b90970049ed84352875b6588d336ffc7fa72c913878eaca119dea6a1eb0b3c52

Analysis

max time kernel
96s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b90970049ed84352875b6588d336ffc7fa72c913878eaca119dea6a1eb0b3c52.exe
Size

320KB
MD5

7d5356ac62f75297dee9e9f6c0749c88
SHA1

970fbaccc8db9f2ad210413a41c41e4385a8681f
SHA256

b90970049ed84352875b6588d336ffc7fa72c913878eaca119dea6a1eb0b3c52
SHA512

d9d5068919786ee694297777e2f8fa6a576dc589d4ee07a53e7db7ee82de30943e13f4c8139304eef6d18542e7c26fec2747def49ecca1e8c885c184f7f77141
SSDEEP

3072:o/HsprsRNgA6IsY6U4wS/A4MK0FzJG/AMBxjUSmkCMQ/9h/NR5f0m:o/Hsp7/h64V/Ah1G/AcQ///NR5fn

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Pdfjifjo.exeBnbmefbg.exeDaconoae.exeQqijje32.exeCmnpgb32.exePdmpje32.exeAccfbokl.exeDogogcpo.exeBagflcje.exeCnffqf32.exeDmefhako.exeb90970049ed84352875b6588d336ffc7fa72c913878eaca119dea6a1eb0b3c52.exeCfbkeh32.exeCnnlaehj.exeAnmjcieo.exePqmjog32.exePmfhig32.exePqdqof32.exePclgkb32.exeCabfga32.exeQceiaa32.exeBfdodjhm.exeDhfajjoj.exeBeeoaapl.exeBalpgb32.exeBeihma32.exeDfnjafap.exeBgehcmmm.exePmdkch32.exeDejacond.exeCdfkolkf.exeDddhpjof.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b90970049ed84352875b6588d336ffc7fa72c913878eaca119dea6a1eb0b3c52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b90970049ed84352875b6588d336ffc7fa72c913878eaca119dea6a1eb0b3c52.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe

Executes dropped EXE 32 IoCs

Processes:

Pdfjifjo.exePqmjog32.exePclgkb32.exePmdkch32.exePmfhig32.exePdmpje32.exePqdqof32.exeQceiaa32.exeQqijje32.exeAnmjcieo.exeAccfbokl.exeBagflcje.exeBfdodjhm.exeBeeoaapl.exeBalpgb32.exeBgehcmmm.exeBeihma32.exeBnbmefbg.exeCabfga32.exeCnffqf32.exeCfbkeh32.exeCdfkolkf.exeCmnpgb32.exeCnnlaehj.exeDhfajjoj.exeDejacond.exeDmefhako.exeDfnjafap.exeDaconoae.exeDogogcpo.exeDddhpjof.exeDmllipeg.exe

pid	process
4740	Pdfjifjo.exe
1012	Pqmjog32.exe
2796	Pclgkb32.exe
1036	Pmdkch32.exe
316	Pmfhig32.exe
3496	Pdmpje32.exe
888	Pqdqof32.exe
4944	Qceiaa32.exe
1816	Qqijje32.exe
2864	Anmjcieo.exe
3996	Accfbokl.exe
664	Bagflcje.exe
4148	Bfdodjhm.exe
4748	Beeoaapl.exe
3628	Balpgb32.exe
4840	Bgehcmmm.exe
4928	Beihma32.exe
2144	Bnbmefbg.exe
4524	Cabfga32.exe
4772	Cnffqf32.exe
2036	Cfbkeh32.exe
5012	Cdfkolkf.exe
396	Cmnpgb32.exe
2920	Cnnlaehj.exe
2108	Dhfajjoj.exe
996	Dejacond.exe
3052	Dmefhako.exe
4696	Dfnjafap.exe
3600	Daconoae.exe
3236	Dogogcpo.exe
4376	Dddhpjof.exe
2740	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

Processes:

Qceiaa32.exeAnmjcieo.exePqmjog32.exePmfhig32.exeBagflcje.exeDmefhako.exeDfnjafap.exePqdqof32.exeQqijje32.exeBnbmefbg.exeDogogcpo.exeDddhpjof.exePdfjifjo.exePclgkb32.exePmdkch32.exeCfbkeh32.exePdmpje32.exeAccfbokl.exeBalpgb32.exeDaconoae.exeCabfga32.exeCdfkolkf.exeCnnlaehj.exeb90970049ed84352875b6588d336ffc7fa72c913878eaca119dea6a1eb0b3c52.exeBfdodjhm.exeBgehcmmm.exeCnffqf32.exeDhfajjoj.exeBeeoaapl.exeBeihma32.exeDejacond.exeCmnpgb32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qqijje32.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	b90970049ed84352875b6588d336ffc7fa72c913878eaca119dea6a1eb0b3c52.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cmnpgb32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3352 2740 WerFault.exe Dmllipeg.exe

pid	pid_target	process	target process
3352	2740	WerFault.exe	Dmllipeg.exe

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Cmnpgb32.exeDhfajjoj.exeDfnjafap.exePqdqof32.exeCabfga32.exeCfbkeh32.exeDogogcpo.exeCdfkolkf.exePmdkch32.exeQqijje32.exeAccfbokl.exeDmefhako.exeDddhpjof.exePclgkb32.exeBagflcje.exeBeihma32.exeCnnlaehj.exeDejacond.exePdfjifjo.exePqmjog32.exeBgehcmmm.exeDmllipeg.exeAnmjcieo.exeCnffqf32.exeDaconoae.exeBeeoaapl.exeBalpgb32.exeBnbmefbg.exePdmpje32.exeQceiaa32.exeBfdodjhm.exeb90970049ed84352875b6588d336ffc7fa72c913878eaca119dea6a1eb0b3c52.exePmfhig32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b90970049ed84352875b6588d336ffc7fa72c913878eaca119dea6a1eb0b3c52.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe

Modifies registry class 64 IoCs

Processes:

Beihma32.exeCdfkolkf.exeDejacond.exeDfnjafap.exeb90970049ed84352875b6588d336ffc7fa72c913878eaca119dea6a1eb0b3c52.exeQqijje32.exeAccfbokl.exeDaconoae.exeCfbkeh32.exePdfjifjo.exePmfhig32.exeQceiaa32.exeAnmjcieo.exeBnbmefbg.exePmdkch32.exeCabfga32.exeDddhpjof.exeCnffqf32.exeDogogcpo.exePqdqof32.exeBagflcje.exeBgehcmmm.exeCnnlaehj.exePclgkb32.exePdmpje32.exeCmnpgb32.exePqmjog32.exeDhfajjoj.exeDmefhako.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b90970049ed84352875b6588d336ffc7fa72c913878eaca119dea6a1eb0b3c52.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b90970049ed84352875b6588d336ffc7fa72c913878eaca119dea6a1eb0b3c52.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b90970049ed84352875b6588d336ffc7fa72c913878eaca119dea6a1eb0b3c52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b90970049ed84352875b6588d336ffc7fa72c913878eaca119dea6a1eb0b3c52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Dmefhako.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b90970049ed84352875b6588d336ffc7fa72c913878eaca119dea6a1eb0b3c52.exePdfjifjo.exePqmjog32.exePclgkb32.exePmdkch32.exePmfhig32.exePdmpje32.exePqdqof32.exeQceiaa32.exeQqijje32.exeAnmjcieo.exeAccfbokl.exeBagflcje.exeBfdodjhm.exeBeeoaapl.exeBalpgb32.exeBgehcmmm.exeBeihma32.exeBnbmefbg.exeCabfga32.exeCnffqf32.exeCfbkeh32.exe

description	pid	process	target process
PID 2544 wrote to memory of 4740	2544	b90970049ed84352875b6588d336ffc7fa72c913878eaca119dea6a1eb0b3c52.exe	Pdfjifjo.exe
PID 2544 wrote to memory of 4740	2544	b90970049ed84352875b6588d336ffc7fa72c913878eaca119dea6a1eb0b3c52.exe	Pdfjifjo.exe
PID 2544 wrote to memory of 4740	2544	b90970049ed84352875b6588d336ffc7fa72c913878eaca119dea6a1eb0b3c52.exe	Pdfjifjo.exe
PID 4740 wrote to memory of 1012	4740	Pdfjifjo.exe	Pqmjog32.exe
PID 4740 wrote to memory of 1012	4740	Pdfjifjo.exe	Pqmjog32.exe
PID 4740 wrote to memory of 1012	4740	Pdfjifjo.exe	Pqmjog32.exe
PID 1012 wrote to memory of 2796	1012	Pqmjog32.exe	Pclgkb32.exe
PID 1012 wrote to memory of 2796	1012	Pqmjog32.exe	Pclgkb32.exe
PID 1012 wrote to memory of 2796	1012	Pqmjog32.exe	Pclgkb32.exe
PID 2796 wrote to memory of 1036	2796	Pclgkb32.exe	Pmdkch32.exe
PID 2796 wrote to memory of 1036	2796	Pclgkb32.exe	Pmdkch32.exe
PID 2796 wrote to memory of 1036	2796	Pclgkb32.exe	Pmdkch32.exe
PID 1036 wrote to memory of 316	1036	Pmdkch32.exe	Pmfhig32.exe
PID 1036 wrote to memory of 316	1036	Pmdkch32.exe	Pmfhig32.exe
PID 1036 wrote to memory of 316	1036	Pmdkch32.exe	Pmfhig32.exe
PID 316 wrote to memory of 3496	316	Pmfhig32.exe	Pdmpje32.exe
PID 316 wrote to memory of 3496	316	Pmfhig32.exe	Pdmpje32.exe
PID 316 wrote to memory of 3496	316	Pmfhig32.exe	Pdmpje32.exe
PID 3496 wrote to memory of 888	3496	Pdmpje32.exe	Pqdqof32.exe
PID 3496 wrote to memory of 888	3496	Pdmpje32.exe	Pqdqof32.exe
PID 3496 wrote to memory of 888	3496	Pdmpje32.exe	Pqdqof32.exe
PID 888 wrote to memory of 4944	888	Pqdqof32.exe	Qceiaa32.exe
PID 888 wrote to memory of 4944	888	Pqdqof32.exe	Qceiaa32.exe
PID 888 wrote to memory of 4944	888	Pqdqof32.exe	Qceiaa32.exe
PID 4944 wrote to memory of 1816	4944	Qceiaa32.exe	Qqijje32.exe
PID 4944 wrote to memory of 1816	4944	Qceiaa32.exe	Qqijje32.exe
PID 4944 wrote to memory of 1816	4944	Qceiaa32.exe	Qqijje32.exe
PID 1816 wrote to memory of 2864	1816	Qqijje32.exe	Anmjcieo.exe
PID 1816 wrote to memory of 2864	1816	Qqijje32.exe	Anmjcieo.exe
PID 1816 wrote to memory of 2864	1816	Qqijje32.exe	Anmjcieo.exe
PID 2864 wrote to memory of 3996	2864	Anmjcieo.exe	Accfbokl.exe
PID 2864 wrote to memory of 3996	2864	Anmjcieo.exe	Accfbokl.exe
PID 2864 wrote to memory of 3996	2864	Anmjcieo.exe	Accfbokl.exe
PID 3996 wrote to memory of 664	3996	Accfbokl.exe	Bagflcje.exe
PID 3996 wrote to memory of 664	3996	Accfbokl.exe	Bagflcje.exe
PID 3996 wrote to memory of 664	3996	Accfbokl.exe	Bagflcje.exe
PID 664 wrote to memory of 4148	664	Bagflcje.exe	Bfdodjhm.exe
PID 664 wrote to memory of 4148	664	Bagflcje.exe	Bfdodjhm.exe
PID 664 wrote to memory of 4148	664	Bagflcje.exe	Bfdodjhm.exe
PID 4148 wrote to memory of 4748	4148	Bfdodjhm.exe	Beeoaapl.exe
PID 4148 wrote to memory of 4748	4148	Bfdodjhm.exe	Beeoaapl.exe
PID 4148 wrote to memory of 4748	4148	Bfdodjhm.exe	Beeoaapl.exe
PID 4748 wrote to memory of 3628	4748	Beeoaapl.exe	Balpgb32.exe
PID 4748 wrote to memory of 3628	4748	Beeoaapl.exe	Balpgb32.exe
PID 4748 wrote to memory of 3628	4748	Beeoaapl.exe	Balpgb32.exe
PID 3628 wrote to memory of 4840	3628	Balpgb32.exe	Bgehcmmm.exe
PID 3628 wrote to memory of 4840	3628	Balpgb32.exe	Bgehcmmm.exe
PID 3628 wrote to memory of 4840	3628	Balpgb32.exe	Bgehcmmm.exe
PID 4840 wrote to memory of 4928	4840	Bgehcmmm.exe	Beihma32.exe
PID 4840 wrote to memory of 4928	4840	Bgehcmmm.exe	Beihma32.exe
PID 4840 wrote to memory of 4928	4840	Bgehcmmm.exe	Beihma32.exe
PID 4928 wrote to memory of 2144	4928	Beihma32.exe	Bnbmefbg.exe
PID 4928 wrote to memory of 2144	4928	Beihma32.exe	Bnbmefbg.exe
PID 4928 wrote to memory of 2144	4928	Beihma32.exe	Bnbmefbg.exe
PID 2144 wrote to memory of 4524	2144	Bnbmefbg.exe	Cabfga32.exe
PID 2144 wrote to memory of 4524	2144	Bnbmefbg.exe	Cabfga32.exe
PID 2144 wrote to memory of 4524	2144	Bnbmefbg.exe	Cabfga32.exe
PID 4524 wrote to memory of 4772	4524	Cabfga32.exe	Cnffqf32.exe
PID 4524 wrote to memory of 4772	4524	Cabfga32.exe	Cnffqf32.exe
PID 4524 wrote to memory of 4772	4524	Cabfga32.exe	Cnffqf32.exe
PID 4772 wrote to memory of 2036	4772	Cnffqf32.exe	Cfbkeh32.exe
PID 4772 wrote to memory of 2036	4772	Cnffqf32.exe	Cfbkeh32.exe
PID 4772 wrote to memory of 2036	4772	Cnffqf32.exe	Cfbkeh32.exe
PID 2036 wrote to memory of 5012	2036	Cfbkeh32.exe	Cdfkolkf.exe

C:\Users\Admin\AppData\Local\Temp\b90970049ed84352875b6588d336ffc7fa72c913878eaca119dea6a1eb0b3c52.exe
"C:\Users\Admin\AppData\Local\Temp\b90970049ed84352875b6588d336ffc7fa72c913878eaca119dea6a1eb0b3c52.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\SysWOW64\Pdfjifjo.exe
  C:\Windows\system32\Pdfjifjo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\SysWOW64\Pqmjog32.exe
    C:\Windows\system32\Pqmjog32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Windows\SysWOW64\Pclgkb32.exe
      C:\Windows\system32\Pclgkb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
      - C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 396
        34⤵
        Program crash
        
        PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2740 -ip 2740
1⤵
PID:1324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
320KB

MD5
24f079d3104723c9ce3262143081beed

SHA1
730c17a5b9b71712152adfa5bf85bbb6dbd30cc5

SHA256
8f859308e7183ddf6275453057abea47a9db54c9be9b1850fa233bf5b6c4b57a

SHA512
45b9e11b9c52b1d12668e4ecccbd2d2c70e8e9b97f904077b11bbd0f26aec07de0a89dba58d2e2816dbc21b25d2ce04b72bbaf251289a615ab3fcb1d5132e7dd

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
320KB

MD5
cd9b0f19b7806d17430d7377bf5c8eb3

SHA1
80770be46f475ef12953af4c87f88bf890cb3b4d

SHA256
de1e69a19a35dddddb769bac8c76eb9d2d13ad4fd1bd6b42c064c3056e5d063c

SHA512
2a665cd51447d67a9814b8758fd448a7345de70fae04d4ff12008f2056d9acc216a635b4644f2a5ac36fae7337c95a8ce43615f7cf486a692f91d8b5f96c1b56

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
320KB

MD5
8aed80cfd8c17b945596909ffb492e82

SHA1
2ff087f960545dac7f320f07282ebe3a79ab45b9

SHA256
9c6be438347d9cc0071b31116e05d525a2879c1f95c6f94dfe962f55ace7f70a

SHA512
989357cfd7c49a99eb6829a2ddb2bb161c1e5401ae9b404f228df65322daac2fa04f1e9ad0fb3c0e7cef83ab087d5fd8651f868f3d332311554a323d854a8562

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
320KB

MD5
f5eb160718deb2c27e5ac5c50fd51359

SHA1
36afdd07d283371552a0c064c4698d03d786fb04

SHA256
a96824da8d4480a61d3a8a573646f75598050ef121605cacb821801b2df8b842

SHA512
caa08f7fb12bac97a8b29b90382499e7f4d571a27b5992c6f60af0b645ffdba8824b9695750ff2a15ca90aa1c678b9aff230f7028c7fb8d5b6be64c94cbf417d

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
320KB

MD5
207f6ebbe5f3d51ddb4dff8e58382624

SHA1
d295b18f9be9b777bdcf8f03146187f26052ed93

SHA256
0171565a002f03854fadf2cd336c3543bd92e63b156d0178c92cb967db793ce1

SHA512
766c5b957731eb6167c1ecf14a5822be214f94e97b899ca7bedb0f3314bc1a526dc374336c3074dd8e8b577daa0d0a712af22ee23c2ab2b3ca863eab53c27772

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
320KB

MD5
5b011cc2d5101e6b721b210f42a4f57e

SHA1
315db1125526fe36d3d7700f01ea0d26894bd1ef

SHA256
6d0dd934c740c2c471e77e21a39eda9d91c79ef52dc4d6a8cf4bb725c754b9eb

SHA512
396e0fb3896028f4f92183054e78b7b472f6070bbbfd8c98c28cdfa9973a6a57ee8bdd0c8ea1e70271bbff9443cb561aa7f1aa68ea39aa7039ba96015dd54a83

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
320KB

MD5
f575609c6acfd388fdedc40a452924ad

SHA1
f5a443caf6199a9f87565d7175abf44202551776

SHA256
bb7edc2aa24f3789f3d34a9a42863d07c563c4e89ade8ce6c2d451abb4065d8e

SHA512
1c0fab822567ec609b12aee8f128d67142094cf47c56b790420da71c8e544e3dd3f5ef218c22e835d729134dc85d4b6b005dcab2e14d0194a3fe594e1804bfa1

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
320KB

MD5
6fecd43871a1725f82e4a07e0c08ea0e

SHA1
6ec87eb54a2dd55c4b0d7a7760763f723d15bed4

SHA256
3abcbe95b0bff393871189103283759f6c16e90d34254144fdf65393d4684ab9

SHA512
7c492300b3b3321885a3e27a1d6c4a6e57175dfb531873dbc422d534c20240ee61c1ddc7f6d7c7cad73c204726c1c4c7a4094c5354f8433cce7e718ee47c9328

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
320KB

MD5
dd4fa67e2053872b7bab742a7ec57a2a

SHA1
f777122d4139d9e74bcf15130bf7f2148c94e43b

SHA256
a1a6d0f2e0d82a2306c68ae3d8c814b8aeb90c6c7088d5969c0df3d7281a8242

SHA512
5decc0aff03527c799f03637b14dbae563114780c5792b962c35504aa965008a24cf65412726d5aa6c4e11d26b262bc09e571eeef42bcca4c8f1a4c2c8c18d73

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
320KB

MD5
56e86f40510dd55be0f68293eceeecdd

SHA1
4ec4ec2ee2439b0101f41e839033124d72978d03

SHA256
b491e93a6c98e58002266f2c8cdb711b5d52bb8df6ff38c8184edacfd2d59064

SHA512
ebabec3799cd5a1ee64c2ea31cde3aca8e05214926bab1b38480588ba1c6ced0c22aba21bf9a5e3eb67cf1627c9ece4da2e7c9c479dcc16193421b8bec50d9d9

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
320KB

MD5
6472c172d933bec4bc051c03e4ec3a61

SHA1
a04994ef0ed63314109d371102b0d6620dac2054

SHA256
84598069fdebce0f02a41195169d3bcc3180a9df3ed89b23c1dca8cfa95603a7

SHA512
4d303035eccf9c17cd940967b2940deb148291147bc78dad2eb370451a688a98fb197b8052c25c4f487142a7b4de9a058c50c40b88bf88fefc805bd09bbcf13c

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
320KB

MD5
7cbba6934c0152472dd6a1af9a10d5e1

SHA1
6d0823509ac003828e07c66f7f18354216a956b5

SHA256
af4607a4e68e0609b7fa8437ee40d53c50c64c4126e72db093ed3ab1539c6a8f

SHA512
48e05bb55c9e455bbbd1089f77f64ddae7232886cba0e5cb8edbe742403523d1ecf67daef538ebe03945596c7df7ad08662fae3c8bb69790519d3b28eb8e00f1

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
320KB

MD5
9c08ddb83d6cfe758179aa7fcd08f5c5

SHA1
2e05b183acade58a57f45b22ff2d39cb6710ca81

SHA256
4d128b9d0ccd0da06f5490f4db62f0362c3cab8553bbc05125556fb85e8e0491

SHA512
6a7ccc75a13c0b812a5e0db9cd0a8e5a83313174ee3471d179ac53c1b1f72e85cf9d8125b9d50d531934b3c0a57f4ec5a80b41ebcde106c0fa29288a5c8e13cb

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
320KB

MD5
691a1a475fd5ee5832226be5580a7f95

SHA1
f014fd37a19141756e2eb0e0578bbf2989ad49e4

SHA256
0cbc9f1a02152f1697030eb5a30cd5ebc4065434cc1c89f7aea961193de67da5

SHA512
0b14dd1d4bbeafaebcf3683289e9d4d487469a772cced619cc659d3be629b81c131d00863b70f6749bad9481bbaced53fd9dccf0b2b29ca338725acbfbe097ec

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
320KB

MD5
9c91556c09d8c5ca7f89ea085bf714db

SHA1
3dfc3d6a144feb330490f731b8d01775822fa9d4

SHA256
64954a3b90826606ac041bf2405abbabecb4e5f89310c852224a4cc468eed878

SHA512
9260359b6cafdc1c9cdcfaea8f0edd10ff0c2d42523b9c5f3e1ad7ee7eb1faefb6ae33639987dfba628cf4a1c9e542b8393d198c0d8b42c8ab3eef6a60a7fea3

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
320KB

MD5
4963f071f9c9f2b490c32c55f0355514

SHA1
09362898b38785587ee73b146f6eb083f2f8b49a

SHA256
c1ffc033acd025110610eaaa59f624bdcdddb4496669467d8f14f40d52990366

SHA512
8b0ccfb530b7e2031f16bb1fff2e8dfd4ab0102f8dfd940cb63e5743a867160d436fb741d03d535e0eedbb48eea6e364f694aef75ec60cd2efadb91cd0c00e40

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
320KB

MD5
eeafd983b7d91b62df74064cc24a9f2a

SHA1
ec1785cd1b20347f62d355a28eb9d23cc7a37883

SHA256
04e0d193a3df9ffc83850c0ce175cbabe8802762450980643036299e9a4e11c8

SHA512
9e802150c057f4536035fb86925c89e52efe12af37acc4b477b4cb0a5f5cdb2ab6df0df9b4218f0df1514bc71991e4532ce80fdb2a57f607df4f8be940611330

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
320KB

MD5
c3b953027d7ba0768d13fb692d214ab2

SHA1
e2d6ec0732b2f7e184cd283e7415c6d1e35ec525

SHA256
2fc32658e6d5c0ff5fc4ab730a14479f15156b998c6c23d79d1f0e43742539a6

SHA512
473e9193de2c1c56143736801177f2db294a52252cdfadf0a6c91530e61818c1230be58994c7298f21bec4e569b427ed9824e780243135179c64f9386a62f948

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
320KB

MD5
0d1ae6e895573206a83b2a6f729ec8b6

SHA1
047229fa52b6b6e799787d455266c973fba079f1

SHA256
2a4f6b376647bf85e59faf7bdfe8c796c5cb7f5346a5a5c08940f77cd2bbde02

SHA512
b25121484bdaa0b987569387b147209c743e356c00611fd6a994ad05c811874a55c6527a6b1103d11872bbef571b195aef14478f55e78928b18f7d9c89e58f61

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
320KB

MD5
0228a212d2fec6c26cede627ce78786e

SHA1
ed16cecc633e8a4f84569c22bb9244018d59867c

SHA256
4752a2e65f9263b4306db0cb2dcf07d98f9ac7d4bff6bb0c3062aa6f31af46b4

SHA512
09b172b0a416fe3ed19533250f007eb80f4aa3862fb78cc1b9105dd134dc1e6519549f04483979b97e7c4d518e8bfce5516e959a5a27c347d2f7754b5f75d807

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
320KB

MD5
0a41f9ee3cf675e9a3260ba31cffb5dd

SHA1
77126ca81baa3f5287f5b823c9291f77910fa96f

SHA256
abcc194a68328f4ab9db7312107b4e91cd452c12e2c410b472492832d4fd3c86

SHA512
dbab319afa317cd43ddaf4e8890046127fb2369b97b7e3751f56e00d467518ef1c36187dc1b63258d972dc1e49b69e3484917027045a629fee88c07344757ef1

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
320KB

MD5
b1eb8e4ab1fbf74cb18ec6b070caae0c

SHA1
9fa2c9347f1db786a19e9bf26ab61a04688783ea

SHA256
8a94b407fae8067ec0d77d6c1af81081f4276cd0ad47ddfa41c322907c27a1d2

SHA512
62f49d266cb7fb44415353202c549ade0c22b02c3d8b70501797db315e3cf1b7a5be4bff60cc091e0c836263824cb678e7a4aafa5e00252486de5a5917bf1ba1

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
320KB

MD5
d1114351957256992d95edb000a98f70

SHA1
67982a50da58c672a3f94d8cc3d31443471b69a6

SHA256
b10c316e6566b6d1d356554905a0da674f6d762671a11e34c0f3ec8d0a94f095

SHA512
fe163c72a89fdb0f4e0446d97be209699c02928a8907bb2d75b5b9f43a71af66d83bdd157685f68bb8389ddcdd5d879bd2d3dc4f424d535033bda3eaea759e7c

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
320KB

MD5
8b78da661946c6e9c2f0818b5519aa24

SHA1
80b7912c10dc268cc62e82df8778db6cab7b8838

SHA256
a85f6d622457c34ed9c879d91944a0cc8bc2a1da9ef1950ce991857ef50ba77b

SHA512
8d8da74b2e41b08f2a537ebb928919635ff9d651ab0c555134bb05853c2eea7f4e4df092c64085c7bda1cb57ce423ef3586dc5499cd6d7c29f1fddd2da5b6123

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
320KB

MD5
b94fe720654cb401ebe95eec96b2f1c9

SHA1
e1493c034ac82ac5ccb333e866d3723121201dc6

SHA256
5f18857b611f9f696c767b72c5980f199813dc99fb8f90c8dcb82b7195d3246b

SHA512
f28456fb3c77499a32b640565954b382fdd86acb079e73196f86809e13d632a0c1c22913e47baa023d8ca8a0ebf93bdc452b224f3e395fa1942de71b3ee46361

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
320KB

MD5
051c2d48a6b49f2d30f8f3fd898d100e

SHA1
d88522b42b045c08b64c99983dbb40c838f4c3f7

SHA256
ac347fdb0bda4bae360013da2632948417d86f8074ea7bdac1c5737f0a700a04

SHA512
d816f53fa8d9d689e7b635c44a035f08f638b8c8551608574ebd4e8a95a8a36682cb1e3a01fef80c12d9b8ed46f8e463713fe65a716ccd6ecb43acc37612ee25

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
320KB

MD5
6eb5f2fb62d2c87325e01e4633bc0396

SHA1
ae4def6ea0afe1952c20ba7038f873c4a74dd598

SHA256
06fa9cc95ec02aa903ceae2ba3d420cb02ee407505c0ccf1beb2e7ba00fd8b85

SHA512
d0b41e8387d6e7c0c023d4ddf2248667181d219857d691fbe98e7337e87dc89f55e2850d5e3f482d36c62bfb2cee7e9f2fa237fe6133998ca8ae5d8510beb8e7

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
320KB

MD5
c200b337daf44d23b834ec3f725323df

SHA1
213aa178928f03d149a9eec6361643d776cddee7

SHA256
2c464741f4d18ef41567ddbaafb72483863d9c7eaf47c15a6621a32b9c519521

SHA512
82f7bd2354fbf974138d4a4b1adecffea77248610f6b7b7abeaefacab40275c9995b534408cc030b9a877feb0916f6cf783cf8c2a5564b8a35f7d9ee94e163b5

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
320KB

MD5
04622d50a96af0ddf72065fe535d1e4f

SHA1
85e693c329d1f48dd0f1ae1b22b6dcebed84bf8c

SHA256
072856d736771868eecdf413fdb788cacc41968b27ebd4f8db1085732194a6b0

SHA512
e702691f657968de0d95d1df5b6c6afa11767223e3a9f1b4ceb1e77a8f35151c65704d927382de62d11bd8a57b6752703f935915e5c14143165abcfedeb0be4f

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
320KB

MD5
b0453d6dbf545ad3377bdda1f296c957

SHA1
71afa1579c58178b7c01b0f0b9431bd4e4400fea

SHA256
f28bdb214e064a14172d6a4cd495847409ac10cc0da003390cd3c6f87bfc7d37

SHA512
6c133d39990d145ff7863c11b7c3f10f9f087de45a8e08211415fa02fa7797674a0be4473ed52c3ec2ef54b160e99630e7751625b55d8f175cb95bb163436dd0

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
320KB

MD5
6245622271ca8fb3125eb0888e4b5e26

SHA1
179c1b6bfa9cf1632dc084b16561814c8a238bf3

SHA256
25d3b57e47c37f741924e54c106d7964da348af210b7ac5d6bb89ec84bf728ec

SHA512
6f21eda2b5efb991bd868edd2e149ab9d4f3db0643f024083ca7386f133133fe26420b7931dcec0c20f1f4d74b1d31d5e1256ce2d55408f23168c1d8bb4d5799

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
320KB

MD5
21e5357e33a360cc05a78ac9262f7237

SHA1
6b6f5371e396669897b378664baed722134bdd36

SHA256
89f6d61808acb716e3c85f1350aee886d3d592761ea147e861d82324c3c25998

SHA512
076f31fa247bbbd68039d543b744f5075a63a3d0c10999223542b53c7048e3e50fd077a18341e11dbd9338fcce7a029266111a7bf92ad311f1a56959b0c92749

Download Submit
memory/316-41-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/316-313-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/396-277-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/396-184-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/664-299-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/664-96-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/888-309-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/888-56-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/996-209-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/996-271-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1012-16-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1012-319-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1036-32-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1036-315-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1816-305-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1816-73-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2036-168-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2036-281-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2108-273-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2108-201-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2144-144-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2144-287-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2544-323-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2544-0-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2544-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2740-257-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2740-260-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2796-317-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2796-24-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2864-81-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2864-303-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2920-193-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2920-275-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3052-269-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3052-216-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3236-240-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3236-263-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3496-49-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3496-311-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3600-232-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3600-267-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3628-293-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3628-125-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3996-301-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3996-88-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4148-105-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4148-297-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4376-261-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4376-248-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4524-152-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4524-285-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4696-224-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4696-266-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4740-321-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4740-8-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4748-113-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4748-295-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4772-283-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4772-161-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4840-128-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4840-291-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4928-136-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4928-289-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4944-307-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4944-64-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5012-176-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5012-279-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download