54551f25e02605eadac5202fc25462d744181c495de4cdc5c51b762854b72d6d

Analysis

max time kernel
151s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2304749f98d01d72c6b0fde173e1784c.exe
Size

128KB
MD5

2304749f98d01d72c6b0fde173e1784c
SHA1

3b6dbaecd2e9d3786861136781e7cefa902daa13
SHA256

54551f25e02605eadac5202fc25462d744181c495de4cdc5c51b762854b72d6d
SHA512

d272e0ebab3dfba455c3170ea303b826007afa85f89cc6f663517e9334f4c568ee4dbd86a84378906f2a08ecde73f909804ef4315a096311a24ad1922894fab4
SSDEEP

1536:6a71cbuDa9neub6sfWQaYjZ3qZZQq47ChXHZcWiqgF72S7f/QuMXi1oHk3CYyq:6c1qu+TfWQv/57oXHmW2wS7IrHrYj

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Gcmpgpkp.exeNjmejp32.exePjjaci32.exeNkebee32.exeEoekde32.exeHjlaoioh.exeAgcdnjcl.exeDbbdip32.exeOakjnnap.exeDbckcf32.exeHohjgpmo.exeLjoiibbm.exePdofpb32.exeKggjghkd.exeMdkabmjf.exeEoladdeo.exe2304749f98d01d72c6b0fde173e1784c.exeFofdkcmd.exeGedfblql.exeIiaggc32.exeDioiki32.exeBkhjpn32.exeLiifnp32.exeNemchn32.exeMpqklh32.exeNmpkakak.exeAaofedkl.exeEhkcgkdj.exeEohhie32.exeFibfbm32.exeFoonjd32.exeAbbiej32.exeCejaobel.exeOogdfc32.exeFpnkdfko.exeGgfobofl.exeOgjpld32.exeDojlhg32.exeNdjcne32.exeBgeadjai.exeDalkek32.exePkonbamc.exeBkadoo32.exeHqjcgbbo.exeOknnanhj.exeIoppho32.exeEedmlo32.exeIqaiga32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcmpgpkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njmejp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjjaci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkebee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoekde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjlaoioh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agcdnjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dbbdip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oakjnnap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dbckcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hohjgpmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hohjgpmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljoiibbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdofpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kggjghkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljoiibbm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agcdnjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdkabmjf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoladdeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	2304749f98d01d72c6b0fde173e1784c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fofdkcmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gedfblql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiaggc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dioiki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkhjpn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjlaoioh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liifnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nemchn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpqklh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmpkakak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaofedkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ehkcgkdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eohhie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fibfbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Foonjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpqklh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njmejp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abbiej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cejaobel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oogdfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eohhie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eoladdeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fpnkdfko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ggfobofl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogjpld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dojlhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Foonjd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndjcne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndjcne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgeadjai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dalkek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dalkek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkonbamc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkadoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqjcgbbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oknnanhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dojlhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehkcgkdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fofdkcmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ioppho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eedmlo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eedmlo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcmpgpkp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iqaiga32.exe

Malware Dropper & Backdoor - Berbew 45 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Gcngafol.exe	family_berbew
C:\Windows\SysWOW64\Mdkabmjf.exe	family_berbew
C:\Windows\SysWOW64\Mgngih32.exe	family_berbew
C:\Windows\SysWOW64\Nkebee32.exe	family_berbew
C:\Windows\SysWOW64\Nemchn32.exe	family_berbew
C:\Windows\SysWOW64\Oogdfc32.exe	family_berbew
C:\Windows\SysWOW64\Ogjpld32.exe	family_berbew
C:\Windows\SysWOW64\Oakjnnap.exe	family_berbew
C:\Windows\SysWOW64\Ogjpld32.exe	family_berbew
C:\Windows\SysWOW64\Pnhacn32.exe	family_berbew
C:\Windows\SysWOW64\Pkonbamc.exe	family_berbew
C:\Windows\SysWOW64\Qnpgdmjd.exe	family_berbew
C:\Windows\SysWOW64\Abbiej32.exe	family_berbew
C:\Windows\SysWOW64\Bkadoo32.exe	family_berbew
C:\Windows\SysWOW64\Bkadoo32.exe	family_berbew
C:\Windows\SysWOW64\Bkhjpn32.exe	family_berbew
C:\Windows\SysWOW64\Belemd32.exe	family_berbew
C:\Windows\SysWOW64\Cejaobel.exe	family_berbew
C:\Windows\SysWOW64\Dbckcf32.exe	family_berbew
C:\Windows\SysWOW64\Dojlhg32.exe	family_berbew
C:\Windows\SysWOW64\Dojlhg32.exe	family_berbew
C:\Windows\SysWOW64\Ehkcgkdj.exe	family_berbew
C:\Windows\SysWOW64\Eifffoob.exe	family_berbew
C:\Windows\SysWOW64\Eoekde32.exe	family_berbew
C:\Windows\SysWOW64\Eohhie32.exe	family_berbew
C:\Windows\SysWOW64\Eedmlo32.exe	family_berbew
C:\Windows\SysWOW64\Fibfbm32.exe	family_berbew
C:\Windows\SysWOW64\Foonjd32.exe	family_berbew
C:\Windows\SysWOW64\Fpnkdfko.exe	family_berbew
C:\Windows\SysWOW64\Eoladdeo.exe	family_berbew
C:\Windows\SysWOW64\Fofdkcmd.exe	family_berbew
C:\Windows\SysWOW64\Gheodg32.exe	family_berbew
C:\Windows\SysWOW64\Ggfobofl.exe	family_berbew
C:\Windows\SysWOW64\Gcmpgpkp.exe	family_berbew
C:\Windows\SysWOW64\Hfniikha.exe	family_berbew
C:\Windows\SysWOW64\Hohjgpmo.exe	family_berbew
C:\Windows\SysWOW64\Hqjcgbbo.exe	family_berbew
C:\Windows\SysWOW64\Gedfblql.exe	family_berbew
C:\Windows\SysWOW64\Eoladdeo.exe	family_berbew
C:\Windows\SysWOW64\Igkadlcd.exe	family_berbew
C:\Windows\SysWOW64\Iiaggc32.exe	family_berbew
C:\Windows\SysWOW64\Imjgbb32.exe	family_berbew
C:\Windows\SysWOW64\Mpqklh32.exe	family_berbew
C:\Windows\SysWOW64\Nkdlkope.exe	family_berbew
C:\Windows\SysWOW64\Bgeadjai.exe	family_berbew

Executes dropped EXE 64 IoCs

Processes:

Gcngafol.exeMdkabmjf.exeMgngih32.exeNkebee32.exeNemchn32.exeOogdfc32.exeOakjnnap.exeOgjpld32.exePnhacn32.exePkonbamc.exeQnpgdmjd.exeAbbiej32.exeBkadoo32.exeBelemd32.exeBkhjpn32.exeCejaobel.exeDbckcf32.exeDojlhg32.exeEifffoob.exeEhkcgkdj.exeEoekde32.exeEohhie32.exeEedmlo32.exeEoladdeo.exeFibfbm32.exeFoonjd32.exeFpnkdfko.exeFofdkcmd.exeGedfblql.exeGheodg32.exeGgfobofl.exeGcmpgpkp.exeHfniikha.exeHjlaoioh.exeHohjgpmo.exeHhckeeam.exeHqjcgbbo.exeIoppho32.exeIqaiga32.exeIgkadlcd.exeImhjlb32.exeIcbbimih.exeImjgbb32.exeIoicnn32.exeIiaggc32.exeKjlcmdbb.exeKggjghkd.exeLiifnp32.exeLjoiibbm.exeMpqklh32.exeNjmejp32.exeNmpkakak.exeNdjcne32.exeNkdlkope.exeOknnanhj.exePjjaci32.exePdofpb32.exeQjcdih32.exeAaofedkl.exeAgcdnjcl.exeBgeadjai.exeCebdcmhh.exeDndlba32.exeDioiki32.exe

pid	process
4408	Gcngafol.exe
2788	Mdkabmjf.exe
388	Mgngih32.exe
2428	Nkebee32.exe
1916	Nemchn32.exe
408	Oogdfc32.exe
1672	Oakjnnap.exe
1840	Ogjpld32.exe
4648	Pnhacn32.exe
2544	Pkonbamc.exe
2440	Qnpgdmjd.exe
2724	Abbiej32.exe
2884	Bkadoo32.exe
3948	Belemd32.exe
908	Bkhjpn32.exe
792	Cejaobel.exe
1420	Dbckcf32.exe
3548	Dojlhg32.exe
1692	Eifffoob.exe
456	Ehkcgkdj.exe
4616	Eoekde32.exe
1912	Eohhie32.exe
2248	Eedmlo32.exe
2384	Eoladdeo.exe
2532	Fibfbm32.exe
1264	Foonjd32.exe
3132	Fpnkdfko.exe
4344	Fofdkcmd.exe
2004	Gedfblql.exe
4756	Gheodg32.exe
2188	Ggfobofl.exe
1968	Gcmpgpkp.exe
4076	Hfniikha.exe
3720	Hjlaoioh.exe
4960	Hohjgpmo.exe
3372	Hhckeeam.exe
984	Hqjcgbbo.exe
1904	Ioppho32.exe
4184	Iqaiga32.exe
2260	Igkadlcd.exe
4664	Imhjlb32.exe
1632	Icbbimih.exe
3060	Imjgbb32.exe
2324	Ioicnn32.exe
3840	Iiaggc32.exe
3960	Kjlcmdbb.exe
3940	Kggjghkd.exe
4628	Liifnp32.exe
3136	Ljoiibbm.exe
3752	Mpqklh32.exe
4252	Njmejp32.exe
940	Nmpkakak.exe
4160	Ndjcne32.exe
2336	Nkdlkope.exe
5012	Oknnanhj.exe
4364	Pjjaci32.exe
2108	Pdofpb32.exe
1544	Qjcdih32.exe
3552	Aaofedkl.exe
4720	Agcdnjcl.exe
2784	Bgeadjai.exe
3832	Cebdcmhh.exe
4728	Dndlba32.exe
5004	Dioiki32.exe

Drops file in System32 directory 64 IoCs

Processes:

2304749f98d01d72c6b0fde173e1784c.exeEifffoob.exeHhckeeam.exePjjaci32.exeEoekde32.exeFibfbm32.exeIoicnn32.exeHfniikha.exeNjmejp32.exeDojlhg32.exeIgkadlcd.exeIcbbimih.exeCebdcmhh.exeIoppho32.exeDioiki32.exeNkdlkope.exeOknnanhj.exePkonbamc.exeGheodg32.exePdofpb32.exeAaofedkl.exeDalkek32.exeNdjcne32.exeMdkabmjf.exeEohhie32.exeAbbiej32.exeIqaiga32.exeFpnkdfko.exeQnpgdmjd.exeLjoiibbm.exeHjlaoioh.exeBkadoo32.exeEhkcgkdj.exeAgcdnjcl.exeGcngafol.exeGcmpgpkp.exeBelemd32.exeEoladdeo.exeDbbdip32.exeNmpkakak.exeEedmlo32.exeMgngih32.exeOogdfc32.exeDbckcf32.exeMpqklh32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Gcngafol.exe	2304749f98d01d72c6b0fde173e1784c.exe
File created	C:\Windows\SysWOW64\Ehkcgkdj.exe	Eifffoob.exe
File created	C:\Windows\SysWOW64\Hqjcgbbo.exe	Hhckeeam.exe
File created	C:\Windows\SysWOW64\Pdofpb32.exe	Pjjaci32.exe
File opened for modification	C:\Windows\SysWOW64\Eohhie32.exe	Eoekde32.exe
File created	C:\Windows\SysWOW64\Dngnaa32.dll	Fibfbm32.exe
File created	C:\Windows\SysWOW64\Qeikficp.dll	Ioicnn32.exe
File created	C:\Windows\SysWOW64\Hgnlgdfg.dll	Hfniikha.exe
File created	C:\Windows\SysWOW64\Oakojnlp.dll	Njmejp32.exe
File created	C:\Windows\SysWOW64\Cjkjpdog.dll	Dojlhg32.exe
File opened for modification	C:\Windows\SysWOW64\Imhjlb32.exe	Igkadlcd.exe
File created	C:\Windows\SysWOW64\Imjgbb32.exe	Icbbimih.exe
File created	C:\Windows\SysWOW64\Dhiljk32.dll	Hhckeeam.exe
File opened for modification	C:\Windows\SysWOW64\Dndlba32.exe	Cebdcmhh.exe
File opened for modification	C:\Windows\SysWOW64\Iqaiga32.exe	Ioppho32.exe
File opened for modification	C:\Windows\SysWOW64\Dalkek32.exe	Dioiki32.exe
File created	C:\Windows\SysWOW64\Bilflj32.dll	Dioiki32.exe
File created	C:\Windows\SysWOW64\Oknnanhj.exe	Nkdlkope.exe
File created	C:\Windows\SysWOW64\Ghlbcolh.dll	Oknnanhj.exe
File opened for modification	C:\Windows\SysWOW64\Qnpgdmjd.exe	Pkonbamc.exe
File opened for modification	C:\Windows\SysWOW64\Foonjd32.exe	Fibfbm32.exe
File created	C:\Windows\SysWOW64\Ggfobofl.exe	Gheodg32.exe
File opened for modification	C:\Windows\SysWOW64\Qjcdih32.exe	Pdofpb32.exe
File created	C:\Windows\SysWOW64\Agcdnjcl.exe	Aaofedkl.exe
File created	C:\Windows\SysWOW64\Apleaenp.dll	Dalkek32.exe
File opened for modification	C:\Windows\SysWOW64\Imjgbb32.exe	Icbbimih.exe
File created	C:\Windows\SysWOW64\Oohcle32.dll	Ndjcne32.exe
File created	C:\Windows\SysWOW64\Mgngih32.exe	Mdkabmjf.exe
File opened for modification	C:\Windows\SysWOW64\Ehkcgkdj.exe	Eifffoob.exe
File created	C:\Windows\SysWOW64\Phiaee32.dll	Eohhie32.exe
File opened for modification	C:\Windows\SysWOW64\Bkadoo32.exe	Abbiej32.exe
File created	C:\Windows\SysWOW64\Clnkig32.dll	Iqaiga32.exe
File opened for modification	C:\Windows\SysWOW64\Fofdkcmd.exe	Fpnkdfko.exe
File created	C:\Windows\SysWOW64\Jibdpo32.dll	Cebdcmhh.exe
File opened for modification	C:\Windows\SysWOW64\Oknnanhj.exe	Nkdlkope.exe
File opened for modification	C:\Windows\SysWOW64\Abbiej32.exe	Qnpgdmjd.exe
File created	C:\Windows\SysWOW64\Eedmlo32.exe	Eohhie32.exe
File created	C:\Windows\SysWOW64\Jgqfbo32.dll	Ljoiibbm.exe
File created	C:\Windows\SysWOW64\Hgbhfhcl.dll	Hjlaoioh.exe
File opened for modification	C:\Windows\SysWOW64\Belemd32.exe	Bkadoo32.exe
File created	C:\Windows\SysWOW64\Beefhclj.dll	Ehkcgkdj.exe
File created	C:\Windows\SysWOW64\Bgeadjai.exe	Agcdnjcl.exe
File created	C:\Windows\SysWOW64\Mdkabmjf.exe	Gcngafol.exe
File created	C:\Windows\SysWOW64\Dndlba32.exe	Cebdcmhh.exe
File created	C:\Windows\SysWOW64\Bkadoo32.exe	Abbiej32.exe
File created	C:\Windows\SysWOW64\Hfniikha.exe	Gcmpgpkp.exe
File created	C:\Windows\SysWOW64\Hohjgpmo.exe	Hjlaoioh.exe
File created	C:\Windows\SysWOW64\Lmhhbnla.dll	Belemd32.exe
File created	C:\Windows\SysWOW64\Eifffoob.exe	Dojlhg32.exe
File opened for modification	C:\Windows\SysWOW64\Fibfbm32.exe	Eoladdeo.exe
File created	C:\Windows\SysWOW64\Dioiki32.exe	Dbbdip32.exe
File opened for modification	C:\Windows\SysWOW64\Ndjcne32.exe	Nmpkakak.exe
File created	C:\Windows\SysWOW64\Eoladdeo.exe	Eedmlo32.exe
File opened for modification	C:\Windows\SysWOW64\Nkebee32.exe	Mgngih32.exe
File opened for modification	C:\Windows\SysWOW64\Oakjnnap.exe	Oogdfc32.exe
File created	C:\Windows\SysWOW64\Ndjcne32.exe	Nmpkakak.exe
File created	C:\Windows\SysWOW64\Fnknkkci.dll	Nkdlkope.exe
File opened for modification	C:\Windows\SysWOW64\Dojlhg32.exe	Dbckcf32.exe
File opened for modification	C:\Windows\SysWOW64\Eoladdeo.exe	Eedmlo32.exe
File created	C:\Windows\SysWOW64\Nmpkakak.exe	Njmejp32.exe
File opened for modification	C:\Windows\SysWOW64\Njmejp32.exe	Mpqklh32.exe
File opened for modification	C:\Windows\SysWOW64\Eldlhckj.exe	Dalkek32.exe
File created	C:\Windows\SysWOW64\Qbaqaamj.dll	Mdkabmjf.exe
File created	C:\Windows\SysWOW64\Pnkehf32.dll	Dbckcf32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5180 4168 WerFault.exe Eldlhckj.exe

pid	pid_target	process	target process
5180	4168	WerFault.exe	Eldlhckj.exe

Modifies registry class 64 IoCs

Processes:

Eohhie32.exeGgfobofl.exeGcmpgpkp.exeLjoiibbm.exeBelemd32.exePkonbamc.exeCejaobel.exeImjgbb32.exeMdkabmjf.exeOakjnnap.exeAbbiej32.exeGedfblql.exeGheodg32.exeKggjghkd.exeAaofedkl.exeNkebee32.exeHqjcgbbo.exeDojlhg32.exePnhacn32.exeHfniikha.exeHjlaoioh.exeIoppho32.exeIiaggc32.exeOogdfc32.exeAgcdnjcl.exeOgjpld32.exeEoekde32.exe2304749f98d01d72c6b0fde173e1784c.exePdofpb32.exeDndlba32.exeHohjgpmo.exeIgkadlcd.exeMpqklh32.exeGcngafol.exeNkdlkope.exeBgeadjai.exePjjaci32.exeHhckeeam.exeCebdcmhh.exeEedmlo32.exeDioiki32.exeDbbdip32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eohhie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ggfobofl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gcmpgpkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljoiibbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmhhbnla.dll"	Belemd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkonbamc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Belemd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cejaobel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imjgbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbaqaamj.dll"	Mdkabmjf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oakjnnap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldacnaoi.dll"	Pkonbamc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abbiej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gedfblql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlccpl32.dll"	Gheodg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kggjghkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efnieaef.dll"	Aaofedkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkebee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfebnlgm.dll"	Hqjcgbbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjkjpdog.dll"	Dojlhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oakjnnap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnhacn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfniikha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjlaoioh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cngjjm32.dll"	Ioppho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjdohcjh.dll"	Iiaggc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oogdfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgokfblh.dll"	Cejaobel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hqjcgbbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ioppho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agcdnjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piffmfnj.dll"	Ogjpld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eoekde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gheodg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2304749f98d01d72c6b0fde173e1784c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdofpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hfniikha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoflodqh.dll"	Dndlba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gedfblql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogjpld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfdaao32.dll"	Hohjgpmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickihp32.dll"	Igkadlcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amnioced.dll"	Mpqklh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcngafol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Belemd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkmpjb32.dll"	Eoekde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnknkkci.dll"	Nkdlkope.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogjpld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgeadjai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjjaci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdkabmjf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hhckeeam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jibdpo32.dll"	Cebdcmhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eedmlo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Igkadlcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kggjghkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dioiki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdkabmjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgnlgdfg.dll"	Hfniikha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dbbdip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfpjjnpk.dll"	Eedmlo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eoekde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjlaoioh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gcngafol.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2304749f98d01d72c6b0fde173e1784c.exeGcngafol.exeMdkabmjf.exeMgngih32.exeNkebee32.exeNemchn32.exeOogdfc32.exeOakjnnap.exeOgjpld32.exePnhacn32.exePkonbamc.exeQnpgdmjd.exeAbbiej32.exeBkadoo32.exeBelemd32.exeBkhjpn32.exeCejaobel.exeDbckcf32.exeDojlhg32.exeEifffoob.exeEhkcgkdj.exeEoekde32.exe

description	pid	process	target process
PID 956 wrote to memory of 4408	956	2304749f98d01d72c6b0fde173e1784c.exe	Gcngafol.exe
PID 956 wrote to memory of 4408	956	2304749f98d01d72c6b0fde173e1784c.exe	Gcngafol.exe
PID 956 wrote to memory of 4408	956	2304749f98d01d72c6b0fde173e1784c.exe	Gcngafol.exe
PID 4408 wrote to memory of 2788	4408	Gcngafol.exe	Mdkabmjf.exe
PID 4408 wrote to memory of 2788	4408	Gcngafol.exe	Mdkabmjf.exe
PID 4408 wrote to memory of 2788	4408	Gcngafol.exe	Mdkabmjf.exe
PID 2788 wrote to memory of 388	2788	Mdkabmjf.exe	Mgngih32.exe
PID 2788 wrote to memory of 388	2788	Mdkabmjf.exe	Mgngih32.exe
PID 2788 wrote to memory of 388	2788	Mdkabmjf.exe	Mgngih32.exe
PID 388 wrote to memory of 2428	388	Mgngih32.exe	Nkebee32.exe
PID 388 wrote to memory of 2428	388	Mgngih32.exe	Nkebee32.exe
PID 388 wrote to memory of 2428	388	Mgngih32.exe	Nkebee32.exe
PID 2428 wrote to memory of 1916	2428	Nkebee32.exe	Nemchn32.exe
PID 2428 wrote to memory of 1916	2428	Nkebee32.exe	Nemchn32.exe
PID 2428 wrote to memory of 1916	2428	Nkebee32.exe	Nemchn32.exe
PID 1916 wrote to memory of 408	1916	Nemchn32.exe	Oogdfc32.exe
PID 1916 wrote to memory of 408	1916	Nemchn32.exe	Oogdfc32.exe
PID 1916 wrote to memory of 408	1916	Nemchn32.exe	Oogdfc32.exe
PID 408 wrote to memory of 1672	408	Oogdfc32.exe	Oakjnnap.exe
PID 408 wrote to memory of 1672	408	Oogdfc32.exe	Oakjnnap.exe
PID 408 wrote to memory of 1672	408	Oogdfc32.exe	Oakjnnap.exe
PID 1672 wrote to memory of 1840	1672	Oakjnnap.exe	Ogjpld32.exe
PID 1672 wrote to memory of 1840	1672	Oakjnnap.exe	Ogjpld32.exe
PID 1672 wrote to memory of 1840	1672	Oakjnnap.exe	Ogjpld32.exe
PID 1840 wrote to memory of 4648	1840	Ogjpld32.exe	Pnhacn32.exe
PID 1840 wrote to memory of 4648	1840	Ogjpld32.exe	Pnhacn32.exe
PID 1840 wrote to memory of 4648	1840	Ogjpld32.exe	Pnhacn32.exe
PID 4648 wrote to memory of 2544	4648	Pnhacn32.exe	Pkonbamc.exe
PID 4648 wrote to memory of 2544	4648	Pnhacn32.exe	Pkonbamc.exe
PID 4648 wrote to memory of 2544	4648	Pnhacn32.exe	Pkonbamc.exe
PID 2544 wrote to memory of 2440	2544	Pkonbamc.exe	Qnpgdmjd.exe
PID 2544 wrote to memory of 2440	2544	Pkonbamc.exe	Qnpgdmjd.exe
PID 2544 wrote to memory of 2440	2544	Pkonbamc.exe	Qnpgdmjd.exe
PID 2440 wrote to memory of 2724	2440	Qnpgdmjd.exe	Abbiej32.exe
PID 2440 wrote to memory of 2724	2440	Qnpgdmjd.exe	Abbiej32.exe
PID 2440 wrote to memory of 2724	2440	Qnpgdmjd.exe	Abbiej32.exe
PID 2724 wrote to memory of 2884	2724	Abbiej32.exe	Bkadoo32.exe
PID 2724 wrote to memory of 2884	2724	Abbiej32.exe	Bkadoo32.exe
PID 2724 wrote to memory of 2884	2724	Abbiej32.exe	Bkadoo32.exe
PID 2884 wrote to memory of 3948	2884	Bkadoo32.exe	Belemd32.exe
PID 2884 wrote to memory of 3948	2884	Bkadoo32.exe	Belemd32.exe
PID 2884 wrote to memory of 3948	2884	Bkadoo32.exe	Belemd32.exe
PID 3948 wrote to memory of 908	3948	Belemd32.exe	Bkhjpn32.exe
PID 3948 wrote to memory of 908	3948	Belemd32.exe	Bkhjpn32.exe
PID 3948 wrote to memory of 908	3948	Belemd32.exe	Bkhjpn32.exe
PID 908 wrote to memory of 792	908	Bkhjpn32.exe	Cejaobel.exe
PID 908 wrote to memory of 792	908	Bkhjpn32.exe	Cejaobel.exe
PID 908 wrote to memory of 792	908	Bkhjpn32.exe	Cejaobel.exe
PID 792 wrote to memory of 1420	792	Cejaobel.exe	Dbckcf32.exe
PID 792 wrote to memory of 1420	792	Cejaobel.exe	Dbckcf32.exe
PID 792 wrote to memory of 1420	792	Cejaobel.exe	Dbckcf32.exe
PID 1420 wrote to memory of 3548	1420	Dbckcf32.exe	Dojlhg32.exe
PID 1420 wrote to memory of 3548	1420	Dbckcf32.exe	Dojlhg32.exe
PID 1420 wrote to memory of 3548	1420	Dbckcf32.exe	Dojlhg32.exe
PID 3548 wrote to memory of 1692	3548	Dojlhg32.exe	Eifffoob.exe
PID 3548 wrote to memory of 1692	3548	Dojlhg32.exe	Eifffoob.exe
PID 3548 wrote to memory of 1692	3548	Dojlhg32.exe	Eifffoob.exe
PID 1692 wrote to memory of 456	1692	Eifffoob.exe	Ehkcgkdj.exe
PID 1692 wrote to memory of 456	1692	Eifffoob.exe	Ehkcgkdj.exe
PID 1692 wrote to memory of 456	1692	Eifffoob.exe	Ehkcgkdj.exe
PID 456 wrote to memory of 4616	456	Ehkcgkdj.exe	Eoekde32.exe
PID 456 wrote to memory of 4616	456	Ehkcgkdj.exe	Eoekde32.exe
PID 456 wrote to memory of 4616	456	Ehkcgkdj.exe	Eoekde32.exe
PID 4616 wrote to memory of 1912	4616	Eoekde32.exe	Eohhie32.exe

C:\Users\Admin\AppData\Local\Temp\2304749f98d01d72c6b0fde173e1784c.exe
"C:\Users\Admin\AppData\Local\Temp\2304749f98d01d72c6b0fde173e1784c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\SysWOW64\Gcngafol.exe
  C:\Windows\system32\Gcngafol.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Windows\SysWOW64\Mdkabmjf.exe
    C:\Windows\system32\Mdkabmjf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\Mgngih32.exe
      C:\Windows\system32\Mgngih32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:388
    - - C:\Windows\SysWOW64\Nkebee32.exe
        
        C:\Windows\system32\Nkebee32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
      - C:\Windows\SysWOW64\Nemchn32.exe
        
        C:\Windows\system32\Nemchn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Oogdfc32.exe
        
        C:\Windows\system32\Oogdfc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\Oakjnnap.exe
        
        C:\Windows\system32\Oakjnnap.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Ogjpld32.exe
        
        C:\Windows\system32\Ogjpld32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\Pnhacn32.exe
        
        C:\Windows\system32\Pnhacn32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\Pkonbamc.exe
        
        C:\Windows\system32\Pkonbamc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Qnpgdmjd.exe
        
        C:\Windows\system32\Qnpgdmjd.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Abbiej32.exe
        
        C:\Windows\system32\Abbiej32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Bkadoo32.exe
        
        C:\Windows\system32\Bkadoo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Belemd32.exe
        
        C:\Windows\system32\Belemd32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Bkhjpn32.exe
        
        C:\Windows\system32\Bkhjpn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\SysWOW64\Cejaobel.exe
        
        C:\Windows\system32\Cejaobel.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\SysWOW64\Dbckcf32.exe
        
        C:\Windows\system32\Dbckcf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\SysWOW64\Dojlhg32.exe
        
        C:\Windows\system32\Dojlhg32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Eifffoob.exe
        
        C:\Windows\system32\Eifffoob.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Ehkcgkdj.exe
        
        C:\Windows\system32\Ehkcgkdj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Eoekde32.exe
        
        C:\Windows\system32\Eoekde32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Eohhie32.exe
        
        C:\Windows\system32\Eohhie32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Eedmlo32.exe
        
        C:\Windows\system32\Eedmlo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Eoladdeo.exe
        
        C:\Windows\system32\Eoladdeo.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2384
        
        C:\Windows\SysWOW64\Fibfbm32.exe
        
        C:\Windows\system32\Fibfbm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2532
        
        C:\Windows\SysWOW64\Foonjd32.exe
        
        C:\Windows\system32\Foonjd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1264
        
        C:\Windows\SysWOW64\Fpnkdfko.exe
        
        C:\Windows\system32\Fpnkdfko.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3132
        
        C:\Windows\SysWOW64\Fofdkcmd.exe
        
        C:\Windows\system32\Fofdkcmd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4344
        
        C:\Windows\SysWOW64\Gedfblql.exe
        
        C:\Windows\system32\Gedfblql.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Gheodg32.exe
        
        C:\Windows\system32\Gheodg32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Ggfobofl.exe
        
        C:\Windows\system32\Ggfobofl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Gcmpgpkp.exe
        
        C:\Windows\system32\Gcmpgpkp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Hfniikha.exe
        
        C:\Windows\system32\Hfniikha.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Hjlaoioh.exe
        
        C:\Windows\system32\Hjlaoioh.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3720
        
        C:\Windows\SysWOW64\Hohjgpmo.exe
        
        C:\Windows\system32\Hohjgpmo.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Hhckeeam.exe
        
        C:\Windows\system32\Hhckeeam.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Hqjcgbbo.exe
        
        C:\Windows\system32\Hqjcgbbo.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\Ioppho32.exe
        
        C:\Windows\system32\Ioppho32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Iqaiga32.exe
        
        C:\Windows\system32\Iqaiga32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4184
        
        C:\Windows\SysWOW64\Igkadlcd.exe
        
        C:\Windows\system32\Igkadlcd.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Imhjlb32.exe
        
        C:\Windows\system32\Imhjlb32.exe
        42⤵
        Executes dropped EXE
        
        PID:4664
        
        C:\Windows\SysWOW64\Icbbimih.exe
        
        C:\Windows\system32\Icbbimih.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1632
        
        C:\Windows\SysWOW64\Imjgbb32.exe
        
        C:\Windows\system32\Imjgbb32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Ioicnn32.exe
        
        C:\Windows\system32\Ioicnn32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\Iiaggc32.exe
        
        C:\Windows\system32\Iiaggc32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Kjlcmdbb.exe
        
        C:\Windows\system32\Kjlcmdbb.exe
        47⤵
        Executes dropped EXE
        
        PID:3960
        
        C:\Windows\SysWOW64\Kggjghkd.exe
        
        C:\Windows\system32\Kggjghkd.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Liifnp32.exe
        
        C:\Windows\system32\Liifnp32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4628
        
        C:\Windows\SysWOW64\Ljoiibbm.exe
        
        C:\Windows\system32\Ljoiibbm.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Mpqklh32.exe
        
        C:\Windows\system32\Mpqklh32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Njmejp32.exe
        
        C:\Windows\system32\Njmejp32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4252
        
        C:\Windows\SysWOW64\Nmpkakak.exe
        
        C:\Windows\system32\Nmpkakak.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:940
        
        C:\Windows\SysWOW64\Ndjcne32.exe
        
        C:\Windows\system32\Ndjcne32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4160
        
        C:\Windows\SysWOW64\Nkdlkope.exe
        
        C:\Windows\system32\Nkdlkope.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Oknnanhj.exe
        
        C:\Windows\system32\Oknnanhj.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5012
        
        C:\Windows\SysWOW64\Pjjaci32.exe
        
        C:\Windows\system32\Pjjaci32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Pdofpb32.exe
        
        C:\Windows\system32\Pdofpb32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Qjcdih32.exe
        
        C:\Windows\system32\Qjcdih32.exe
        59⤵
        Executes dropped EXE
        
        PID:1544
        
        C:\Windows\SysWOW64\Aaofedkl.exe
        
        C:\Windows\system32\Aaofedkl.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Agcdnjcl.exe
        
        C:\Windows\system32\Agcdnjcl.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Bgeadjai.exe
        
        C:\Windows\system32\Bgeadjai.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Cebdcmhh.exe
        
        C:\Windows\system32\Cebdcmhh.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Dndlba32.exe
        
        C:\Windows\system32\Dndlba32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Dbbdip32.exe
        
        C:\Windows\system32\Dbbdip32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Dioiki32.exe
        
        C:\Windows\system32\Dioiki32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Dalkek32.exe
        
        C:\Windows\system32\Dalkek32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2032
        
        C:\Windows\SysWOW64\Eldlhckj.exe
        
        C:\Windows\system32\Eldlhckj.exe
        68⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 412
        69⤵
        Program crash
        
        PID:5180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4060 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4168 -ip 4168
1⤵
PID:5124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abbiej32.exe

Filesize
128KB

MD5
441711a5ceccb230fea54417ae11b1c3

SHA1
40ba2f4022ea4df8fc49635e3e7bf0ece4bb007b

SHA256
4283d044ef65e8f9d4b060b231218fd7a3f2441b77c620827507a458cf5c4eca

SHA512
c0377e6494436643d0957dd65fd93f2badefdf55eb0ab04b2e9508c3a78b7c45244e45365d368ad4b30e8523b2b94aa26e3c7abe18ddd806838285cf52fec6c8

Download Submit
C:\Windows\SysWOW64\Belemd32.exe

Filesize
128KB

MD5
cf653644d4d665fbb1f1b95f6b20c2b0

SHA1
b53c458f357320cb2738a83cb793538631e47a48

SHA256
17d774dfedd44c7e7322d8c64516c933a2a8acb09af380d43fa21cb149a87f66

SHA512
41c135148b510966ec10d35ffb8459861bde45169b54289a1d474efbfc9c781b938c7ac85c0ef7534e76db1af9d94ebbee92b814d4c9670e43e66fbe14621393

Download Submit
C:\Windows\SysWOW64\Bgeadjai.exe

Filesize
128KB

MD5
1d9c20668b39d77e0f5a79a0bcd068e7

SHA1
a85c5e8b23c33c141b93210aec95d5a543b8b23a

SHA256
4584f717c9e96037a44f5a3479d74d4d0c9caf326263c759aa8df40b574ff4b6

SHA512
f1075b227b042c6b6ae279adcf8e2ffdeff1f249952df4d6912b60a996ace2c1fee43a688260f8388ca86b4076e077d181d5c50e2e6186548948625f340b22d1

Download Submit
C:\Windows\SysWOW64\Bkadoo32.exe

Filesize
128KB

MD5
06de124e6392a7db6220d5a4c9b57f4d

SHA1
b2bad314c1b7021c8edbb2e1a23b5ebbdfbb2e19

SHA256
9119ec30d2a036bdf2c6b9d4e857be412a4cd3cbc86cd68f136536214ccc2cd5

SHA512
0081f364cc48091682834d80e9660687aa80626c74564026c2437fd944d24e6a214bd53da841139c042117cfcbd6571c454f7ab1c71cef28b67434dc8d9cc9db

Download Submit
C:\Windows\SysWOW64\Bkadoo32.exe

Filesize
128KB

MD5
52dd84d9a9c90790fe926b30e7bae5d7

SHA1
09ed3283b7067566695e3bf479fc33c4062913f2

SHA256
429928200eb47c4bf935bc1af2bc8ad9606d0bf83d14d55ed2643a6babf4c608

SHA512
0bdc8853416b25ec566ae35e28380591f4dff3c24c40afeb5f831fa286124477f6b4e4d4d9380e6f2caab700df5ea8076b8329e72785a7fa700227d138f77116

Download Submit
C:\Windows\SysWOW64\Bkhjpn32.exe

Filesize
128KB

MD5
6c4e1c3d28e48fa09e989f24e036aee2

SHA1
bcf98b0831c504ebd4825380a1f2704702a4588b

SHA256
5ae5c1474b803f3b0684940082ff23d4cda908112df5bedbc380bf600494fe77

SHA512
9690c62354f780f4290df49bb5e723e7271172d492b66e600b7fbc5d90fe1ea14a154828c53d9648a0a22608183b59220f86cac957a71afe514d480b7bb259e5

Download Submit
C:\Windows\SysWOW64\Cejaobel.exe

Filesize
128KB

MD5
d45be9225cc594f7befec6855b8e9dbe

SHA1
466b5c1d549804f802b9a1a64b8c644ed0383a76

SHA256
fd85ea781309459a9ab6d06277f60a17e0b3e54420467b945f2d37de96ece1b0

SHA512
4041470b5f640ce3adc1eb5c14b1fa704dceb144b3dc063bea250c0f97511c69867bf0ac3a63e918ae4befd80db98b7e3d3f76e34399a3108a966b8fb9532b32

Download Submit
C:\Windows\SysWOW64\Dbckcf32.exe

Filesize
128KB

MD5
2b3d146c5f4435b9feab823aed46d9fa

SHA1
1e36c6c145ac96e8819228bc1145418f0753dd27

SHA256
4612ca4f68c13f83eb64ff6932991bb591728e14c1c36b73feac10b684317b73

SHA512
58bb6f0a89d122e6e9514e1b213871767936e14b1a4067a8ea6597e97b2b67329d67bdfc07a5a78f9edac2c9043bdb4866fe3a29ef70b1aad7701aa7fa7affb6

Download Submit
C:\Windows\SysWOW64\Dojlhg32.exe

Filesize
128KB

MD5
a61ed3fa4aeb4def0988b4339c1d2c5a

SHA1
09d85017b60568a697943c0df9f50b2c21db3083

SHA256
0aaa25d3a1785fb08bd75709ebc267f643fda9825fab4c1cc650459d9c373f5f

SHA512
06bc2a246ed67a35800930f66f8b42197166ec1cb97ca9917e17cef82e0cb9ceced2264ab16e84d3320f992f66195dbafc0bc4235b80781882272355bd19f2d0

Download Submit
C:\Windows\SysWOW64\Dojlhg32.exe

Filesize
128KB

MD5
768527b564a6ad9eed150c991f61ccf4

SHA1
473243daae67bc34d15b72cf22cdb85285308a53

SHA256
4d9a2148f16374a4c4b8db92d57decfb547cf1a61bfbb9751bd8a5386cfe14b8

SHA512
77268903e59b3b994b4aff27d6a9f23bbe180fc65740dcff75ee0348390e841816108f171300e32bc0640e528bdf00f4449b40ff27975daa9b57556836ee0432

Download Submit
C:\Windows\SysWOW64\Ecgjjo32.dll

Filesize
7KB

MD5
692f6111ef8f1861463c177083fac68e

SHA1
69e539fcb37df9521d53a00451b256ef60223925

SHA256
b31346d69f87b28cc658049bb76f60f235c5ee52f5ba4572e7a60c62ff41cda5

SHA512
f9a772e528f13dc4222b477cd7cab7ee8b3a52e3ef5e04bdf29b918a18eb9aa113f4c657cbbd43f918a931d4fa750a54782ea6f4113775cfe57158c1f9bd3861

Download Submit
C:\Windows\SysWOW64\Eedmlo32.exe

Filesize
128KB

MD5
dc0e65b6b2c88fa4b85093027656ef66

SHA1
06f9f39f5cf742699ed97bda84176aea7ca0e2ca

SHA256
446055dda971b26085f897af3592e538faad981f86d61c250890fa69740aa968

SHA512
cf57203cfac8d24837edb90a2fbdc28297fc0c3f2779d38f592ffe32a6e748f8e3f10193dc8e2f4ef124c7fe597a04f3de368b33ea4d99bf144b691470959889

Download Submit
C:\Windows\SysWOW64\Ehkcgkdj.exe

Filesize
128KB

MD5
008006080204006efc8c55b021a90186

SHA1
65445b33fdc659120535c0bcb68b47416f099530

SHA256
6945d35b06c1638b614a9940b9b00e55c3f366448329156aaa34d3a1bdda9102

SHA512
e75cd76cb831933ed1f4cfda696a82f2b45d69013244431baae77e9839a2b18eb8b339e45262610efa99c23aa90a5dadadd89aeaff2f27ec9b2c71d435c60863

Download Submit
C:\Windows\SysWOW64\Eifffoob.exe

Filesize
128KB

MD5
69000e22a2b065b39463c53998dd2a71

SHA1
1266a939867d330d6b1fb5838e5ad1d8879c6de6

SHA256
b570ec2ea7bd6134afabc4e137a9fdf15b75b1d141a0fdee144dbf2f1beb8443

SHA512
3596b68841339034a4eca0508a51359658e9006d812dfdeeb24f7cab1a247311254bff065dc95be8d9c83c141763ebf14d9c8c7f176a166b5eba51cec989a757

Download Submit
C:\Windows\SysWOW64\Eoekde32.exe

Filesize
128KB

MD5
98407e6e5ee86c0d659ffed31f670196

SHA1
676f209fa1358b664c163462cabb134f20034514

SHA256
948e0564e84be3908c55b91fe30b68ab5ebd9bcd4702534cab4d2b596e9a7fa7

SHA512
cd8e509686003ccc6ca2c900a794338fe93a89da835a8bfe7e17448203329d5406c6a9000adde98261b85713f0d337aa3c1c7c9cdfaf87adf6487490b6109620

Download Submit
C:\Windows\SysWOW64\Eohhie32.exe

Filesize
128KB

MD5
202dba4ee0c662ce1b049560de806d4c

SHA1
e3f03df96421cd3a69a50fef0f856fde29543393

SHA256
5172690c287b86f07d8999d8096ae069ba5d14dc5517d13106e134cb32d6ba57

SHA512
395434bf474ae344ed650fde0d0166c82e69b37f627ebf3a628f18b35e0b59e85ee482b02dab4ec7a759eb7dce05d8f6a603999d83c4177dc163637686c7e9ef

Download Submit
C:\Windows\SysWOW64\Eoladdeo.exe

Filesize
128KB

MD5
fa8b5918df9589fd8d868f332ad8203a

SHA1
5f93f4f44f735d9ddf07d9606f3007e770ac9207

SHA256
cfea6c8fa6a6de397f87ae0b2f7a9a74297488061cd15e50269f9212bf5c0fd0

SHA512
222d55b679932267273a63c57fac7d9522a07acabf393d5573254b72bc0f068ead744ebc55b97985105168fbd7118d428eea99005baa1f440131e32eed1e0f65

Download Submit
C:\Windows\SysWOW64\Eoladdeo.exe

Filesize
128KB

MD5
e53b7c1e5e31ef7ed6d237a365269be8

SHA1
c24b1c295c211eb0a2fd92ff6745a55226225c8f

SHA256
07427a54f23dd5f58b91562dfeceded49a86715fc5928be8b099c2c610c2caba

SHA512
1574c56d5164ea5290ffd20adf3a64e47145799a7eafd656a2353cc3d17cbb825b453267d0b66e91d3ce863e1c91dab9975990b7f67c181c007ec01d76068690

Download Submit
C:\Windows\SysWOW64\Fibfbm32.exe

Filesize
128KB

MD5
09db9bc02509108cbe549e7bf5e37712

SHA1
bcfcb519222b4c3cfbcdeaaa6887a664c71a9a03

SHA256
957eb9c894d2b0578881ab69eb5e0da68f8b2e870aed479e83b9f64e3167b718

SHA512
7d3055da74f277785f5ddeb58369adb2fc690260be72fa79380334eec258a201ab0f1332f760822ffecaa126a4d61f219e1769a8f880348a830c5224b9adeed7

Download Submit
C:\Windows\SysWOW64\Fofdkcmd.exe

Filesize
128KB

MD5
ba33f3f5e0bd0769b356ea062750c056

SHA1
65a5ca16663c1d44dc6441106b8951b7e04cdae8

SHA256
748ffac92a07ce845bcaa43985f9baa91a904d0cc088aa4e1986a2fe081c793d

SHA512
a2fcac2303d94edc2ea5a42e834b4e3ae1d9fbeaa306ffa18d7e554d289eb35c2c16e9282f0c430bfeae9928cd2d85e2ceed715275807c85ae8b38b9a3ed7c7e

Download Submit
C:\Windows\SysWOW64\Foonjd32.exe

Filesize
128KB

MD5
63897bd78364510c6deec26fe23015c3

SHA1
e5a73868185fb767ef46c2117f41b8e426009eeb

SHA256
e49722847ad298ef15e9bb92ddeba33313f64cb4e98246cf23b09bcc21a7926f

SHA512
dad5b6175fc53ab589060f946257bc1475614aa529501d172c528f4a2974ccb99b4374e82780fd3986e9bd20b492db706d791537441876a2e6a164e791d3848f

Download Submit
C:\Windows\SysWOW64\Fpnkdfko.exe

Filesize
128KB

MD5
c88b38945f49b85886f149ccc7d2dbd3

SHA1
c870183a69c2b8a7c01ed0e96f50123fdd08073c

SHA256
169862c1ad7ff63bfd245c72bbf0a12ecca65dca05490b74a4e610ff20113295

SHA512
e9fe8bd3663575040aa01dff0578db0797f473728827b4758c7e4d54dee276d5f7787f973eeb76b48512328560603fac7ad73c317ac6917406454c07da34f7ca

Download Submit
C:\Windows\SysWOW64\Gcmpgpkp.exe

Filesize
128KB

MD5
b5a52d23546710ad78a12730abfb2acf

SHA1
45c19668761a790e403dc1b4dd77156ad958b489

SHA256
7d0130a06305da4abbb68087f60a107c0b90aee559d85602070c29c266dce925

SHA512
bc41be75ab3d875ba91bb820e45aabb991a703754d8fcbb2c18e5c19ed5e02c48f4cc13f97af05f3048a734eb0506f03d2d978d23db525cac2fadaa42dd85e98

Download Submit
C:\Windows\SysWOW64\Gcngafol.exe

Filesize
128KB

MD5
47f5e39f1a17330d6eb781d448bdbae5

SHA1
244b33ee81556d420045671855bac43eefa1f7a9

SHA256
52434e14a5b5783454f14954bcaecc9a22bbfda1c8a40b623a01691e8cbee59b

SHA512
d2908313b60ca3d2e53acb1dae14c5d3b6f38768baf034e305faad17b00709961cce36fe9d46fc6abf2f252afac7ccfd7f46e8d90cd750f88f61562d6c8ee53b

Download Submit
C:\Windows\SysWOW64\Gedfblql.exe

Filesize
128KB

MD5
6d4c1aa6c9143ca1d1bff8de48aa96ba

SHA1
ceb4b7913c7ca4c08ddb9cc698eb54d4efdba378

SHA256
a99ca5d171c92b3b73a29e82ca81abf433cc8864ebf7fb3ab0e18cd89c88b0b9

SHA512
11e628d9163cf66db5fa77e5c62759294bbc12068f1ceb96cee8d8e35f7082e0e97f419ad0986c0f58ef4110fdb500081d8650a7d620b238c4498235359562c4

Download Submit
C:\Windows\SysWOW64\Ggfobofl.exe

Filesize
128KB

MD5
07566bd99b25d43b76bd99e49ff33b7b

SHA1
6f0bee41a7d4ea00cc1c0e99b8ffe00773796024

SHA256
8c000784b0f2c67b78908a827fabd370ab32180b08d51f4ce624ce3bcb40df21

SHA512
30d864b09b1482e91bb7701c30f2d1fc039cb53057a459bad717e83459070708bfddfb3ea53fbee334e98d142de58face8fe2cdc396926bd861fa1c535ff2ad7

Download Submit
C:\Windows\SysWOW64\Gheodg32.exe

Filesize
128KB

MD5
1e255fee24c1858f06df542be417d63e

SHA1
e31724ee1ae9c53a8c76713d371cd7b58f579769

SHA256
9bb17dd44a774334f029648798bdf443f4d66285ff3d9b0356a81be5e1f3e86f

SHA512
08d95808160730401af23bf6467562eff5f69a8f830e8325cff28841b297dfc41a4999a59ab97b73a914399afa3365921c07b771737927fbacd5d6bc8431ea4d

Download Submit
C:\Windows\SysWOW64\Hfniikha.exe

Filesize
128KB

MD5
7ac34615b587bf897b904826c32d3653

SHA1
34e932ff5b7a9995888c896cc6cbf9a04d816ea0

SHA256
f193ebb6c41b34b47cc396f22308920ddfc55e5481a395510e9ba2613d7ec730

SHA512
40bb03771f27e12000c7c8e6972fea8d46a02e9dfd2c93d0e64e3fe90e67dc4eebf0b38e94926859c3e520746e1640be14deaca8d72922abb036fe6b9981687f

Download Submit
C:\Windows\SysWOW64\Hohjgpmo.exe

Filesize
128KB

MD5
e05c980ecc56c9620592e523f2b38252

SHA1
ca6b97a4dfb188893260b0b9dd611cf252c37caf

SHA256
f2c7855c64ad5d29744ca6e6ef6290e5688ebfffcea6d7551dd9cc78e2025bbf

SHA512
a0bb788135cf78b0372358bf370d02fc0f9badb6e15a8007492c9cefee2906adfb4c8cb192dbdde955cf2baa314f328e42345a8d7fc0388c065a3d44d9e5dbca

Download Submit
C:\Windows\SysWOW64\Hqjcgbbo.exe

Filesize
128KB

MD5
0d2de05ca605dbaffdc91af420c509f6

SHA1
d9df8cb66a558a781897fc639b145a35b7ec6671

SHA256
e6f0f9ba26608df29a9eeb2aa298c6440c6ad3e85e80bfd467c165f69bd81c2d

SHA512
46aa9606fa0766d2f6c4eca1f0ef818945d80d0b1157473241666664124b71c5a3782c1fb357a95c732afc4f02e104e336c45a351434a0bce2550ad6430cd45d

Download Submit
C:\Windows\SysWOW64\Igkadlcd.exe

Filesize
128KB

MD5
aff6296069e356d192e240c0d8c8b1a7

SHA1
b655e83877caf9cc7ebeea5d496262de022ea47f

SHA256
a9e57dd00bd7d687af1cb41c4d810b89e2c76ed3bdb93e178ea1274f3aaaf678

SHA512
10059b21418a550f155e8ed7520738f11b29250cccbcdbbdf9dd69502dc701cf5f74e5de968ebc1bfb627d4cf0b8bb5bd9439edc5ef42403cb2b323101c7b828

Download Submit
C:\Windows\SysWOW64\Iiaggc32.exe

Filesize
128KB

MD5
0201cb3a815492043f6d4d36098eb53a

SHA1
23ea1362afdcece4efbd3d21a3ea9ff53e587c68

SHA256
a2d9a8fe0e7cd4d80d5a5e0dd05a07f9a75363d1a3b1d3972661a4048d02273e

SHA512
1e4e86b621f5e274f597ed102484821c8146b3bb9f044b8b07942bb5127026c6e62d2abf592ea363f548d6a3ae33210fab6dd3dce4485e13caa4008c4baa845c

Download Submit
C:\Windows\SysWOW64\Imjgbb32.exe

Filesize
128KB

MD5
488b37e1cce7e977a4fa42870776078c

SHA1
1e87a6806256dab07583390d55fd77da42a3c51f

SHA256
fe1ed20dee70f7524cb9924aeb5f5e119419826ef6ccb21bab3a4d978cd6c164

SHA512
7bd86cd978f4fac5b517807a47f9d8615d38d1ebe2907ed44e71877093492197fa3525c70dd55b7e5aec02e902f3e5ab6b4c32601cd1d38108a44df76b73245e

Download Submit
C:\Windows\SysWOW64\Mdkabmjf.exe

Filesize
128KB

MD5
0994c750b1c2e2744c5f27819d8f53d1

SHA1
c951ce355ec79cbc359dc2ec93dc565853673a81

SHA256
a7434d0101d8018d59c06571bc13e434ba33e23e1bb04fcfd5454f42d67907a6

SHA512
0b6066decd2cae480108802b1b6f12f0eb6a3635c160eba144f92fe998e64baabf17720c51f82e37e21fb87679102345984ae0dc2c79d2c633b92e41ef2efc01

Download Submit
C:\Windows\SysWOW64\Mgngih32.exe

Filesize
128KB

MD5
b0af1432c5959501caf1bcc0a6332530

SHA1
439a11f12f793e41c4e53a0eee1a333eba25cdb8

SHA256
6ea67cd4d2d5ceafda38bdde2985d39c93fb61f45f8bc6e385ffc58e0f0bfde2

SHA512
94a9cb33105f408491d325a3f8f4a554ae21a58a5b226cbfb647d58ac0129257da8aa5e5caf19fcd105511ed560731ed5ecae2b2eb30c09f5b3263a8f1f50620

Download Submit
C:\Windows\SysWOW64\Mpqklh32.exe

Filesize
128KB

MD5
dc6ae7704fd612732a20eb3548ce6335

SHA1
e11a2828956f788cd92dc568f28ef04382d608ab

SHA256
98e75580f643c1120dfa7b88a3054c699696939aaa0c57a6a76871894178e87a

SHA512
3d1ad8ba62fe89603660af74d47c3ee1f0a7aface1f5b93fb7eba3e87f09b7fd7e507379f65d6649e80c60983dbc397c852a9ccfed12f37fb736a1ad2bb2e83e

Download Submit
C:\Windows\SysWOW64\Nemchn32.exe

Filesize
128KB

MD5
ddf2daedfda562f9648cdc5b9fa77c1e

SHA1
89075fe752792c8f4f717ab59edbc90e17ad24ce

SHA256
99ca3a136600eb0add44cd2cc4beef8e97250d45b53e139e68ad7a68d2a21735

SHA512
aa728bc3c818eca406f751f818d24e27f8c1eaf55d4454ab997f382e6d30b332b09ba6040a3680f1c87b431d0fa2d66c48fa1f5e596381a39ac263716e04f6e4

Download Submit
C:\Windows\SysWOW64\Nkdlkope.exe

Filesize
128KB

MD5
19012c81ca74519320b867c9178066e5

SHA1
841fa023c5ec047d27944069cfbbce912bf3ad3e

SHA256
3556a47aab91a6f9fe399362b47ea590dc642e47e389a65dfc3f7d631daa65f7

SHA512
ffb3445c5e4d7522e96845483a9fbcfee2aab305659d073f74e6f395ad5973d7be71a6cfcddbcd88ecf0bb4316013bbe28581e911b95e524788a3ef901824120

Download Submit
C:\Windows\SysWOW64\Nkebee32.exe

Filesize
128KB

MD5
5ea1413a0be4736300954f5a000d6e4e

SHA1
e939a3364ed6d013c27351cbe362eb065d04ca39

SHA256
53e8586ced5b3b5fa15dd8e3568cd437660a272bc241ec473ce293b9a52e8052

SHA512
f43d6200e31982fbfb9310c00d855e2dfe73b16bd8115b755e7119f648e9ac696dee1f0bc69581a7cb9b3c005f158d5c39d5544682f86719fa9542b1435e555f

Download Submit
C:\Windows\SysWOW64\Oakjnnap.exe

Filesize
128KB

MD5
2692aecd6329f92c4f7e4871446d9fec

SHA1
bc028966608d127523d4d44f74b0a3f84f867f00

SHA256
4759dbe3de66fb8a3f8f6c613d7cdda295f15d0acc24f3e98fae788af4f92aba

SHA512
985be4ce79a59c05eca77637f1fe8a4c1446e349a23305cbb6d5eb12baa44c2828085d535c6d886e2a88560423402a4df2fa9cbf40c041689b6a332b29711dd9

Download Submit
C:\Windows\SysWOW64\Ogjpld32.exe

Filesize
128KB

MD5
d7e97228b78b5b20e76ba6609bb764ad

SHA1
443a2852e858505c7d1b2df2ff1de7a3118d6372

SHA256
4ca75eb8c19f76965e4a9523c4648d6bdce4af502e64142d778363591e85e4ce

SHA512
3dc8a9aa4c2d312212f673b0d977f7cb8e8b2c2fa8cb252ec3a4474d88b0767b589646bc9180fa1d175f9772c01892173c6e904374006e9b4cdb27649d0c9012

Download Submit
C:\Windows\SysWOW64\Ogjpld32.exe

Filesize
128KB

MD5
6f5c2a19888a6b190ea1f561bbae93b2

SHA1
3b38e6174e2aa76eecd6c7a426dbce2284cc93e0

SHA256
209fd9f60942ae353f9c169437948bee366ac9ee2d2b3d420cdeb9a8035238c4

SHA512
7b4c899297ce5773a7e8ef3ac30f2d2a73b3c28ccd4db6ca022c821fcb27ae6f913b93c52c04062f6337097245e37a71aefef4e4a4d84af5062ff9941a76bd4d

Download Submit
C:\Windows\SysWOW64\Oogdfc32.exe

Filesize
128KB

MD5
c23b603a40ed630966c3ef1834a53a8b

SHA1
fd7b01839f60573a937b6527001d568089c3d37e

SHA256
3a1a41b8a53ea31aedc7c61522d42f7f241598b5a2fa2397ae1d505dacfffafe

SHA512
296951280457b1962d28a93d78fb9d8f381dc6a626265025effd1c147acde7390b9114f1289c1ef0c4f64c2b576b10d75e6be7c91d9f5a119792137a016c6e91

Download Submit
C:\Windows\SysWOW64\Pkonbamc.exe

Filesize
128KB

MD5
f9c314c04d2301e52a414b6b571dd084

SHA1
d0cf835f4ea13e667fae2ef45f75d5a37375d660

SHA256
b667615986c11ed683c69d3baf1a7f591a3af5ad541cfa8ce9f16b323455c19c

SHA512
c148f3027c3075f162765690a304d41d1608131eb7a419d964e85043df72383d2fade0d9cb2e6117cf8fbf50170a15e9f244f2e060c680d5790f9a7d145ffec7

Download Submit
C:\Windows\SysWOW64\Pnhacn32.exe

Filesize
128KB

MD5
9adcc402c5e5dd1fec8a62d38a5c769e

SHA1
3b67366f289568ad2edf8196ae59ec21297c3978

SHA256
32b31555802b9d833b612f403dd29d2125c6965d1cf887ed8242661bab3cd640

SHA512
e0f20dc6666c05b84fa8772df55a45e9a23519fbc6b16c381a89497eb8934a473a8c053413318a29cd7274b68224e52ff94535db271132422c0002208f211096

Download Submit
C:\Windows\SysWOW64\Qnpgdmjd.exe

Filesize
128KB

MD5
5fe50f68698ec30ebefbe1dfa0ae7e12

SHA1
2b1d940edd364999f75343cac7071d26c939cea2

SHA256
d1c856db3f69f0f8c3929bde8e73de34c4c7c994946130f44c69937d4fc72b17

SHA512
0cf96a2d1037c989091043f47487716797813c277ff2e7d95bd1aa214899e82c86976c3870eecab6d222ea5b35053871d728deef35255ac6c9f0b15eff036224

Download Submit
memory/388-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/408-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/456-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/792-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/908-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/940-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/956-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/984-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1264-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1420-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1544-416-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1632-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1692-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1840-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1904-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1912-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1916-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1968-255-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2004-231-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2108-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2188-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2248-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2260-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2324-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2336-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2384-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2428-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2440-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2532-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2544-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2724-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2784-430-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2788-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2884-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3060-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3132-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3136-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3372-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3548-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3552-422-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3720-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3752-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3832-436-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3840-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3940-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3948-111-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3960-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4076-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4160-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4184-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4252-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4344-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4364-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4408-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4616-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4628-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4648-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4664-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4720-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4728-442-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4756-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4960-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5012-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download