4a4f8df3f7f97c9c32df50192504a41e004eff512784cd9bf4d4f1b764.exeAqppkd32.exeBcebhoii.exeBffkij32.exeChagok32.exeDdjejl32.exeDddhpjof.exeBmemac32.exeCeqnmpfo.exeCjpckf32.exeCndikf32.exePqbdjfln.exeBnmcjg32.exeDhhnpjmh.exeDhmgki32.exeDogogcpo.exeCnicfe32.exeDopigd32.exeDknpmdfc.exeQnhahj32.exeQqfmde32.exeDhkjej32.exeQgcbgo32.exeAjhddjfn.exeAdgbpc32.exeBnpppgdj.exePmdkch32.exePjjhbl32.exeCmnpgb32.exeCmqmma32.exeAeiofcji.exeBanllbdn.exeDhocqigp.exePdkcde32.exePgioqq32.exeBagflcje.exeBjokdipf.exeChmndlge.exeQddfkd32.exeBnhjohkb.exeBeglgani.exeCnnlaehj.exeDejacond.exeAcjclpcf.exeAglemn32.exeAgoabn32.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	fdebed4a4f8df3f7f97c9c32df50192504a41e004eff512784cd9bf4d4f1b764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

Processes:

Pjeoglgc.exePmdkch32.exePdkcde32.exePgioqq32.exePncgmkmj.exePqbdjfln.exePgllfp32.exePjjhbl32.exePqdqof32.exePgnilpah.exeQnhahj32.exeQqfmde32.exeQgqeappe.exeQjoankoi.exeQddfkd32.exeQgcbgo32.exeAnmjcieo.exeAdgbpc32.exeAcjclpcf.exeAfhohlbj.exeAmbgef32.exeAeiofcji.exeAfjlnk32.exeAqppkd32.exeAgjhgngj.exeAjhddjfn.exeAabmqd32.exeAglemn32.exeAjkaii32.exeAminee32.exeAepefb32.exeAgoabn32.exeBfabnjjp.exeBnhjohkb.exeBagflcje.exeBcebhoii.exeBganhm32.exeBjokdipf.exeBaicac32.exeBffkij32.exeBnmcjg32.exeBeglgani.exeBgehcmmm.exeBnpppgdj.exeBanllbdn.exeBhhdil32.exeBmemac32.exeBcoenmao.exeCndikf32.exeChmndlge.exeCmiflbel.exeCeqnmpfo.exeCfbkeh32.exeCnicfe32.exeCagobalc.exeChagok32.exeCjpckf32.exeCmnpgb32.exeCnnlaehj.exeCmqmma32.exeDdjejl32.exeDfiafg32.exeDopigd32.exeDejacond.exe

pid	Process
3196	Pjeoglgc.exe
960	Pmdkch32.exe
4536	Pdkcde32.exe
1660	Pgioqq32.exe
1000	Pncgmkmj.exe
4236	Pqbdjfln.exe
912	Pgllfp32.exe
4872	Pjjhbl32.exe
4964	Pqdqof32.exe
1440	Pgnilpah.exe
3056	Qnhahj32.exe
2268	Qqfmde32.exe
2828	Qgqeappe.exe
3248	Qjoankoi.exe
216	Qddfkd32.exe
3272	Qgcbgo32.exe
4604	Anmjcieo.exe
2884	Adgbpc32.exe
3852	Acjclpcf.exe
760	Afhohlbj.exe
2652	Ambgef32.exe
436	Aeiofcji.exe
1372	Afjlnk32.exe
3408	Aqppkd32.exe
4512	Agjhgngj.exe
4620	Ajhddjfn.exe
1752	Aabmqd32.exe
1388	Aglemn32.exe
3208	Ajkaii32.exe
3796	Aminee32.exe
4216	Aepefb32.exe
1728	Agoabn32.exe
4288	Bfabnjjp.exe
3468	Bnhjohkb.exe
3932	Bagflcje.exe
3296	Bcebhoii.exe
1424	Bganhm32.exe
2524	Bjokdipf.exe
4012	Baicac32.exe
1552	Bffkij32.exe
4360	Bnmcjg32.exe
2328	Beglgani.exe
1904	Bgehcmmm.exe
4144	Bnpppgdj.exe
4540	Banllbdn.exe
1936	Bhhdil32.exe
1148	Bmemac32.exe
2000	Bcoenmao.exe
2500	Cndikf32.exe
1412	Chmndlge.exe
4912	Cmiflbel.exe
4068	Ceqnmpfo.exe
4008	Cfbkeh32.exe
3832	Cnicfe32.exe
3888	Cagobalc.exe
1420	Chagok32.exe
3936	Cjpckf32.exe
1348	Cmnpgb32.exe
4452	Cnnlaehj.exe
4296	Cmqmma32.exe
2464	Ddjejl32.exe
1284	Dfiafg32.exe
2928	Dopigd32.exe
2608	Dejacond.exe

Drops file in System32 directory 64 IoCs

Processes:

Cjpckf32.exeCeqnmpfo.exeQddfkd32.exeAminee32.exeDddhpjof.exePjeoglgc.exeAgjhgngj.exeBgehcmmm.exeCnicfe32.exeDfiafg32.exeDobfld32.exeQqfmde32.exeCagobalc.exeAepefb32.exeBeglgani.exeDhhnpjmh.exeDhocqigp.exeDknpmdfc.exePjjhbl32.exeAfhohlbj.exeBagflcje.exeBcebhoii.exeBnpppgdj.exeCndikf32.exePgnilpah.exeAabmqd32.exeBfabnjjp.exeBmemac32.exeAnmjcieo.exeAjhddjfn.exeBnmcjg32.exefdebed4a4f8df3f7f97c9c32df50192504a41e004eff512784cd9bf4d4f1b764.exeAfjlnk32.exeChmndlge.exePdkcde32.exeCmnpgb32.exeDogogcpo.exeDmgbnq32.exeAgoabn32.exePgllfp32.exeAglemn32.exeBffkij32.exeDhkjej32.exeChagok32.exeDaqbip32.exePgioqq32.exeAqppkd32.exeBnhjohkb.exePmdkch32.exeQgqeappe.exeDdjejl32.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	fdebed4a4f8df3f7f97c9c32df50192504a41e004eff512784cd9bf4d4f1b764.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Ehaaclak.dll	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pjeoglgc.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
4956	4160	WerFault.exe	162

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Qgcbgo32.exeAcjclpcf.exeAjhddjfn.exeCmqmma32.exefdebed4a4f8df3f7f97c9c32df50192504a41e004eff512784cd9bf4d4f1b764.exePgllfp32.exePqdqof32.exeAnmjcieo.exeAfhohlbj.exeBnhjohkb.exeChmndlge.exeCnicfe32.exePgioqq32.exeDddhpjof.exeBgehcmmm.exeBmemac32.exeDkifae32.exeAminee32.exeQjoankoi.exeAqppkd32.exeBffkij32.exeCjpckf32.exeQnhahj32.exeBnpppgdj.exeAgjhgngj.exeAgoabn32.exeBcebhoii.exeBhhdil32.exeCagobalc.exeDhkjej32.exeDmgbnq32.exeAeiofcji.exeDmllipeg.exeDhocqigp.exeBaicac32.exeBnmcjg32.exeCnnlaehj.exeDdakjkqi.exeQddfkd32.exeAglemn32.exeBfabnjjp.exeDhhnpjmh.exeDaekdooc.exePjeoglgc.exePqbdjfln.exeAmbgef32.exeDobfld32.exeDhmgki32.exePdkcde32.exeQgqeappe.exeAabmqd32.exeBagflcje.exeDogogcpo.exePgnilpah.exeAepefb32.exeBjokdipf.exeChagok32.exeDejacond.exeAfjlnk32.exeBanllbdn.exeBcoenmao.exeDknpmdfc.exePjjhbl32.exeCfbkeh32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdebed4a4f8df3f7f97c9c32df50192504a41e004eff512784cd9bf4d4f1b764.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe

Modifies registry class 64 IoCs

Processes:

Ambgef32.exeDopigd32.exeDobfld32.exeDmgbnq32.exeBganhm32.exeDhocqigp.exeAfjlnk32.exeAgoabn32.exeChmndlge.exeCfbkeh32.exeAabmqd32.exeBjokdipf.exeBcoenmao.exeDdjejl32.exeAepefb32.exeBagflcje.exeCnicfe32.exeCjpckf32.exeBaicac32.exeCndikf32.exeCmqmma32.exeQjoankoi.exeDddhpjof.exeQqfmde32.exeBgehcmmm.exeDaekdooc.exePqdqof32.exeAfhohlbj.exeDaqbip32.exeDhmgki32.exePjjhbl32.exeAcjclpcf.exeAqppkd32.exeBeglgani.exeBhhdil32.exeCmiflbel.exeDejacond.exePjeoglgc.exeCnnlaehj.exeQgcbgo32.exeDkifae32.exeAeiofcji.exeBnpppgdj.exeDhhnpjmh.exeBnhjohkb.exeDhkjej32.exePgllfp32.exeDknpmdfc.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fdebed4a4f8df3f7f97c9c32df50192504a41e004eff512784cd9bf4d4f1b764.exePjeoglgc.exePmdkch32.exePdkcde32.exePgioqq32.exePncgmkmj.exePqbdjfln.exePgllfp32.exePjjhbl32.exePqdqof32.exePgnilpah.exeQnhahj32.exeQqfmde32.exeQgqeappe.exeQjoankoi.exeQddfkd32.exeQgcbgo32.exeAnmjcieo.exeAdgbpc32.exeAcjclpcf.exeAfhohlbj.exeAmbgef32.exe

description	pid	Process	procid_target
PID 3168 wrote to memory of 3196	3168	fdebed4a4f8df3f7f97c9c32df50192504a41e004eff512784cd9bf4d4f1b764.exe	83
PID 3168 wrote to memory of 3196	3168	fdebed4a4f8df3f7f97c9c32df50192504a41e004eff512784cd9bf4d4f1b764.exe	83
PID 3168 wrote to memory of 3196	3168	fdebed4a4f8df3f7f97c9c32df50192504a41e004eff512784cd9bf4d4f1b764.exe	83
PID 3196 wrote to memory of 960	3196	Pjeoglgc.exe	84
PID 3196 wrote to memory of 960	3196	Pjeoglgc.exe	84
PID 3196 wrote to memory of 960	3196	Pjeoglgc.exe	84
PID 960 wrote to memory of 4536	960	Pmdkch32.exe	85
PID 960 wrote to memory of 4536	960	Pmdkch32.exe	85
PID 960 wrote to memory of 4536	960	Pmdkch32.exe	85
PID 4536 wrote to memory of 1660	4536	Pdkcde32.exe	86
PID 4536 wrote to memory of 1660	4536	Pdkcde32.exe	86
PID 4536 wrote to memory of 1660	4536	Pdkcde32.exe	86
PID 1660 wrote to memory of 1000	1660	Pgioqq32.exe	87
PID 1660 wrote to memory of 1000	1660	Pgioqq32.exe	87
PID 1660 wrote to memory of 1000	1660	Pgioqq32.exe	87
PID 1000 wrote to memory of 4236	1000	Pncgmkmj.exe	88
PID 1000 wrote to memory of 4236	1000	Pncgmkmj.exe	88
PID 1000 wrote to memory of 4236	1000	Pncgmkmj.exe	88
PID 4236 wrote to memory of 912	4236	Pqbdjfln.exe	89
PID 4236 wrote to memory of 912	4236	Pqbdjfln.exe	89
PID 4236 wrote to memory of 912	4236	Pqbdjfln.exe	89
PID 912 wrote to memory of 4872	912	Pgllfp32.exe	90
PID 912 wrote to memory of 4872	912	Pgllfp32.exe	90
PID 912 wrote to memory of 4872	912	Pgllfp32.exe	90
PID 4872 wrote to memory of 4964	4872	Pjjhbl32.exe	91
PID 4872 wrote to memory of 4964	4872	Pjjhbl32.exe	91
PID 4872 wrote to memory of 4964	4872	Pjjhbl32.exe	91
PID 4964 wrote to memory of 1440	4964	Pqdqof32.exe	92
PID 4964 wrote to memory of 1440	4964	Pqdqof32.exe	92
PID 4964 wrote to memory of 1440	4964	Pqdqof32.exe	92
PID 1440 wrote to memory of 3056	1440	Pgnilpah.exe	93
PID 1440 wrote to memory of 3056	1440	Pgnilpah.exe	93
PID 1440 wrote to memory of 3056	1440	Pgnilpah.exe	93
PID 3056 wrote to memory of 2268	3056	Qnhahj32.exe	94
PID 3056 wrote to memory of 2268	3056	Qnhahj32.exe	94
PID 3056 wrote to memory of 2268	3056	Qnhahj32.exe	94
PID 2268 wrote to memory of 2828	2268	Qqfmde32.exe	95
PID 2268 wrote to memory of 2828	2268	Qqfmde32.exe	95
PID 2268 wrote to memory of 2828	2268	Qqfmde32.exe	95
PID 2828 wrote to memory of 3248	2828	Qgqeappe.exe	96
PID 2828 wrote to memory of 3248	2828	Qgqeappe.exe	96
PID 2828 wrote to memory of 3248	2828	Qgqeappe.exe	96
PID 3248 wrote to memory of 216	3248	Qjoankoi.exe	97
PID 3248 wrote to memory of 216	3248	Qjoankoi.exe	97
PID 3248 wrote to memory of 216	3248	Qjoankoi.exe	97
PID 216 wrote to memory of 3272	216	Qddfkd32.exe	98
PID 216 wrote to memory of 3272	216	Qddfkd32.exe	98
PID 216 wrote to memory of 3272	216	Qddfkd32.exe	98
PID 3272 wrote to memory of 4604	3272	Qgcbgo32.exe	99
PID 3272 wrote to memory of 4604	3272	Qgcbgo32.exe	99
PID 3272 wrote to memory of 4604	3272	Qgcbgo32.exe	99
PID 4604 wrote to memory of 2884	4604	Anmjcieo.exe	100
PID 4604 wrote to memory of 2884	4604	Anmjcieo.exe	100
PID 4604 wrote to memory of 2884	4604	Anmjcieo.exe	100
PID 2884 wrote to memory of 3852	2884	Adgbpc32.exe	101
PID 2884 wrote to memory of 3852	2884	Adgbpc32.exe	101
PID 2884 wrote to memory of 3852	2884	Adgbpc32.exe	101
PID 3852 wrote to memory of 760	3852	Acjclpcf.exe	102
PID 3852 wrote to memory of 760	3852	Acjclpcf.exe	102
PID 3852 wrote to memory of 760	3852	Acjclpcf.exe	102
PID 760 wrote to memory of 2652	760	Afhohlbj.exe	103
PID 760 wrote to memory of 2652	760	Afhohlbj.exe	103
PID 760 wrote to memory of 2652	760	Afhohlbj.exe	103
PID 2652 wrote to memory of 436	2652	Ambgef32.exe	104

C:\Users\Admin\AppData\Local\Temp\fdebed4a4f8df3f7f97c9c32df50192504a41e004eff512784cd9bf4d4f1b764.exe
"C:\Users\Admin\AppData\Local\Temp\fdebed4a4f8df3f7f97c9c32df50192504a41e004eff512784cd9bf4d4f1b764.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Windows\SysWOW64\Pjeoglgc.exe
  C:\Windows\system32\Pjeoglgc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3196
- - C:\Windows\SysWOW64\Pmdkch32.exe
    C:\Windows\system32\Pmdkch32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:960
  - - C:\Windows\SysWOW64\Pdkcde32.exe
      C:\Windows\system32\Pdkcde32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4536
    - - C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1660
      - C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4620
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1388
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        30⤵
        Executes dropped EXE
        
        PID:3208
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3796
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3296
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4068
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1420
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1348
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1284
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:4160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 396
        80⤵
        Program crash
        
        PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4160 -ip 4160
1⤵
PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
96KB

MD5
43be8f9c8614c295d69631f6e486ca0c

SHA1
31fe2fd84f33c0f894c7771c418de92360462647

SHA256
a6f95293c26b91dbcd0105bcf284c1510382b1823bb1e8806b763ef2702eee64

SHA512
dfd4077172367481d3abd2d41dea815419fb0c896213fa7d4cf8d02be837d838371aa6f5f811246b651fa59acaa096fce8e0bafa42f6c6314faed24c2a651cd4

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
96KB

MD5
662ca1893c78926c07bfe4dfa1eb8020

SHA1
9d500b37d4b1ce1261a0db65d9afd24db2b549b1

SHA256
ce9bbbbb818836854172f7dd5068be7b59b900e7dc13f72fb326811440f3b71e

SHA512
498a59c812c952bfa74beeb7c77011439886b285d46a3340c5391328019c6350da097fd2d757bf8b352fe13edfe0dc3a18cd856121b6fa3d5bbefbe1a481ef4b

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
96KB

MD5
136ac84c6b201e54a8afacd95e0ac002

SHA1
4d729d64f8b7047ee19bd07fa8bcefc99c5f5410

SHA256
5c0ea6a2b3d4eca22bb6a8054801f06cfa6409a6b2fc274a17a8ee1954b16871

SHA512
8f118ec594b4e18ec2608180f33eea8e3958bc5a4ae3c62e3f613338a33e7115634a0c8b19b4cbefe05f8130959873c4f3f0f7f30c818663351a26b840eb7849

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
96KB

MD5
bdb9b0f799bad9356d09db4365ad2460

SHA1
aa3d204b8d143bfb5c20dc586ea65e2725a5da58

SHA256
efa58daa941b3e1a1e8fe76fdb010e07789ba6594e4fd036b98298bd16432a87

SHA512
139cd961cb86ac3e3b5a071b0506aba49c6e1e7d07fd5d829454ede89fea93b1d369baadd65477f6cb5afb8204073d064d59675b8e39721eb1c6482dfcf5b60c

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
96KB

MD5
7b2e5a5e8ea25a57e29de297fbae4f23

SHA1
61192d32dcc0fb3aef0dda1add17385107b11f3f

SHA256
8098fe173e20bbf82689c2055ced83663799224906f4482d3ec6ac84276f5824

SHA512
65983db1f512f9091f8da6f8834873413943c11a361ae77ade6f6e856adb2eb838aaca9066440f0b7e55acff988bf3e816a6bec054f66a622013417eb2bf85db

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
96KB

MD5
6188c565c8c9e1f05a73cb41b430b2f8

SHA1
4dc91e2c7cdaf5de1ed0768d0a794c278f25836a

SHA256
1ff543dc6bcf63b844b5c6b6c2ab5729bca48315db90986f1229bf48f23c1aa7

SHA512
674b1f01c5f13962039974d67539d2486e8cd56b988591de84857819a87cd7db9eeb6626b4fb6457b3406b32d37460bc828d63404a859911ad7d1ed27fc5b6a3

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
96KB

MD5
1ca9b4bb2e98ca392695f21ff6d7f345

SHA1
be254fc8d484072e77360e5969c26f383d08f9ff

SHA256
f65a63082fab339373d8695b6b2ccfba5b821e384f9de79ee749ebf1496a41a3

SHA512
73cc6870245b9d894f41a8a2ec2f271eb71f198780b17908a0c35f42e7cb38e2b7c709af300cfc3c6539ad8579be5576c122a49ee4775f22aa4c23ebb1540800

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
96KB

MD5
484781921dfdf9ce9520ddaad9aced45

SHA1
bb8fa603d83489b764074bf620a46fc154c2fd7f

SHA256
6ae203fb38abc4572019a8e4a581b3d339bcf13a5df390642140efad24026007

SHA512
a3cd3fbfaa06ec2f5cdcd972747d5146b1d820222fddf86c9e55072c40ec23c36f3fb09d06cd9c80e7662c01c2a3060d51b3f5049aee331f420f0caa5b9b59d5

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
96KB

MD5
b4997c1d1d086d091993fec83015b78a

SHA1
13d50e04e617d51bf313690e1ad5c831ded759ab

SHA256
2fc8e7dba72aefcecf462fab287f7f1c87f904cb44f9c5379d04a31f11a8d219

SHA512
421e27eb5ae07cfb1b8b39bee3d9dac51547aad71a709f6e5b3c017c74c973c42df4392072d4b8ee613b81889f081b1bc7cc4cdd0eb2ebeb4d8bb8bf93455f21

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
96KB

MD5
645b35528b0916100b1c6e5b8531b4d8

SHA1
28b6c55e5f6526250c5ebd515710735e3582c0ac

SHA256
9e3d83a136a516e5cad06a1ed57a52f1b64fb688fd84955e3d252a7afc4a2e8e

SHA512
d30ec0eda75ea5b9469b2612f80f9e44a3a703a95afd5479039859664fa456496bb30873fdc87680f34a26340d7f18c48118c1cb3b2069532eb39ca72a1a4f09

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
96KB

MD5
b299b061d920c90f2721c26fed5347e4

SHA1
8f5f8d7711faf123f2745d31871295663893eaa0

SHA256
1c0350200a3ea347fe9c2edbe823f18eca98ac76a22c30a8563c473ec0130f75

SHA512
f418c31a786937193e4324a99f8add7b68024aa07502383091f181c67e24213bbb37492e5e9c00de3805a55122f1def14cee315ae63269a2ca2564a0a9e3e04a

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
96KB

MD5
52ec80370458b5f3d29b642273caee15

SHA1
2953a4e4da369f6ea2df85eef538a28e35cca6b3

SHA256
98f79028f479f8eea9d5977059aee5757b8e98724179b3831bd9616f6ac17643

SHA512
cedbc6a944836d2e08ed172459e1139d481c76af518399b9c35c6ebb843de53f89c8c19717d0ffde81713945566398164504e5ef5770e0034fc8a0e9473e5c84

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
96KB

MD5
7e1fc943eedf1066dfc49b91518355bd

SHA1
afef28f59935f5263b535d7e89011c1a669d2f67

SHA256
1643a90f2aaec645cf59f299fde51da7049e490bc5f0f631f70985d4ce04f11b

SHA512
8da0464772170a2e62e987941f190c6fb45beb4dd1363ae1ed9cda703c2a48fabde7d29b87b3929285d66c39ddbee51601358971be4b20e28ba311d3b21f0983

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
96KB

MD5
beac5ff27fcb1ed030abbddf6f528304

SHA1
a43852ae934c4347a82be3a85f939980e2d2ff16

SHA256
8f350b666537622cc54c82672960768350749c1ef07fb64c10731b27114fad78

SHA512
7b6f8e601ff660a0d1c665751665174c2e0628ebacf7d6a34bc7eb9672e6c48271e3b2f68198229fd2c531e7a25ec08338d5fac4d0b7be4135217af47905e9dc

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
96KB

MD5
d5abf2abdfba9fde64577a45251947dd

SHA1
33c237899763bc9111eaa729686dda6da227da90

SHA256
3d3eae02cf80e4ae945f349be8efcb85620ddca456c03f16e8fafdde11f865f8

SHA512
9e7f6510bebf0afd597aa0392d92d150cbba1d23ccb7f8c6b62a3e3d441b55ab9f9485a480382b478deda300864badd401ee44685e61795f7285efe288c5708e

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
96KB

MD5
27345095e809b16d6888ad0bbf5246dc

SHA1
b311860e49c8382de5791d48724b64dd002a15f8

SHA256
e9666addbfb6c776283bc45097921f298c3336a1e387ff988cafb38ba0f42b1b

SHA512
daf959388cbc999c016318a5dbe4f8f6ad1d73df88bd7ab2b353da447a52177afcab1a88d96fb4ba473326616184fc6102f6728bb3f793c577e944464c489d02

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
96KB

MD5
dca66dae9b9ccbf835d92a6d8cd38264

SHA1
479c0deb83a9162cdfb8813a44fec69ccff86119

SHA256
02be4d0790ed6f2074cba221cc9aa52a2a94e6c598b6a507e6b23fd91edeae3a

SHA512
9ab6b1271e4c0b08d90184a29cc43855264df21fb38056404839b724210159e49b4757d0b8cc6bf140bf02b9e5f66895a07b626294ff5f607a626d99956a29b8

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
96KB

MD5
a129eab3f51563208445bf25d5528d88

SHA1
69b2ea919911d00caf6b57b9df487f2d435a3a55

SHA256
514cd42f9b985ebb41ccad0daa33f7b2e5026b8816fe2896b49316ea483f5c58

SHA512
063adeba117974a15896ee6579baa4de42490df648966de344d35355d9ce63f9e60b6d34916044793f09de8259108401acadac8e1613d110aa1d1f34f80c98b3

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
96KB

MD5
73f064dcdd220c63f172e05b25aa343c

SHA1
01b0af410f9685623dc2a4811d6c67bfaf9bf26b

SHA256
ae6c388b886a9cb41e6f60d03ea417fb2790a4cbc2d30004c9251c8ade9b809f

SHA512
7e10786885ce46ed8cc6bfa1cdedd74fa390ca36f5bf9a8bc129e682a9cdcc9086f7dafd18b692ed5b3e32b42a15a2a346bcc81c8daefd8a8afb801ce8d5c5e9

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
96KB

MD5
cd300cb7ba568c9d11362aaec7fa5cc3

SHA1
d94e104043bfc84a87dee87ed2d2793348a30796

SHA256
ce35f56a5dff5229a185d8d94fa2a9b6c68b3b884cc8f681292d2c94804baf77

SHA512
f2409505b37e1dab4f31bbf9ffdd796e1a3513aa7c322aa0edabf73e99977e289e82396758354bea959888e12c59c812479d875bb011fd08b830d174f9d1ead7

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
96KB

MD5
572b71f4f25a7040dac586f3208b7bd3

SHA1
60fe45e5021cad3d1a9352f545454d92c759c4d8

SHA256
7b4640d5de823fc1c1fd27e6d2eea4e4fefd5f61bee41066bad4bf77892bd8c6

SHA512
aba816b2f7ed5b5be378b0d3bfc9fbcd2c952fcbeb7ea5d2b2c6a6cac564a8854efc30f74ad4456ce732ee8ad65fecd76bccec43d73389008992b2889441b8bb

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
96KB

MD5
d5de58ea1c12cd3e22bccb97fa53a499

SHA1
e6efbc51485dd5cbbf4db2430d975ec2a984d83e

SHA256
09401870a41fc6bbec975b75cd8b54dd365324cd55d2828667a4131339560937

SHA512
7e9a47d085c36d486e2b84093db9a098b9cd04d1ee161ea821293c29ac049dd24ad011760fb03abe8174c994abb7d1e0ede6608203e5e84558aa2c3a5053cf7c

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
96KB

MD5
b3aaf7b8affb3e788d932628ba536082

SHA1
25689e96481239149c9c6a2a70b87fc171ecc849

SHA256
c2e97d8725b080241e23b8866f4c1f2cb600a4759441c36b4b5cf5082e7c7e88

SHA512
11cf63871ec8f9d85ea173759bfd681b8ef3c747c285b82a7219b32430212db80cc82b43c963b8621c436914c693cab70f5219db037fe0c3e7cce916c1c41253

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
96KB

MD5
2ab1014da1de236930be2d9073c59489

SHA1
ca82e6e4b1367180229e114bfd41c3b84ee2de91

SHA256
2ee083ccd51739037f5b19ee6aa23fb25ce201c60d8521157666919cb38b4a28

SHA512
eeda8a650b277cfabab83b976049d38424f12bab19d37a06f40f43198a7841490346f12f504c524556a922093201f510969e99c192b07573183fea402b7adeae

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
96KB

MD5
65ae37380ed93795d4af14c152f79404

SHA1
a09e3c10664183c2979afc849249c39025c07fd9

SHA256
556f16766d06f9eda53354ac51f1db826037c57bcf59749b620fbfd9413133e6

SHA512
dee1b6523667e7e1029fd246c528d2b4c9bbb48f263739d39e9d27fcdf52b7da5c54b31acc97c94832f3caa72331fdc503ea96da79a0924374d7d02adc8cdcaf

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
96KB

MD5
2b535344b4d297b7cc2d43bad68952f0

SHA1
72bf7bfb8b6f8d27d7c944806da510eaa3cd0970

SHA256
eb97dc63f693e0ecd38ad141b4719fb8230c12eadfa1f6c66771f55d08edae2e

SHA512
393e8f3aa3f760e24f63f731cb9f33029af8570b3680e9800c4f16528255743694b5c10da9be10c821dc3e3a85a00653fe842420f50a67f149331a0575ffff7f

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
96KB

MD5
f4ef183e1e83b0094380e26d97071155

SHA1
dd344fed93d4cd4cca6b85e500f65446304c3b97

SHA256
722030a8a0d94b318e8cc04c213bbd927d02a24027e7ee00d665aee491d2f513

SHA512
2200c82a4b077475d6c4e1d80c22f4bb4de2269884ff31701c0f7ec361efaee7600f43999b0677a1c433f8353bd507a6c9b4c1b9caf70b557d0afbed285ce257

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
96KB

MD5
ac09dd37f1629b82f2a5bdb832556a5c

SHA1
10addb1e2267d0257ae218d8ffcfbf750b6a17b9

SHA256
724c99834288749e8841d9b423ee469a4abbda062c8e9bb46000c086adb08af9

SHA512
013cce6853f3c0d3f354ce45f4f10fd8c69d3540946b2bd64944db91e93a3fd45d18f9ed40a6ac8df1609c38968099917391f5f5ceeaa4e1d5033079e1aa48ea

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
96KB

MD5
767f700c691adcd087286f84230277a1

SHA1
6c0e6f50e4d748149de9f1ca009a5b7a53bc04e4

SHA256
ee4730130192cbe2de3bdbe0ad854f82377be893c847aacf67cd4d03ddd67780

SHA512
e388413b4028001f17b38467c947d43ce56311c86d962d4ae2e340c70cc10a631b845e172fe840e8eabaa6b7d0a58d307c2b9672ad752bb0bdf8c60723ba28f1

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
96KB

MD5
fe2bc4b9032fffe432e949ee486a9ce9

SHA1
63f7f7bf8d158c2444e919492a179f1c1f7b1fcb

SHA256
193a8aab92ab7d732930aa252fb1a0d570ed62fd4ba542ccf108ad21264220d4

SHA512
b159d046a790668f204f58c4aec3c6c4f24f2c3232595e603677177e091cc9e18e14c5339e14c75bc888604b44f5f09a1d160ea66e414f26658ba639553a58b5

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
96KB

MD5
cfe02e9c9f7aa9e6b2f0918d84602d65

SHA1
39f3ed7bf1d2f7a6e55941731173850ee6c8d63a

SHA256
53d5760a068d1cee1ff5b62bf8214c0ff01a0af02efe8dd0b3ac9dcf5aae8fc3

SHA512
02fbdffbebb233aa04958ede0b15c7473eff8d21c17cf010d9f8610138c5baef87260058409e5612e1f1c9dbeef7a323df7713ec8dd51eb310643714f5c70cdc

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
96KB

MD5
34e3a17828f82d4896b660cfb29a6eed

SHA1
7dc0beaab0de58edbb5524eeac3375a342e21712

SHA256
b5a58ad40b474ebf650b9126eabdf5ee6c8c58ba7d13fbf33b4b54773593c13e

SHA512
c66e9c95667ae7ee5b89835862c6877e4c61e6253af20d0d067fca3d3ae5f65b3a97aadf657aa4b69846ee1416294143561a027eb96ff09868ccbb63c4926c71

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
96KB

MD5
6776989abf946fdfe2234898f3f6dbdf

SHA1
7d772979877c0b42034e3824790ebb16cc27e60e

SHA256
867f7df7b2b0dc72a90af77309206ed73e13524aebf6a0a5c55cc2737a845af8

SHA512
12430658c778d3050237a177980fa93202237d80b59f67cc948d92a01284b69c1d93a4e965d8116b8e15b752ee6dc9ca41c62f1f0a6d639bf65dd0a3458be7fa

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
96KB

MD5
53682b0b62cceea7e663b3b29685a8af

SHA1
2364993ea004780dc92e328b765af6413b66f6ed

SHA256
bbfcca291a86306f15d4c6fc5102a65a71a0fb0653349b431f174b14e4c3c93f

SHA512
cd39ec1c70c9459fea85827a43edacef4da04dd0c3e0c1fc6c155f91f8902f8945f75460f8bfb85efe02a9b257d655bf4366ae07be3b26ca6ba527635d581a51

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
96KB

MD5
8390262f9ebda725f1f7997ee2232370

SHA1
afbca732917e0db49c04844d6ddc4259983f7819

SHA256
25a15aa556fb9fb5d5f5367a300c4aa680adb862e60776ae60aafe8cb6095b0e

SHA512
2d96e4117395736eb41b49ecd136ebd7c83cfdb9b2287040bf0bb6493f97980cf23fff99e62d4fff743c6c665f538972edff086fd6514704ae958f2ffd25642a

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
96KB

MD5
d573932b0a5dbb501a7bdc9965f6fe58

SHA1
af056971f73ecae6d311441bcd93d118429a8d10

SHA256
be4e50f2178a9c8e016476525fe5200a568c0729a30addf8a9464f0690992062

SHA512
91b9759e13c531df0666b274945fa17331b6bc3990b5c6d05237b56dd2e41e6487ad88bf6d1be3c21eb01f21cb1221f1b7417e507394b51b37323561b0edd307

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
96KB

MD5
33382ebb2425bf63ea8d75d392f61bd6

SHA1
c550de9b807b958f24c2431420202f4ba7006687

SHA256
8f101411bc48a3149ae9ac9108e4d8d695b837a4637b2e47f5fc3c652c9d8eab

SHA512
92497d112e8e36031e5d5555dee91b0743c1edb95ee79d984cbcc2ffc7946a2fc0807874d7f956fbab84c083e91ae6c815f3691fa11800989ca27718a0413f92

Download Submit
memory/216-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/228-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/228-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/436-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-645-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/912-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/944-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/944-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/960-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1248-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1248-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1284-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1372-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1424-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1440-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1552-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2000-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-556-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2500-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2608-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2608-563-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-550-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3196-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-615-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3408-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3536-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3796-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3832-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3852-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3888-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3888-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3908-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3908-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3936-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4008-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4012-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-600-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4160-536-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4160-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4216-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4236-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4288-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-599-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-542-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download