berbew | 1e7d1e54703db83ba35742d8618b546ecb6f927bd9b60318e560c1139cb406d5

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e7d1e54703db83ba35742d8618b546ecb6f927bd9b60318e560c1139cb406d5N.exe
Size

384KB
MD5

dbfebcd0fc0a8c728b691f23f8907080
SHA1

08a6437d3d82264ab975828909034957bafcb6ec
SHA256

1e7d1e54703db83ba35742d8618b546ecb6f927bd9b60318e560c1139cb406d5
SHA512

7d5016b28de1e04b5b0d3645032e39a99b08eecc19c6aada5563b0d5e5186accc50f9cefdeb15a57f17f257ecfbea32c295d910bbe2952142f227dee61497f86
SSDEEP

6144:jjG7Xhvv8SeNpgdyuH1lZfRo0V8JcgE+ezpg12:jjmXh387g7/VycgE82

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Dmefhako.exeDdonekbl.exeCjpckf32.exeCajlhqjp.exeBebblb32.exeCmlcbbcj.exeDaconoae.exePjjhbl32.exeQddfkd32.exeBapiabak.exeCfpnph32.exeChagok32.exePqpgdfnp.exeAglemn32.exeBhhdil32.exeAnmjcieo.exeAepefb32.exeQjoankoi.exeBcoenmao.exeCndikf32.exeDjdmffnn.exePclgkb32.exeQceiaa32.exeBnpppgdj.exePfjcgn32.exeAeniabfd.exeDodbbdbb.exeDhmgki32.exeDfiafg32.exeDfnjafap.exeBeglgani.exeDobfld32.exePnakhkol.exeBmpcfdmg.exeAnfmjhmd.exeAccfbokl.exeCjmgfgdf.exeCalhnpgn.exeDeagdn32.exeDogogcpo.exeAcjclpcf.exeBeeoaapl.exeCnffqf32.exeChokikeb.exeDdjejl32.exeBanllbdn.exeDejacond.exePmidog32.exeCaebma32.exeCjbpaf32.exeDknpmdfc.exe1e7d1e54703db83ba35742d8618b546ecb6f927bd9b60318e560c1139cb406d5N.exePnonbk32.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	1e7d1e54703db83ba35742d8618b546ecb6f927bd9b60318e560c1139cb406d5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnonbk32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

Processes:

Pnonbk32.exePclgkb32.exePfjcgn32.exePnakhkol.exePqpgdfnp.exePflplnlg.exePcppfaka.exePjjhbl32.exePmidog32.exePdpmpdbd.exePjmehkqk.exeQmkadgpo.exeQceiaa32.exeQjoankoi.exeQddfkd32.exeQffbbldm.exeAnmjcieo.exeAcjclpcf.exeAeniabfd.exeAglemn32.exeAnfmjhmd.exeAepefb32.exeAccfbokl.exeBjmnoi32.exeBagflcje.exeBebblb32.exeBganhm32.exeBjokdipf.exeBeeoaapl.exeBmpcfdmg.exeBeglgani.exeBnpppgdj.exeBanllbdn.exeBhhdil32.exeBnbmefbg.exeBapiabak.exeBcoenmao.exeCndikf32.exeCmgjgcgo.exeCdabcm32.exeCfpnph32.exeCnffqf32.exeCaebma32.exeChokikeb.exeCjmgfgdf.exeCmlcbbcj.exeCagobalc.exeChagok32.exeCjpckf32.exeCmnpgb32.exeCajlhqjp.exeCdhhdlid.exeCffdpghg.exeCjbpaf32.exeCalhnpgn.exeDdjejl32.exeDfiafg32.exeDjdmffnn.exeDmcibama.exeDejacond.exeDhhnpjmh.exeDobfld32.exeDmefhako.exeDdonekbl.exe

pid	Process
5072	Pnonbk32.exe
1304	Pclgkb32.exe
1716	Pfjcgn32.exe
3652	Pnakhkol.exe
2160	Pqpgdfnp.exe
4452	Pflplnlg.exe
3900	Pcppfaka.exe
2348	Pjjhbl32.exe
2776	Pmidog32.exe
3612	Pdpmpdbd.exe
2840	Pjmehkqk.exe
2496	Qmkadgpo.exe
1496	Qceiaa32.exe
3068	Qjoankoi.exe
3568	Qddfkd32.exe
1188	Qffbbldm.exe
2516	Anmjcieo.exe
4820	Acjclpcf.exe
3404	Aeniabfd.exe
4552	Aglemn32.exe
2724	Anfmjhmd.exe
4980	Aepefb32.exe
4780	Accfbokl.exe
3364	Bjmnoi32.exe
792	Bagflcje.exe
432	Bebblb32.exe
2492	Bganhm32.exe
100	Bjokdipf.exe
4336	Beeoaapl.exe
4172	Bmpcfdmg.exe
4100	Beglgani.exe
4380	Bnpppgdj.exe
3380	Banllbdn.exe
1664	Bhhdil32.exe
4892	Bnbmefbg.exe
3864	Bapiabak.exe
3800	Bcoenmao.exe
4612	Cndikf32.exe
1976	Cmgjgcgo.exe
692	Cdabcm32.exe
3484	Cfpnph32.exe
3520	Cnffqf32.exe
4020	Caebma32.exe
64	Chokikeb.exe
2028	Cjmgfgdf.exe
4948	Cmlcbbcj.exe
4516	Cagobalc.exe
4744	Chagok32.exe
4064	Cjpckf32.exe
1988	Cmnpgb32.exe
3244	Cajlhqjp.exe
1540	Cdhhdlid.exe
3172	Cffdpghg.exe
5012	Cjbpaf32.exe
3572	Calhnpgn.exe
4484	Ddjejl32.exe
4048	Dfiafg32.exe
924	Djdmffnn.exe
1500	Dmcibama.exe
4420	Dejacond.exe
3248	Dhhnpjmh.exe
2992	Dobfld32.exe
3016	Dmefhako.exe
3196	Ddonekbl.exe

Drops file in System32 directory 64 IoCs

Processes:

Cagobalc.exePdpmpdbd.exeBagflcje.exeCndikf32.exeCmgjgcgo.exeDhocqigp.exePnakhkol.exeBnpppgdj.exeCmlcbbcj.exeCjbpaf32.exeDknpmdfc.exeBjmnoi32.exeBapiabak.exeDmefhako.exePqpgdfnp.exeCaebma32.exeCjpckf32.exeDaekdooc.exePclgkb32.exeAepefb32.exeAnmjcieo.exeCjmgfgdf.exeDogogcpo.exeBganhm32.exeBjokdipf.exePnonbk32.exeDodbbdbb.exeDhmgki32.exeChagok32.exeAeniabfd.exeDhhnpjmh.exeQffbbldm.exeDjdmffnn.exeDmcibama.exeCmnpgb32.exeDdjejl32.exeAccfbokl.exeCdabcm32.exePjmehkqk.exeQjoankoi.exeBhhdil32.exeDfiafg32.exeQddfkd32.exeAcjclpcf.exeDobfld32.exeCnffqf32.exeCalhnpgn.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pclgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcgn32.exe	Pclgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
4724	4960	WerFault.exe	155

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Aglemn32.exeCagobalc.exeCdhhdlid.exeAcjclpcf.exeBmpcfdmg.exeCjbpaf32.exeDdjejl32.exeDdonekbl.exePnakhkol.exePqpgdfnp.exePmidog32.exeDeagdn32.exeDmllipeg.exeAccfbokl.exeBjmnoi32.exeDobfld32.exe1e7d1e54703db83ba35742d8618b546ecb6f927bd9b60318e560c1139cb406d5N.exeDodbbdbb.exeDhmgki32.exeAnfmjhmd.exeCnffqf32.exeCffdpghg.exeCalhnpgn.exeDjdmffnn.exeCmgjgcgo.exeAnmjcieo.exeBagflcje.exeBnbmefbg.exeDmcibama.exeDhocqigp.exeQmkadgpo.exeBanllbdn.exeCajlhqjp.exeBjokdipf.exePdpmpdbd.exeQceiaa32.exeAeniabfd.exeDfnjafap.exeDknpmdfc.exeQddfkd32.exeBeglgani.exeDmefhako.exeDaekdooc.exeCjmgfgdf.exeCmlcbbcj.exeChagok32.exePflplnlg.exeQjoankoi.exeBhhdil32.exeBeeoaapl.exeCndikf32.exeBapiabak.exeBcoenmao.exeDhhnpjmh.exeDogogcpo.exePcppfaka.exeQffbbldm.exeAepefb32.exePjmehkqk.exeBebblb32.exeCdabcm32.exeCfpnph32.exeCaebma32.exePnonbk32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e7d1e54703db83ba35742d8618b546ecb6f927bd9b60318e560c1139cb406d5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe

Modifies registry class 64 IoCs

Processes:

Pflplnlg.exeAcjclpcf.exeBmpcfdmg.exeBanllbdn.exeCndikf32.exeDodbbdbb.exeDknpmdfc.exe1e7d1e54703db83ba35742d8618b546ecb6f927bd9b60318e560c1139cb406d5N.exeBcoenmao.exeCmgjgcgo.exeDfiafg32.exeDmefhako.exeDhocqigp.exeAnmjcieo.exeQjoankoi.exeBjmnoi32.exeBeeoaapl.exeChagok32.exePclgkb32.exeBeglgani.exeDmcibama.exeDhmgki32.exePnonbk32.exeCjbpaf32.exeDaconoae.exeDogogcpo.exeCmlcbbcj.exeAccfbokl.exeBjokdipf.exeDjdmffnn.exePfjcgn32.exePcppfaka.exePdpmpdbd.exeQmkadgpo.exeAepefb32.exeBhhdil32.exeCjmgfgdf.exeCalhnpgn.exeAnfmjhmd.exeCjpckf32.exeDejacond.exeDaekdooc.exePmidog32.exePnakhkol.exeDobfld32.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	1e7d1e54703db83ba35742d8618b546ecb6f927bd9b60318e560c1139cb406d5N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	1e7d1e54703db83ba35742d8618b546ecb6f927bd9b60318e560c1139cb406d5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1e7d1e54703db83ba35742d8618b546ecb6f927bd9b60318e560c1139cb406d5N.exePnonbk32.exePclgkb32.exePfjcgn32.exePnakhkol.exePqpgdfnp.exePflplnlg.exePcppfaka.exePjjhbl32.exePmidog32.exePdpmpdbd.exePjmehkqk.exeQmkadgpo.exeQceiaa32.exeQjoankoi.exeQddfkd32.exeQffbbldm.exeAnmjcieo.exeAcjclpcf.exeAeniabfd.exeAglemn32.exeAnfmjhmd.exe

description	pid	Process	procid_target
PID 4856 wrote to memory of 5072	4856	1e7d1e54703db83ba35742d8618b546ecb6f927bd9b60318e560c1139cb406d5N.exe	82
PID 4856 wrote to memory of 5072	4856	1e7d1e54703db83ba35742d8618b546ecb6f927bd9b60318e560c1139cb406d5N.exe	82
PID 4856 wrote to memory of 5072	4856	1e7d1e54703db83ba35742d8618b546ecb6f927bd9b60318e560c1139cb406d5N.exe	82
PID 5072 wrote to memory of 1304	5072	Pnonbk32.exe	83
PID 5072 wrote to memory of 1304	5072	Pnonbk32.exe	83
PID 5072 wrote to memory of 1304	5072	Pnonbk32.exe	83
PID 1304 wrote to memory of 1716	1304	Pclgkb32.exe	84
PID 1304 wrote to memory of 1716	1304	Pclgkb32.exe	84
PID 1304 wrote to memory of 1716	1304	Pclgkb32.exe	84
PID 1716 wrote to memory of 3652	1716	Pfjcgn32.exe	85
PID 1716 wrote to memory of 3652	1716	Pfjcgn32.exe	85
PID 1716 wrote to memory of 3652	1716	Pfjcgn32.exe	85
PID 3652 wrote to memory of 2160	3652	Pnakhkol.exe	86
PID 3652 wrote to memory of 2160	3652	Pnakhkol.exe	86
PID 3652 wrote to memory of 2160	3652	Pnakhkol.exe	86
PID 2160 wrote to memory of 4452	2160	Pqpgdfnp.exe	87
PID 2160 wrote to memory of 4452	2160	Pqpgdfnp.exe	87
PID 2160 wrote to memory of 4452	2160	Pqpgdfnp.exe	87
PID 4452 wrote to memory of 3900	4452	Pflplnlg.exe	88
PID 4452 wrote to memory of 3900	4452	Pflplnlg.exe	88
PID 4452 wrote to memory of 3900	4452	Pflplnlg.exe	88
PID 3900 wrote to memory of 2348	3900	Pcppfaka.exe	89
PID 3900 wrote to memory of 2348	3900	Pcppfaka.exe	89
PID 3900 wrote to memory of 2348	3900	Pcppfaka.exe	89
PID 2348 wrote to memory of 2776	2348	Pjjhbl32.exe	90
PID 2348 wrote to memory of 2776	2348	Pjjhbl32.exe	90
PID 2348 wrote to memory of 2776	2348	Pjjhbl32.exe	90
PID 2776 wrote to memory of 3612	2776	Pmidog32.exe	91
PID 2776 wrote to memory of 3612	2776	Pmidog32.exe	91
PID 2776 wrote to memory of 3612	2776	Pmidog32.exe	91
PID 3612 wrote to memory of 2840	3612	Pdpmpdbd.exe	92
PID 3612 wrote to memory of 2840	3612	Pdpmpdbd.exe	92
PID 3612 wrote to memory of 2840	3612	Pdpmpdbd.exe	92
PID 2840 wrote to memory of 2496	2840	Pjmehkqk.exe	93
PID 2840 wrote to memory of 2496	2840	Pjmehkqk.exe	93
PID 2840 wrote to memory of 2496	2840	Pjmehkqk.exe	93
PID 2496 wrote to memory of 1496	2496	Qmkadgpo.exe	94
PID 2496 wrote to memory of 1496	2496	Qmkadgpo.exe	94
PID 2496 wrote to memory of 1496	2496	Qmkadgpo.exe	94
PID 1496 wrote to memory of 3068	1496	Qceiaa32.exe	95
PID 1496 wrote to memory of 3068	1496	Qceiaa32.exe	95
PID 1496 wrote to memory of 3068	1496	Qceiaa32.exe	95
PID 3068 wrote to memory of 3568	3068	Qjoankoi.exe	96
PID 3068 wrote to memory of 3568	3068	Qjoankoi.exe	96
PID 3068 wrote to memory of 3568	3068	Qjoankoi.exe	96
PID 3568 wrote to memory of 1188	3568	Qddfkd32.exe	97
PID 3568 wrote to memory of 1188	3568	Qddfkd32.exe	97
PID 3568 wrote to memory of 1188	3568	Qddfkd32.exe	97
PID 1188 wrote to memory of 2516	1188	Qffbbldm.exe	98
PID 1188 wrote to memory of 2516	1188	Qffbbldm.exe	98
PID 1188 wrote to memory of 2516	1188	Qffbbldm.exe	98
PID 2516 wrote to memory of 4820	2516	Anmjcieo.exe	99
PID 2516 wrote to memory of 4820	2516	Anmjcieo.exe	99
PID 2516 wrote to memory of 4820	2516	Anmjcieo.exe	99
PID 4820 wrote to memory of 3404	4820	Acjclpcf.exe	100
PID 4820 wrote to memory of 3404	4820	Acjclpcf.exe	100
PID 4820 wrote to memory of 3404	4820	Acjclpcf.exe	100
PID 3404 wrote to memory of 4552	3404	Aeniabfd.exe	101
PID 3404 wrote to memory of 4552	3404	Aeniabfd.exe	101
PID 3404 wrote to memory of 4552	3404	Aeniabfd.exe	101
PID 4552 wrote to memory of 2724	4552	Aglemn32.exe	102
PID 4552 wrote to memory of 2724	4552	Aglemn32.exe	102
PID 4552 wrote to memory of 2724	4552	Aglemn32.exe	102
PID 2724 wrote to memory of 4980	2724	Anfmjhmd.exe	103

C:\Users\Admin\AppData\Local\Temp\1e7d1e54703db83ba35742d8618b546ecb6f927bd9b60318e560c1139cb406d5N.exe
"C:\Users\Admin\AppData\Local\Temp\1e7d1e54703db83ba35742d8618b546ecb6f927bd9b60318e560c1139cb406d5N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\SysWOW64\Pnonbk32.exe
  C:\Windows\system32\Pnonbk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Windows\SysWOW64\Pclgkb32.exe
    C:\Windows\system32\Pclgkb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1304
  - - C:\Windows\SysWOW64\Pfjcgn32.exe
      C:\Windows\system32\Pfjcgn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1716
    - - C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3652
      - C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:792
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:432
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:100
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4380
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3864
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:64
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1988
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3244
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3172
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3248
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3196
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:344
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:460
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 408
        76⤵
        Program crash
        
        PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4960 -ip 4960
1⤵
PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
384KB

MD5
edb1c347f97e8dfeacbb4e3639152c94

SHA1
ce4c62886a0cb9ea3d0aa21d98a5f4c9f2e56c07

SHA256
d2a156cb622c766f99ada7f538cd1804a50a81dcdbfa12905f66346c3f928f8a

SHA512
58609441491e836d927dc87aa6eb525ccddd9ba9ed5f19a0644d473dcfd097176e7a58eb2f1fccfa4090faf7f5594631784c4f8cd2d2cb95b921a79b980432b6

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
384KB

MD5
aef400ae8b6c93394cebb59dc1161ab5

SHA1
38da054bb5bb7639f9bf4afc8d2642b87b6ea55a

SHA256
0e8ce52a968b45362597d5e29fcfd5891bae98eb4e710178d0c25673ca12e121

SHA512
0ec6c501680152483597bdae6caa2c18c034fe394b9ece2ce57ef0de3b62d718eaa268cc486f17b4fc10067d655fb725263d6a43a66ed69733c735c44d56001f

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
384KB

MD5
fc193cca4ef6d18159e7c6c97d7785fb

SHA1
22ecdb554eb63b1660203838ef2720166ae938cf

SHA256
a6fc962d18d2192d674fed0280a4b03872300460e685d1ef6ffaa537511960ee

SHA512
2c092f04e2dc488c40a87596ec29cc16f320a4352931b134f46db58f408389d946a946d272d52563be0e71e7b72256e6f97edafa2850a08644e4882cc42dbfcd

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
384KB

MD5
b7939ed895f271fe437ab6f59a5a36fe

SHA1
63fcdedaf7693f075c1493b73d2badb333036378

SHA256
83d0ca1cbe71ccbbda877ec96e824bf2c14a4aad085a43d4057d3e6daab882c3

SHA512
29afce1ffdd61ea6a21c2306cf46dc9c09bd210da4787464ee550c024c77c9984a6bfdee47b6671195e2c2dccc6ee70985f84637b5e4c85647c321bafca766da

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
384KB

MD5
5b887951738160872b2b94b2dfdf426c

SHA1
4000da3e13ba7be4bae36ec7c73100a4090cf984

SHA256
c4545a96259a0722acee2cec39aa1d55d76ad605eea9acb9cb63cbe304de44fd

SHA512
7f29f0cbfc460d2078e842d749e5f00d9b559cc005d31767889385194c9aaa9c2b32af3cf84c74ffb2b9189b5226f2a6180c9f067b23c75f3026107634758ca2

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
384KB

MD5
9b4c372daeefca0934948ddcb35574e8

SHA1
f1f7bee1ee5a19ff03144a7faf63d0df3f4f8c5c

SHA256
8c318f76ec4df974044ec05f72dbf79ff7264d4fff4a3ef35d371ac4e1034f07

SHA512
51a20e370f88ecf831cdcc0f2bab26d886bbcb157eae1036fed4adfa19bbb8e140997b888704978bbef00ba3f9867f6dd01239320b1240a3ad0083113f14819d

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
384KB

MD5
4e8648a8a43145c59be715ce33b11161

SHA1
a2c750a493cc18c9b64bb02138a7c7aed89e9900

SHA256
1337ffbc4136d0409c1b72f8a857f95ed4c7b731595879f954d6fbe9a0798b54

SHA512
f8e4b9067ef57e6c4ba1233f8d17aaf8a5d95fec1fa4b528cfe18d2a423afea9158a5565bd3e0facbc87b5698821a6cddf4d2e5dab410eeb913dadf1888965cc

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
384KB

MD5
14423bbc7b74e86fdd0055e8473a8473

SHA1
b91a015f0335e093dbdc87ba5451ac63e065e821

SHA256
16870bca5489c6c2833a28ac42c2d71e2ec5ecda26a32aca07fcef80c98a329d

SHA512
0e12fac302de2b88a94aaa7617a0c36477a4672268eb168fd43fd7ea75ee3debf2d547005a46aa658f3ae55c8ed049e8d01a9bc38255c525a6f644e6b7a07d5a

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
384KB

MD5
d08b26839870a1d06b738c82db67dd17

SHA1
d7a151ec1b6903aa06a4b8e17364a07cc8de9cb4

SHA256
ae0ccb9ee3975deb4d614aa067948920b708c09da1ecbbf00cd7711f53fc07bb

SHA512
3d10933bf51ebe1fdd870a98c2f921fff25f29b95e0731ec3a84db20f67bf7b83ce42797e2e578015d25873cba80d7d2c098144871cd8b04a099b300514035eb

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
384KB

MD5
f3c16c440fd69103326621e3207dc94c

SHA1
848559b4913b0d7c713146fa118ffed2f769ba9e

SHA256
2db0d3344dffe2079cef686b30fdbc84c44f2a4dc58c6df530e4f5595bae65dd

SHA512
5ad1e1ca600a17f60397dbddbaafbbf2a6b6a4e541a2910b949cef61befeae98bc7f35ba7b0a1376176b364298d119eca97fbfa5d00caaed321619a4c96bcb71

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
384KB

MD5
8fe9eda04d39a1b92b99bb117fa96e6f

SHA1
20eba5ad6f8b93d805c78704054a89c7248c6efa

SHA256
4d747ae878c711078a4a9f5acb9d1a7e07a79666e9950317c0f24d761634294f

SHA512
8be8e51cf721202ea9f80dd68707af1ed83b79670b8b26931c71ec7ad3b6b39ca063e929fae01f37ca2daebc2c33cc368f2c8b5fcfb79ebcaf8390a333365c38

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
384KB

MD5
e92954bda89b1695d1ca58a8e353d75c

SHA1
3c9c245cd59546305e8589aefce414dfabe015b4

SHA256
6dfb6471628ab160fffe6b87ad821ca55d3de3b0cd8abb778fed59aa293ff7d9

SHA512
4af81943db84308768b4e79d0e9962de266312656f7d165fcebbb561278442169c2cf3c144b79b6373f2c118c239a7c421eadd464f1f56d864908f694571cd6a

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
384KB

MD5
7064c0438c726a91b03dad510067b3d2

SHA1
4797b609f88b26b883009f7194698dc46fac6e2b

SHA256
ce4630d5cf8788878ce5bd655dae73b14bc2ac07040081d9bdb32ca6b3bdaa99

SHA512
4afd06f4a3d262315c053a61278029318c8436c357f97593373655c538c78e4c57055ac855c9315b026ce788f83ee4312bfb59f130963aa2a3665ac614235653

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
384KB

MD5
0cb594833c13f869b64e2475bd487a13

SHA1
564ba0d8f9b2a9ea302ed1f678b688cf201ae4a0

SHA256
4ca5d0ac7c323c4385a84aea697293cb50efca42bb37128c17f63bb2d6a6432c

SHA512
f0c56d09e9cacc45e25a9ba39c387ef3baf46cd960c0768d9eeda75c256aaee900beb8758ad8dc73ad187ea6d5a448afad6dfa8510137e1d2e3e670a2c62c1e8

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
384KB

MD5
f6a8245f959cab9fbcd18d89044a176c

SHA1
62fea54aba3b05b4fbc85c0d67d8da131b2fe8b6

SHA256
5ac49e35f5ff23a72a1fa1a3556f378777a8cd2012de413a8b5383e687d6fcc0

SHA512
c50c894286bc9f68a82da155e90536b75ad56df1799feec4c776525e61dc586595ae1f506c1a04b382b21ec0cca7b9821a602a278a774a4253111408aaf3c131

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
384KB

MD5
c00c02f745dbb5a97b84183606164502

SHA1
8f5baf10a9603ae936cfd42e455cf2fb9980cdf8

SHA256
87ab771feaa10b5f71351dbec211faab3b7575a1ea60636bb7631d0f77e2f9f0

SHA512
d083a85012e0c2d54c0d0c1e965078bb3066422fe8b8393a533e60636b41dd4323685d86ba49b84df57ebb3674c120b90c6ffb9f68494b6c8563fc7667c185a7

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
384KB

MD5
50d1983b5d82afde1c584ea4a010c7f1

SHA1
17ec3ec8ee05d1638ed9533c48b0823037988035

SHA256
7508a0f361b77266b88feb2cbd7617a01c73f6a9ac7dd9fd3bf031dcf0c5e3f1

SHA512
490c4c9ca757b7ede8649161cf4b5ae86151eb76bacb6dc8fd3854f8c1f53afed3abca21d69ae0aa273b8b8ec3ad36aa703f7ac72e7ae466e10fd35465c946cb

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
384KB

MD5
fe99c90b2ede831f2105d0ee0d78f7db

SHA1
db840bfe6b0a62eaae682328dbd1344c646a4040

SHA256
76a9208935834a47782c64e9bb803d2309b60662f533af825b85f1c17fd109e8

SHA512
c37cf2ad28b3f0c08284069b9800af18e9dc84effd32b1e634a1aac9b35afa11ab4b2a6a0172125c5a8d74ef953d97a392fc3ab8bf0529bb5c5e9df2be5aa1a5

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
384KB

MD5
45e65bf26c10971bd15a95023268dcea

SHA1
7e0c114878a6d92afb17952a1799bf25350708fa

SHA256
a341056324b7bbb592a28b4866f6c49d1f47835c35236605d0c20aa3bef16e59

SHA512
44726173d5c4aef90efef52e6345437e00160f68a68ab81d492a4633781d6f2ea0d02b52144c8b78aff5f49cdcc1b514a5d393b5ab58828051c20abe07603f3e

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
384KB

MD5
5c8938e8a94919005d550420997913f7

SHA1
b7a77f607ee88495020a3b1b4506314aadc28058

SHA256
ad8c858a6b42278d487b3bcbfeb70b8f473cc94463a1e410f6dce92c329ed69b

SHA512
d16ab23576326a3583164c08b65b33f0c688c11555bf9b66fcff1da8061b7a4b0983f2541fc19d4996cf2ad28608d82be6fd494fa2b6eff6eb4a9b564a2b3a9b

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
384KB

MD5
9ca2b41864d529556a1c021b57a364e6

SHA1
af8611dceaa1156b99af8cbcc59d01ccfb1d220b

SHA256
78e2f51674742583019dec1be3224982d96b540f45869c43d5bd85a14baa466e

SHA512
6c654e346892adbc623ce5d8bdd56ee151a98afcf8714879cdce14f6d014a53fbbc17cd7dfa7256906835fe7617427237ebf10ba3762f03b9205e02032d622d6

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Jocbigff.dll

Filesize
7KB

MD5
62faf4df300346dcd38c342d86521082

SHA1
52d6a0a911feec30e2aa4ca23478092a9fae2b33

SHA256
f0c1041be7336034ca96444cfeb851ed2b5247ccf02f445c5aabb9a0e26112e6

SHA512
c1fd93a4e43aeb636d6169632388a5b898a923ed8d57ccb2fe95afead09b13614eab02d68afff5ca8ed013c12e02035b812ad1aa78c65277068e322db54ac767

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
384KB

MD5
cc75829a07d754726fa98e297df55428

SHA1
6fe5a365c50ba5f818860565ab3cc768838311e8

SHA256
dfbebfaa73599b312128d823b1ea8bd9b98951c24027f592d78ba42ed95ea20d

SHA512
f8a0896ee45b46efd85bd30e18b0c131315f37af3d6ddcefced099f6b0623f348d953ee344a2325bdc63d13f0974566e1f57485ad55e4a94eeb66ce2f8731cf2

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
384KB

MD5
95c10174c6b58cf59170ca0527dd43ab

SHA1
a5d7a80cf333f7d14ba4edf7260778f169e2287f

SHA256
e0400abe9143406aa70f68934bbb84ff361b3cfbef3c696998fa3d5a3512e3cc

SHA512
8ba331b186d5d8b85f7794b1100378e345966e972288194db34dbe396f044113f3203e94ef53fc77f9fe97b1eab96ba00e2f3ceea95aa57943e291f84b3861e1

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
384KB

MD5
586e517f0cbeff8518d47b9396ef8053

SHA1
5f471555790d1beb00f95caceac972e44d06375e

SHA256
a5de33e1c310677523766c97b76e2462b03b3a1913ea5de0159a6e692591ac6c

SHA512
7bc1650726b392807f0df446b697dbedcd361ec02678644438ad2a72715b3de727766b61d893093d9de1b3d80a57de63116cf72ba0d79cfd7cef3d8090281c7c

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
384KB

MD5
bdc582019650b2476a8424038f579acc

SHA1
13f65cc94a83166d904797fb1b5cf53beed1c2a2

SHA256
6d0384b87242302574408400f46cb2900822406353d234b3d6524d52b7c20b9d

SHA512
c019d57e3a5126b7f1234471113bf2fee45276f2afef3db78b4745a0ea6eacc6622757b931e7efa8882653e0d4a924377a30c3f3e97c36e9020c506c01f68b2c

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
384KB

MD5
3b9e1038cac70ac11d4d429ece035491

SHA1
164a740e2bc169cf4126d2bbeaa6838efe9f5c3e

SHA256
12a4fc1a739f816fbffe7022bedbcef53a5bb5f85af4cefaa9cf393440d916ce

SHA512
f3c0899ab438d98d29e3a7e1366c9421628e877f93ede5b6fe8549a5e230bd7ac72f96ef6df39889d11f17cfd1ab9535337b37352d32430cbad8559a7c173dbf

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
384KB

MD5
fec2cd4f7a3cff27aba0c5d7913e7ed7

SHA1
9bfbb9a8a4a523c7ad82d7514a58346ba265269b

SHA256
10e2ee37b05ad88f5256a4ce3a3118c0472d512274aa6b6df295374822b94b27

SHA512
05ce4db97743fb3a3206d84fe2b7e727d9d3dd4c9392ec29da1ae32a4711f9e861b4b4e41d824ace776ae4f09dd3e80e5631bbfaf3f2678253f9dcf118592db2

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
384KB

MD5
3844921dbb733b4adbc7ae78e861daa3

SHA1
2a0088e54cc2e351210cb32938e8a3d3de20304f

SHA256
9b84bfd07e367c7ccd5f42aa29e03a319943b8bc4925f8b0fff3df9c6e39ab3b

SHA512
dc164f30e15f78626207f85d113208383c8e7e4e85394b3f245816ffa405e18fc1be2f76fbff6685a81d3bcc8bfd8082fa5e9991709c755eb2f344f4347825f6

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
384KB

MD5
79e7ad037e608158bc9f1de4fca087b0

SHA1
f79253b34d742af2b4580e9a2bdf18571415d4b3

SHA256
0092e2feb5e275d7f7956c8757e1af2e5e5baac73097045c41ee2949fa05390a

SHA512
68ebacc7f94b006c873fddbf0749eee8ad50bfc22715860238ecee45aad91ead1f0a718de5979a525d4ebac686f5768e49a921205a41f5bbbfa6de51f296092b

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
384KB

MD5
48d46b08240f97bee2b485161fef5161

SHA1
cfab7e8946ce03cccd7274aec5041174b343b03b

SHA256
52a74ae3b37bdd7ad552fb1c64d86fac31b4b41b779032ad1224f9f04d0e36c7

SHA512
df170d5af3378829d4624a1a7429522a7a08fa81c95353929ac3977b9725968be39d6aedab0c85a8cf03303ab5b02d71f0969c48b8d91dfded82dbbd6a85e624

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
384KB

MD5
07cd5352d806fe6f8a6e8d69a508ed80

SHA1
fbcc7eae7065a486cefcbe8d15bc4a64de98d802

SHA256
5ce607b5cb492bf275baa11da50ad09f59d4ff04c13d8f3e41387d6d18f5bfce

SHA512
ae8ec5f858c965c099831f6b2ba97238d384fdb98b5e625cdd52209390221f18afa3a129c659c64e4e6c204584274baa782c325970efcf37ccee22ea1d9f20dc

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
384KB

MD5
fb04a64d46791c49eb1dabc1b6190c8c

SHA1
fd0b2dfa31d686c68bb475b751a3ba322ce4a7a4

SHA256
a35c3183d4e174d9a2ce2f534d32a4051eb25a97b22f0accb5074d13537c1e63

SHA512
9304f66f50c5c88fefd399ef322a5ded3f8c00b54c71bc04edcde936f6b461d3ae34d084c3539c12856e234d6fd3c1d380dc003166be6eb08715957fd0177474

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
384KB

MD5
17a0159de4af16b4ca81d4fbf38fe45f

SHA1
da31dbeaac915ca6051b9175c3795bfa32dfdc56

SHA256
05d6a2df66349fbc2e5e7ecef059bacbf52a0a14cc6949468dcdadefa84bb1c7

SHA512
3eafaa317464411fff223f3f0f9de4f1f8f66fbc155513ac0c13df241822c4ab2038f4ecf4a5d6d563ac950b4bdd5f71d7445b36a40c634c221905431a2154b4

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
384KB

MD5
7012d362df7ab094dd615030e0eac2ae

SHA1
e02edcebcaf18d14edbfa5dd4fa0ef7a745e2b14

SHA256
af797b5ff611c7d6034f1913679a940c3c66cdd46d30ca7a2a625fbf79c1e3a6

SHA512
d6669c3c57646f250af2dcfbb69006eaeea0a9fe0b36bb058cf87a99ea41a2514b65b076396074c2c5730532f925e0f0c3c627be1644773a037eef5c5a5029bd

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
384KB

MD5
7ce42b29f64d269ddec1709495e8d8cf

SHA1
4ed77c3239b378f9272d7806d619d90c46b1a2e6

SHA256
ff1c7a7f3c9f2b24926f9103331d1d602c3deb7f53bce7023d53bab45c5af0fc

SHA512
ecd669acac8802baac6cf717a74724099df69b79091ebade344fdf237f6cf7cc57db6d64ad5d0e558e2132ae148a7aa11fc92d4d00bdc20645a8c0c9af1e8112

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
384KB

MD5
34491db9b0f7fe5fc6300745380556eb

SHA1
3972cd84ee5b801bb1c5cbb82070328091e33c36

SHA256
dceecdca13912af1030b668522fdb676490ea7a76c0d25677834525c0f9a2ab8

SHA512
26292d896346ce9efee676c43bf6d18d462ab1c158c97979eeebcd7d0de29f8b817c309d1bab2017a8d9d04097c2b9083bd33c7db0a3c536dcc776a6456b5491

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
384KB

MD5
f61282db9a6f81b7488738ad49002c68

SHA1
3d4e8f80fbc9ceec75b3e883f0a37025638f31e2

SHA256
1a147e8beba94cbdf9c5f01a5474ba75ba6d57f66b52891677b8d32c2ff8de83

SHA512
10ca70a70ab8814706a2fbc17a0c08c41560773170af2d4d7c8a3f0f1cde2b08ac7ea0178a1f58a8b0de0480b1f8e86985c006f99b8b08e180f67ee6b8fd0604

Download Submit
memory/64-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/100-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/344-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/344-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/432-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/460-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/460-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/620-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/620-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/692-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/792-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/924-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/924-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1496-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-536-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1716-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2516-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-530-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-550-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-529-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3244-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3244-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3364-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3380-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3404-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3572-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3572-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3652-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-524-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3864-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4020-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-542-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-512-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-511-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-549-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-518-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download