9abdd1bd8b2c68b54d217fe7c105c0ee3ca8ca4072e0562ea045cc8576aab9e3

Analysis

max time kernel
147s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

baaa39974eaff75e17250a8ab6fc3db4.exe
Size

135KB
MD5

baaa39974eaff75e17250a8ab6fc3db4
SHA1

e67fe6ebf3b687c5f3b6f3b006dd5c0de6afc0b3
SHA256

9abdd1bd8b2c68b54d217fe7c105c0ee3ca8ca4072e0562ea045cc8576aab9e3
SHA512

4ee6de4d520de71072052dff811fae276d850a55e234d475a81599fd231bf50c7beddde6726560330de8962e1ba09c7db0739485eb170e7c63adfa913275dd4b
SSDEEP

3072:vhwiFjn0TkO06gSU2UT3K8Qr5+ViKGe7Yfs0a0Uoi:vhwiFD0TkO06gSU3T3K9cViK4fs0l

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Gimjhafg.exeHimcoo32.exeIbmmhdhm.exeLpocjdld.exeLcdegnep.exeLnjjdgee.exeIpldfi32.exeMdfofakp.exeMdmegp32.exeNceonl32.exeNqiogp32.exeClnadfbp.exeDhqaefng.exeGmoliohh.exeIpegmg32.exeJfhbppbc.exeKajfig32.exeKgfoan32.exeNjogjfoj.exeDljqpd32.exeEbploj32.exeIjdeiaio.exeJdcpcf32.exeKaqcbi32.exeNnolfdcn.exebaaa39974eaff75e17250a8ab6fc3db4.exeHabnjm32.exeHcqjfh32.exeHbhdmd32.exeKbdmpqcb.exeKipabjil.exeCekohk32.exeDphifcoi.exeKkihknfg.exeMgekbljc.exeNdghmo32.exeDchbhn32.exeJidbflcj.exeMjhqjg32.exeMcpebmkb.exeFihqmb32.exeIbccic32.exeKkpnlm32.exeMaaepd32.exeClqnjf32.exeEhlaaddj.exeFodeolof.exeGmaioo32.exeMahbje32.exeNjacpf32.exeNbhkac32.exeEqciba32.exeFfjdqg32.exeFmclmabe.exeIbjqcd32.exeJibeql32.exeMnocof32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clnadfbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhqaefng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dljqpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebploj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	baaa39974eaff75e17250a8ab6fc3db4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cekohk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dphifcoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	baaa39974eaff75e17250a8ab6fc3db4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dchbhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibccic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clqnjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqciba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmclmabe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dphifcoi.exe

Malware Dropper & Backdoor - Berbew 35 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Clnadfbp.exe	family_berbew
C:\Windows\SysWOW64\Commqb32.exe	family_berbew
C:\Windows\SysWOW64\Cefemliq.exe	family_berbew
C:\Windows\SysWOW64\Chebighd.exe	family_berbew
C:\Windows\SysWOW64\Clqnjf32.exe	family_berbew
C:\Windows\SysWOW64\Coojfa32.exe	family_berbew
C:\Windows\SysWOW64\Camfbm32.exe	family_berbew
C:\Windows\SysWOW64\Chgoogfa.exe	family_berbew
C:\Windows\SysWOW64\Cpofpdgd.exe	family_berbew
C:\Windows\SysWOW64\Ccmclp32.exe	family_berbew
C:\Windows\SysWOW64\Cekohk32.exe	family_berbew
C:\Windows\SysWOW64\Dlegeemh.exe	family_berbew
C:\Windows\SysWOW64\Dabpnlkp.exe	family_berbew
C:\Windows\SysWOW64\Diihojkb.exe	family_berbew
C:\Windows\SysWOW64\Dpcpkc32.exe	family_berbew
C:\Windows\SysWOW64\Dcalgo32.exe	family_berbew
C:\Windows\SysWOW64\Djlddi32.exe	family_berbew
C:\Windows\SysWOW64\Dljqpd32.exe	family_berbew
C:\Windows\SysWOW64\Dcdimopp.exe	family_berbew
C:\Windows\SysWOW64\Debeijoc.exe	family_berbew
C:\Windows\SysWOW64\Dhqaefng.exe	family_berbew
C:\Windows\SysWOW64\Dphifcoi.exe	family_berbew
C:\Windows\SysWOW64\Daifnk32.exe	family_berbew
C:\Windows\SysWOW64\Dhcnke32.exe	family_berbew
C:\Windows\SysWOW64\Dchbhn32.exe	family_berbew
C:\Windows\SysWOW64\Efgodj32.exe	family_berbew
C:\Windows\SysWOW64\Efikji32.exe	family_berbew
C:\Windows\SysWOW64\Elccfc32.exe	family_berbew
C:\Windows\SysWOW64\Ebploj32.exe	family_berbew
C:\Windows\SysWOW64\Eleplc32.exe	family_berbew
C:\Windows\SysWOW64\Eodlho32.exe	family_berbew
C:\Windows\SysWOW64\Efneehef.exe	family_berbew
C:\Windows\SysWOW64\Gfhqbe32.exe	family_berbew
C:\Windows\SysWOW64\Jpjqhgol.exe	family_berbew
C:\Windows\SysWOW64\Nnhfee32.exe	family_berbew

Executes dropped EXE 64 IoCs

Processes:

Clnadfbp.exeCommqb32.exeCefemliq.exeChebighd.exeClqnjf32.exeCoojfa32.exeCamfbm32.exeChgoogfa.exeCpofpdgd.exeCcmclp32.exeCekohk32.exeDlegeemh.exeDabpnlkp.exeDiihojkb.exeDpcpkc32.exeDcalgo32.exeDjlddi32.exeDljqpd32.exeDcdimopp.exeDebeijoc.exeDhqaefng.exeDphifcoi.exeDaifnk32.exeDhcnke32.exeDchbhn32.exeEfgodj32.exeEfikji32.exeElccfc32.exeEbploj32.exeEleplc32.exeEodlho32.exeEfneehef.exeEhlaaddj.exeEqciba32.exeEbeejijj.exeEhonfc32.exeEqfeha32.exeEcdbdl32.exeFjnjqfij.exeFmmfmbhn.exeFokbim32.exeFfekegon.exeFicgacna.exeFomonm32.exeFbllkh32.exeFfggkgmk.exeFqmlhpla.exeFckhdk32.exeFfjdqg32.exeFihqmb32.exeFmclmabe.exeFcnejk32.exeFjhmgeao.exeFmficqpc.exeFodeolof.exeGcpapkgp.exeGimjhafg.exeGogbdl32.exeGbenqg32.exeGjlfbd32.exeGqfooodg.exeGbgkfg32.exeGjocgdkg.exeGmmocpjk.exe

pid	process
2892	Clnadfbp.exe
880	Commqb32.exe
5096	Cefemliq.exe
2824	Chebighd.exe
2352	Clqnjf32.exe
3056	Coojfa32.exe
2052	Camfbm32.exe
4988	Chgoogfa.exe
4836	Cpofpdgd.exe
5088	Ccmclp32.exe
1696	Cekohk32.exe
5108	Dlegeemh.exe
1892	Dabpnlkp.exe
4444	Diihojkb.exe
4436	Dpcpkc32.exe
2060	Dcalgo32.exe
1232	Djlddi32.exe
3356	Dljqpd32.exe
4976	Dcdimopp.exe
3352	Debeijoc.exe
2800	Dhqaefng.exe
2068	Dphifcoi.exe
3276	Daifnk32.exe
4124	Dhcnke32.exe
4608	Dchbhn32.exe
4864	Efgodj32.exe
4684	Efikji32.exe
4356	Elccfc32.exe
4708	Ebploj32.exe
1080	Eleplc32.exe
1540	Eodlho32.exe
4972	Efneehef.exe
1744	Ehlaaddj.exe
3380	Eqciba32.exe
3440	Ebeejijj.exe
4904	Ehonfc32.exe
3044	Eqfeha32.exe
2440	Ecdbdl32.exe
3544	Fjnjqfij.exe
1908	Fmmfmbhn.exe
2312	Fokbim32.exe
4944	Ffekegon.exe
764	Ficgacna.exe
4912	Fomonm32.exe
2568	Fbllkh32.exe
3396	Ffggkgmk.exe
2316	Fqmlhpla.exe
4176	Fckhdk32.exe
2216	Ffjdqg32.exe
2268	Fihqmb32.exe
4888	Fmclmabe.exe
5000	Fcnejk32.exe
5100	Fjhmgeao.exe
4316	Fmficqpc.exe
1064	Fodeolof.exe
4796	Gcpapkgp.exe
884	Gimjhafg.exe
864	Gogbdl32.exe
3744	Gbenqg32.exe
4044	Gjlfbd32.exe
1020	Gqfooodg.exe
3296	Gbgkfg32.exe
4256	Gjocgdkg.exe
4192	Gmmocpjk.exe

Drops file in System32 directory 64 IoCs

Processes:

Cpofpdgd.exeIbmmhdhm.exeIfjfnb32.exeKmjqmi32.exeNkqpjidj.exeEqciba32.exeGcpapkgp.exeImgkql32.exeLdohebqh.exeLnhmng32.exeCefemliq.exeChgoogfa.exeEfneehef.exeFfjdqg32.exeKgfoan32.exeDphifcoi.exeIbccic32.exeLdkojb32.exeNjacpf32.exeGqfooodg.exeGbgkfg32.exeGjocgdkg.exeGcggpj32.exeNqfbaq32.exeClqnjf32.exeCoojfa32.exeHfljmdjc.exeJfdida32.exeJaimbj32.exeKpepcedo.exeKajfig32.exeCekohk32.exeIpldfi32.exeIapjlk32.exeJjbako32.exeJidbflcj.exeMjqjih32.exeMciobn32.exeNqiogp32.exeCcmclp32.exeDhqaefng.exeHikfip32.exeKilhgk32.exeCommqb32.exeFbllkh32.exeGjlfbd32.exeKibnhjgj.exeHcedaheh.exeLnepih32.exeMaaepd32.exeChebighd.exeFfekegon.exeIjaida32.exeJangmibi.exeKphmie32.exeHcqjfh32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Ccmclp32.exe	Cpofpdgd.exe
File created	C:\Windows\SysWOW64\Ijdeiaio.exe	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Eeopdi32.dll	Ifjfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Ebeejijj.exe	Eqciba32.exe
File created	C:\Windows\SysWOW64\Gimjhafg.exe	Gcpapkgp.exe
File opened for modification	C:\Windows\SysWOW64\Ipegmg32.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Chebighd.exe	Cefemliq.exe
File created	C:\Windows\SysWOW64\Cpofpdgd.exe	Chgoogfa.exe
File opened for modification	C:\Windows\SysWOW64\Ehlaaddj.exe	Efneehef.exe
File created	C:\Windows\SysWOW64\Fihqmb32.exe	Ffjdqg32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Daifnk32.exe	Dphifcoi.exe
File created	C:\Windows\SysWOW64\Ijkljp32.exe	Ibccic32.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Gbgkfg32.exe	Gqfooodg.exe
File created	C:\Windows\SysWOW64\Lolncpam.dll	Gbgkfg32.exe
File opened for modification	C:\Windows\SysWOW64\Gmmocpjk.exe	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Nphlemjl.dll	Gcggpj32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Jepjeoec.dll	Clqnjf32.exe
File created	C:\Windows\SysWOW64\Camfbm32.exe	Coojfa32.exe
File created	C:\Windows\SysWOW64\Hikfip32.exe	Hfljmdjc.exe
File opened for modification	C:\Windows\SysWOW64\Jjpeepnb.exe	Jfdida32.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	Jaimbj32.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Dlegeemh.exe	Cekohk32.exe
File opened for modification	C:\Windows\SysWOW64\Ibjqcd32.exe	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Bclgpkgk.dll	Iapjlk32.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Cekohk32.exe	Ccmclp32.exe
File opened for modification	C:\Windows\SysWOW64\Dphifcoi.exe	Dhqaefng.exe
File created	C:\Windows\SysWOW64\Ngiehn32.dll	Gcpapkgp.exe
File opened for modification	C:\Windows\SysWOW64\Habnjm32.exe	Hikfip32.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Khkchobp.dll	Cefemliq.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Ddphck32.dll	Commqb32.exe
File created	C:\Windows\SysWOW64\Ffggkgmk.exe	Fbllkh32.exe
File created	C:\Windows\SysWOW64\Oddfqf32.dll	Gjlfbd32.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Hbhdmd32.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Clqnjf32.exe	Chebighd.exe
File opened for modification	C:\Windows\SysWOW64\Ficgacna.exe	Ffekegon.exe
File created	C:\Windows\SysWOW64\Iidipnal.exe	Ijaida32.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jangmibi.exe
File created	C:\Windows\SysWOW64\Kbfiep32.exe	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Cefemliq.exe	Commqb32.exe
File created	C:\Windows\SysWOW64\Dnplgc32.dll	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Ldohebqh.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

7236 7176 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
7236	7176	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Ibjqcd32.exeIjkljp32.exeKibnhjgj.exeKgfoan32.exeLnhmng32.exeCefemliq.exeDpcpkc32.exeDcalgo32.exeFmclmabe.exeJigollag.exeFckhdk32.exeKaqcbi32.exeLmqgnhmp.exeLnepih32.exeMgekbljc.exeFicgacna.exeFbllkh32.exeHpgkkioa.exeHfachc32.exeEcdbdl32.exeHapaemll.exeHibljoco.exeKilhgk32.exeMnapdf32.exeMgidml32.exeIiibkn32.exeJfhbppbc.exeLdkojb32.exeLgikfn32.exeLgpagm32.exeMnocof32.exeNnhfee32.exebaaa39974eaff75e17250a8ab6fc3db4.exeGqkhjn32.exeJfdida32.exeKipabjil.exeLdohebqh.exeDhcnke32.exeFfggkgmk.exeFcnejk32.exeGfhqbe32.exeGidphq32.exeJjbako32.exeKbfiep32.exeClqnjf32.exeDlegeemh.exeDaifnk32.exeFmmfmbhn.exeGfedle32.exeLnjjdgee.exeLiggbi32.exeNggqoj32.exeDiihojkb.exeFfekegon.exeFomonm32.exeIiffen32.exeIbmmhdhm.exeKgbefoji.exeMcpebmkb.exeKpjjod32.exeMdkhapfj.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egoqlckf.dll"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cefemliq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgpjnm32.dll"	Dpcpkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eceakm32.dll"	Dcalgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppaheqp.dll"	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hndnbj32.dll"	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbllkh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecdbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egmhjb32.dll"	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	baaa39974eaff75e17250a8ab6fc3db4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhcnke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgohg32.dll"	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbplof32.dll"	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlcqelac.dll"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clqnjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlegeemh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daifnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmmfmbhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Diihojkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffekegon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfedle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Diihojkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mdkhapfj.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

baaa39974eaff75e17250a8ab6fc3db4.exeClnadfbp.exeCommqb32.exeCefemliq.exeChebighd.exeClqnjf32.exeCoojfa32.exeCamfbm32.exeChgoogfa.exeCpofpdgd.exeCcmclp32.exeCekohk32.exeDlegeemh.exeDabpnlkp.exeDiihojkb.exeDpcpkc32.exeDcalgo32.exeDjlddi32.exeDljqpd32.exeDcdimopp.exeDebeijoc.exeDhqaefng.exe

description	pid	process	target process
PID 2404 wrote to memory of 2892	2404	baaa39974eaff75e17250a8ab6fc3db4.exe	Clnadfbp.exe
PID 2404 wrote to memory of 2892	2404	baaa39974eaff75e17250a8ab6fc3db4.exe	Clnadfbp.exe
PID 2404 wrote to memory of 2892	2404	baaa39974eaff75e17250a8ab6fc3db4.exe	Clnadfbp.exe
PID 2892 wrote to memory of 880	2892	Clnadfbp.exe	Commqb32.exe
PID 2892 wrote to memory of 880	2892	Clnadfbp.exe	Commqb32.exe
PID 2892 wrote to memory of 880	2892	Clnadfbp.exe	Commqb32.exe
PID 880 wrote to memory of 5096	880	Commqb32.exe	Cefemliq.exe
PID 880 wrote to memory of 5096	880	Commqb32.exe	Cefemliq.exe
PID 880 wrote to memory of 5096	880	Commqb32.exe	Cefemliq.exe
PID 5096 wrote to memory of 2824	5096	Cefemliq.exe	Chebighd.exe
PID 5096 wrote to memory of 2824	5096	Cefemliq.exe	Chebighd.exe
PID 5096 wrote to memory of 2824	5096	Cefemliq.exe	Chebighd.exe
PID 2824 wrote to memory of 2352	2824	Chebighd.exe	Clqnjf32.exe
PID 2824 wrote to memory of 2352	2824	Chebighd.exe	Clqnjf32.exe
PID 2824 wrote to memory of 2352	2824	Chebighd.exe	Clqnjf32.exe
PID 2352 wrote to memory of 3056	2352	Clqnjf32.exe	Coojfa32.exe
PID 2352 wrote to memory of 3056	2352	Clqnjf32.exe	Coojfa32.exe
PID 2352 wrote to memory of 3056	2352	Clqnjf32.exe	Coojfa32.exe
PID 3056 wrote to memory of 2052	3056	Coojfa32.exe	Camfbm32.exe
PID 3056 wrote to memory of 2052	3056	Coojfa32.exe	Camfbm32.exe
PID 3056 wrote to memory of 2052	3056	Coojfa32.exe	Camfbm32.exe
PID 2052 wrote to memory of 4988	2052	Camfbm32.exe	Chgoogfa.exe
PID 2052 wrote to memory of 4988	2052	Camfbm32.exe	Chgoogfa.exe
PID 2052 wrote to memory of 4988	2052	Camfbm32.exe	Chgoogfa.exe
PID 4988 wrote to memory of 4836	4988	Chgoogfa.exe	Cpofpdgd.exe
PID 4988 wrote to memory of 4836	4988	Chgoogfa.exe	Cpofpdgd.exe
PID 4988 wrote to memory of 4836	4988	Chgoogfa.exe	Cpofpdgd.exe
PID 4836 wrote to memory of 5088	4836	Cpofpdgd.exe	Ccmclp32.exe
PID 4836 wrote to memory of 5088	4836	Cpofpdgd.exe	Ccmclp32.exe
PID 4836 wrote to memory of 5088	4836	Cpofpdgd.exe	Ccmclp32.exe
PID 5088 wrote to memory of 1696	5088	Ccmclp32.exe	Cekohk32.exe
PID 5088 wrote to memory of 1696	5088	Ccmclp32.exe	Cekohk32.exe
PID 5088 wrote to memory of 1696	5088	Ccmclp32.exe	Cekohk32.exe
PID 1696 wrote to memory of 5108	1696	Cekohk32.exe	Dlegeemh.exe
PID 1696 wrote to memory of 5108	1696	Cekohk32.exe	Dlegeemh.exe
PID 1696 wrote to memory of 5108	1696	Cekohk32.exe	Dlegeemh.exe
PID 5108 wrote to memory of 1892	5108	Dlegeemh.exe	Dabpnlkp.exe
PID 5108 wrote to memory of 1892	5108	Dlegeemh.exe	Dabpnlkp.exe
PID 5108 wrote to memory of 1892	5108	Dlegeemh.exe	Dabpnlkp.exe
PID 1892 wrote to memory of 4444	1892	Dabpnlkp.exe	Diihojkb.exe
PID 1892 wrote to memory of 4444	1892	Dabpnlkp.exe	Diihojkb.exe
PID 1892 wrote to memory of 4444	1892	Dabpnlkp.exe	Diihojkb.exe
PID 4444 wrote to memory of 4436	4444	Diihojkb.exe	Dpcpkc32.exe
PID 4444 wrote to memory of 4436	4444	Diihojkb.exe	Dpcpkc32.exe
PID 4444 wrote to memory of 4436	4444	Diihojkb.exe	Dpcpkc32.exe
PID 4436 wrote to memory of 2060	4436	Dpcpkc32.exe	Dcalgo32.exe
PID 4436 wrote to memory of 2060	4436	Dpcpkc32.exe	Dcalgo32.exe
PID 4436 wrote to memory of 2060	4436	Dpcpkc32.exe	Dcalgo32.exe
PID 2060 wrote to memory of 1232	2060	Dcalgo32.exe	Djlddi32.exe
PID 2060 wrote to memory of 1232	2060	Dcalgo32.exe	Djlddi32.exe
PID 2060 wrote to memory of 1232	2060	Dcalgo32.exe	Djlddi32.exe
PID 1232 wrote to memory of 3356	1232	Djlddi32.exe	Dljqpd32.exe
PID 1232 wrote to memory of 3356	1232	Djlddi32.exe	Dljqpd32.exe
PID 1232 wrote to memory of 3356	1232	Djlddi32.exe	Dljqpd32.exe
PID 3356 wrote to memory of 4976	3356	Dljqpd32.exe	Dcdimopp.exe
PID 3356 wrote to memory of 4976	3356	Dljqpd32.exe	Dcdimopp.exe
PID 3356 wrote to memory of 4976	3356	Dljqpd32.exe	Dcdimopp.exe
PID 4976 wrote to memory of 3352	4976	Dcdimopp.exe	Debeijoc.exe
PID 4976 wrote to memory of 3352	4976	Dcdimopp.exe	Debeijoc.exe
PID 4976 wrote to memory of 3352	4976	Dcdimopp.exe	Debeijoc.exe
PID 3352 wrote to memory of 2800	3352	Debeijoc.exe	Dhqaefng.exe
PID 3352 wrote to memory of 2800	3352	Debeijoc.exe	Dhqaefng.exe
PID 3352 wrote to memory of 2800	3352	Debeijoc.exe	Dhqaefng.exe
PID 2800 wrote to memory of 2068	2800	Dhqaefng.exe	Dphifcoi.exe

C:\Users\Admin\AppData\Local\Temp\baaa39974eaff75e17250a8ab6fc3db4.exe
"C:\Users\Admin\AppData\Local\Temp\baaa39974eaff75e17250a8ab6fc3db4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\SysWOW64\Clnadfbp.exe
C:\Windows\system32\Clnadfbp.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\SysWOW64\Commqb32.exe
C:\Windows\system32\Commqb32.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\SysWOW64\Cefemliq.exe
C:\Windows\system32\Cefemliq.exe
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\SysWOW64\Chebighd.exe
C:\Windows\system32\Chebighd.exe
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\Clqnjf32.exe
C:\Windows\system32\Clqnjf32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\SysWOW64\Coojfa32.exe
C:\Windows\system32\Coojfa32.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\SysWOW64\Camfbm32.exe
C:\Windows\system32\Camfbm32.exe
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\SysWOW64\Chgoogfa.exe
C:\Windows\system32\Chgoogfa.exe
9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\SysWOW64\Cpofpdgd.exe
C:\Windows\system32\Cpofpdgd.exe
10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\SysWOW64\Ccmclp32.exe
C:\Windows\system32\Ccmclp32.exe
11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\SysWOW64\Cekohk32.exe
C:\Windows\system32\Cekohk32.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\Dlegeemh.exe
C:\Windows\system32\Dlegeemh.exe
13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\SysWOW64\Dabpnlkp.exe
C:\Windows\system32\Dabpnlkp.exe
14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\SysWOW64\Diihojkb.exe
C:\Windows\system32\Diihojkb.exe
15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\SysWOW64\Dpcpkc32.exe
C:\Windows\system32\Dpcpkc32.exe
16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\SysWOW64\Dcalgo32.exe
C:\Windows\system32\Dcalgo32.exe
17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\SysWOW64\Djlddi32.exe
C:\Windows\system32\Djlddi32.exe
18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\SysWOW64\Dljqpd32.exe
C:\Windows\system32\Dljqpd32.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\SysWOW64\Dcdimopp.exe
C:\Windows\system32\Dcdimopp.exe
20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976

C:\Windows\SysWOW64\Debeijoc.exe
C:\Windows\system32\Debeijoc.exe
21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3352

C:\Windows\SysWOW64\Dhqaefng.exe
C:\Windows\system32\Dhqaefng.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\SysWOW64\Dphifcoi.exe
C:\Windows\system32\Dphifcoi.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2068

C:\Windows\SysWOW64\Daifnk32.exe
C:\Windows\system32\Daifnk32.exe
24⤵
- Executes dropped EXE
- Modifies registry class
PID:3276

C:\Windows\SysWOW64\Dhcnke32.exe
C:\Windows\system32\Dhcnke32.exe
25⤵
- Executes dropped EXE
- Modifies registry class
PID:4124

C:\Windows\SysWOW64\Dchbhn32.exe
C:\Windows\system32\Dchbhn32.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4608

C:\Windows\SysWOW64\Efgodj32.exe
C:\Windows\system32\Efgodj32.exe
27⤵
- Executes dropped EXE
PID:4864

C:\Windows\SysWOW64\Efikji32.exe
C:\Windows\system32\Efikji32.exe
28⤵
- Executes dropped EXE
PID:4684

C:\Windows\SysWOW64\Elccfc32.exe
C:\Windows\system32\Elccfc32.exe
29⤵
- Executes dropped EXE
PID:4356

C:\Windows\SysWOW64\Ebploj32.exe
C:\Windows\system32\Ebploj32.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4708

C:\Windows\SysWOW64\Eleplc32.exe
C:\Windows\system32\Eleplc32.exe
31⤵
- Executes dropped EXE
PID:1080

C:\Windows\SysWOW64\Eodlho32.exe
C:\Windows\system32\Eodlho32.exe
32⤵
- Executes dropped EXE
PID:1540

C:\Windows\SysWOW64\Efneehef.exe
C:\Windows\system32\Efneehef.exe
33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4972

C:\Windows\SysWOW64\Ehlaaddj.exe
C:\Windows\system32\Ehlaaddj.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1744

C:\Windows\SysWOW64\Eqciba32.exe
C:\Windows\system32\Eqciba32.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3380

C:\Windows\SysWOW64\Ebeejijj.exe
C:\Windows\system32\Ebeejijj.exe
36⤵
- Executes dropped EXE
PID:3440

C:\Windows\SysWOW64\Ehonfc32.exe
C:\Windows\system32\Ehonfc32.exe
37⤵
- Executes dropped EXE
PID:4904

C:\Windows\SysWOW64\Eqfeha32.exe
C:\Windows\system32\Eqfeha32.exe
38⤵
- Executes dropped EXE
PID:3044

C:\Windows\SysWOW64\Ecdbdl32.exe
C:\Windows\system32\Ecdbdl32.exe
39⤵
- Executes dropped EXE
- Modifies registry class
PID:2440

C:\Windows\SysWOW64\Fjnjqfij.exe
C:\Windows\system32\Fjnjqfij.exe
40⤵
- Executes dropped EXE
PID:3544

C:\Windows\SysWOW64\Fmmfmbhn.exe
C:\Windows\system32\Fmmfmbhn.exe
41⤵
- Executes dropped EXE
- Modifies registry class
PID:1908

C:\Windows\SysWOW64\Fokbim32.exe
C:\Windows\system32\Fokbim32.exe
42⤵
- Executes dropped EXE
PID:2312

C:\Windows\SysWOW64\Ffekegon.exe
C:\Windows\system32\Ffekegon.exe
43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4944

C:\Windows\SysWOW64\Ficgacna.exe
C:\Windows\system32\Ficgacna.exe
44⤵
- Executes dropped EXE
- Modifies registry class
PID:764

C:\Windows\SysWOW64\Fomonm32.exe
C:\Windows\system32\Fomonm32.exe
45⤵
- Executes dropped EXE
- Modifies registry class
PID:4912

C:\Windows\SysWOW64\Fbllkh32.exe
C:\Windows\system32\Fbllkh32.exe
46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2568

C:\Windows\SysWOW64\Ffggkgmk.exe
C:\Windows\system32\Ffggkgmk.exe
47⤵
- Executes dropped EXE
- Modifies registry class
PID:3396

C:\Windows\SysWOW64\Fqmlhpla.exe
C:\Windows\system32\Fqmlhpla.exe
48⤵
- Executes dropped EXE
PID:2316

C:\Windows\SysWOW64\Fckhdk32.exe
C:\Windows\system32\Fckhdk32.exe
49⤵
- Executes dropped EXE
- Modifies registry class
PID:4176

C:\Windows\SysWOW64\Ffjdqg32.exe
C:\Windows\system32\Ffjdqg32.exe
50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2216

C:\Windows\SysWOW64\Fihqmb32.exe
C:\Windows\system32\Fihqmb32.exe
51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2268

C:\Windows\SysWOW64\Fmclmabe.exe
C:\Windows\system32\Fmclmabe.exe
52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4888

C:\Windows\SysWOW64\Fcnejk32.exe
C:\Windows\system32\Fcnejk32.exe
53⤵
- Executes dropped EXE
- Modifies registry class
PID:5000

C:\Windows\SysWOW64\Fjhmgeao.exe
C:\Windows\system32\Fjhmgeao.exe
54⤵
- Executes dropped EXE
PID:5100

C:\Windows\SysWOW64\Fmficqpc.exe
C:\Windows\system32\Fmficqpc.exe
55⤵
- Executes dropped EXE
PID:4316

C:\Windows\SysWOW64\Fodeolof.exe
C:\Windows\system32\Fodeolof.exe
56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1064

C:\Windows\SysWOW64\Gcpapkgp.exe
C:\Windows\system32\Gcpapkgp.exe
57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4796

C:\Windows\SysWOW64\Gimjhafg.exe
C:\Windows\system32\Gimjhafg.exe
58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:884

C:\Windows\SysWOW64\Gogbdl32.exe
C:\Windows\system32\Gogbdl32.exe
59⤵
- Executes dropped EXE
PID:864

C:\Windows\SysWOW64\Gbenqg32.exe
C:\Windows\system32\Gbenqg32.exe
60⤵
- Executes dropped EXE
PID:3744

C:\Windows\SysWOW64\Gjlfbd32.exe
C:\Windows\system32\Gjlfbd32.exe
61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4044

C:\Windows\SysWOW64\Gqfooodg.exe
C:\Windows\system32\Gqfooodg.exe
62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1020

C:\Windows\SysWOW64\Gbgkfg32.exe
C:\Windows\system32\Gbgkfg32.exe
63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3296

C:\Windows\SysWOW64\Gjocgdkg.exe
C:\Windows\system32\Gjocgdkg.exe
64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4256

C:\Windows\SysWOW64\Gmmocpjk.exe
C:\Windows\system32\Gmmocpjk.exe
65⤵
- Executes dropped EXE
PID:4192

C:\Windows\SysWOW64\Gcggpj32.exe
C:\Windows\system32\Gcggpj32.exe
66⤵
- Drops file in System32 directory
PID:2596

C:\Windows\SysWOW64\Gfedle32.exe
C:\Windows\system32\Gfedle32.exe
67⤵
- Modifies registry class
PID:4160

C:\Windows\SysWOW64\Gidphq32.exe
C:\Windows\system32\Gidphq32.exe
68⤵
- Modifies registry class
PID:384

C:\Windows\SysWOW64\Gmoliohh.exe
C:\Windows\system32\Gmoliohh.exe
69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4216

C:\Windows\SysWOW64\Gqkhjn32.exe
C:\Windows\system32\Gqkhjn32.exe
70⤵
- Modifies registry class
PID:4460

C:\Windows\SysWOW64\Gfhqbe32.exe
C:\Windows\system32\Gfhqbe32.exe
71⤵
- Modifies registry class
PID:3800

C:\Windows\SysWOW64\Gjclbc32.exe
C:\Windows\system32\Gjclbc32.exe
72⤵
PID:828

C:\Windows\SysWOW64\Gmaioo32.exe
C:\Windows\system32\Gmaioo32.exe
73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1276

C:\Windows\SysWOW64\Hclakimb.exe
C:\Windows\system32\Hclakimb.exe
74⤵
PID:4204

C:\Windows\SysWOW64\Hfjmgdlf.exe
C:\Windows\system32\Hfjmgdlf.exe
75⤵
PID:3752

C:\Windows\SysWOW64\Hapaemll.exe
C:\Windows\system32\Hapaemll.exe
76⤵
- Modifies registry class
PID:4648

C:\Windows\SysWOW64\Hcnnaikp.exe
C:\Windows\system32\Hcnnaikp.exe
77⤵
PID:860

C:\Windows\SysWOW64\Hfljmdjc.exe
C:\Windows\system32\Hfljmdjc.exe
78⤵
- Drops file in System32 directory
PID:2612

C:\Windows\SysWOW64\Hikfip32.exe
C:\Windows\system32\Hikfip32.exe
79⤵
- Drops file in System32 directory
PID:4996

C:\Windows\SysWOW64\Habnjm32.exe
C:\Windows\system32\Habnjm32.exe
80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:448

C:\Windows\SysWOW64\Hcqjfh32.exe
C:\Windows\system32\Hcqjfh32.exe
81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4616

C:\Windows\SysWOW64\Hfofbd32.exe
C:\Windows\system32\Hfofbd32.exe
82⤵
PID:2360

C:\Windows\SysWOW64\Himcoo32.exe
C:\Windows\system32\Himcoo32.exe
83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4792

C:\Windows\SysWOW64\Hpgkkioa.exe
C:\Windows\system32\Hpgkkioa.exe
84⤵
- Modifies registry class
PID:5164

C:\Windows\SysWOW64\Hccglh32.exe
C:\Windows\system32\Hccglh32.exe
85⤵
PID:5200

C:\Windows\SysWOW64\Hfachc32.exe
C:\Windows\system32\Hfachc32.exe
86⤵
- Modifies registry class
PID:5240

C:\Windows\SysWOW64\Hcedaheh.exe
C:\Windows\system32\Hcedaheh.exe
87⤵
- Drops file in System32 directory
PID:5296

C:\Windows\SysWOW64\Hbhdmd32.exe
C:\Windows\system32\Hbhdmd32.exe
88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5344

C:\Windows\SysWOW64\Hibljoco.exe
C:\Windows\system32\Hibljoco.exe
89⤵
- Modifies registry class
PID:5384

C:\Windows\SysWOW64\Haidklda.exe
C:\Windows\system32\Haidklda.exe
90⤵
PID:5428

C:\Windows\SysWOW64\Ipldfi32.exe
C:\Windows\system32\Ipldfi32.exe
91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5476

C:\Windows\SysWOW64\Ibjqcd32.exe
C:\Windows\system32\Ibjqcd32.exe
92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5508

C:\Windows\SysWOW64\Ijaida32.exe
C:\Windows\system32\Ijaida32.exe
93⤵
- Drops file in System32 directory
PID:5560

C:\Windows\SysWOW64\Iidipnal.exe
C:\Windows\system32\Iidipnal.exe
94⤵
PID:5596

C:\Windows\SysWOW64\Ibmmhdhm.exe
C:\Windows\system32\Ibmmhdhm.exe
95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5640

C:\Windows\SysWOW64\Ijdeiaio.exe
C:\Windows\system32\Ijdeiaio.exe
96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5688

C:\Windows\SysWOW64\Iiffen32.exe
C:\Windows\system32\Iiffen32.exe
97⤵
- Modifies registry class
PID:5728

C:\Windows\SysWOW64\Iannfk32.exe
C:\Windows\system32\Iannfk32.exe
98⤵
PID:5772

C:\Windows\SysWOW64\Ifjfnb32.exe
C:\Windows\system32\Ifjfnb32.exe
99⤵
- Drops file in System32 directory
PID:5824

C:\Windows\SysWOW64\Iiibkn32.exe
C:\Windows\system32\Iiibkn32.exe
100⤵
- Modifies registry class
PID:5868

C:\Windows\SysWOW64\Iapjlk32.exe
C:\Windows\system32\Iapjlk32.exe
101⤵
- Drops file in System32 directory
PID:5908

C:\Windows\SysWOW64\Imgkql32.exe
C:\Windows\system32\Imgkql32.exe
102⤵
- Drops file in System32 directory
PID:5976

C:\Windows\SysWOW64\Ipegmg32.exe
C:\Windows\system32\Ipegmg32.exe
103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6016

C:\Windows\SysWOW64\Ibccic32.exe
C:\Windows\system32\Ibccic32.exe
104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6060

C:\Windows\SysWOW64\Ijkljp32.exe
C:\Windows\system32\Ijkljp32.exe
105⤵
- Modifies registry class
PID:6096

C:\Windows\SysWOW64\Imihfl32.exe
C:\Windows\system32\Imihfl32.exe
106⤵
PID:4932

C:\Windows\SysWOW64\Jdcpcf32.exe
C:\Windows\system32\Jdcpcf32.exe
107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5152

C:\Windows\SysWOW64\Jiphkm32.exe
C:\Windows\system32\Jiphkm32.exe
108⤵
PID:5232

C:\Windows\SysWOW64\Jmkdlkph.exe
C:\Windows\system32\Jmkdlkph.exe
109⤵
PID:5312

C:\Windows\SysWOW64\Jpjqhgol.exe
C:\Windows\system32\Jpjqhgol.exe
110⤵
PID:5408

C:\Windows\SysWOW64\Jfdida32.exe
C:\Windows\system32\Jfdida32.exe
111⤵
- Drops file in System32 directory
- Modifies registry class
PID:5452

C:\Windows\SysWOW64\Jjpeepnb.exe
C:\Windows\system32\Jjpeepnb.exe
112⤵
PID:5536

C:\Windows\SysWOW64\Jibeql32.exe
C:\Windows\system32\Jibeql32.exe
113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5624

C:\Windows\SysWOW64\Jaimbj32.exe
C:\Windows\system32\Jaimbj32.exe
114⤵
- Drops file in System32 directory
PID:5696

C:\Windows\SysWOW64\Jbkjjblm.exe
C:\Windows\system32\Jbkjjblm.exe
115⤵
PID:5756

C:\Windows\SysWOW64\Jjbako32.exe
C:\Windows\system32\Jjbako32.exe
116⤵
- Drops file in System32 directory
- Modifies registry class
PID:5820

C:\Windows\SysWOW64\Jidbflcj.exe
C:\Windows\system32\Jidbflcj.exe
117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5900

C:\Windows\SysWOW64\Jpojcf32.exe
C:\Windows\system32\Jpojcf32.exe
118⤵
PID:5972

C:\Windows\SysWOW64\Jfhbppbc.exe
C:\Windows\system32\Jfhbppbc.exe
119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6036

C:\Windows\SysWOW64\Jigollag.exe
C:\Windows\system32\Jigollag.exe
120⤵
- Modifies registry class
PID:6112

C:\Windows\SysWOW64\Jangmibi.exe
C:\Windows\system32\Jangmibi.exe
121⤵
- Drops file in System32 directory
PID:5148

C:\Windows\SysWOW64\Jdmcidam.exe
C:\Windows\system32\Jdmcidam.exe
122⤵
PID:5288

C:\Windows\SysWOW64\Jkfkfohj.exe
C:\Windows\system32\Jkfkfohj.exe
123⤵
PID:5448

C:\Windows\SysWOW64\Kmegbjgn.exe
C:\Windows\system32\Kmegbjgn.exe
124⤵
PID:5516

C:\Windows\SysWOW64\Kaqcbi32.exe
C:\Windows\system32\Kaqcbi32.exe
125⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5668

C:\Windows\SysWOW64\Kkihknfg.exe
C:\Windows\system32\Kkihknfg.exe
126⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5852

C:\Windows\SysWOW64\Kilhgk32.exe
C:\Windows\system32\Kilhgk32.exe
127⤵
- Drops file in System32 directory
- Modifies registry class
PID:5932

C:\Windows\SysWOW64\Kpepcedo.exe
C:\Windows\system32\Kpepcedo.exe
128⤵
- Drops file in System32 directory
PID:6128

C:\Windows\SysWOW64\Kbdmpqcb.exe
C:\Windows\system32\Kbdmpqcb.exe
129⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5400

C:\Windows\SysWOW64\Kkkdan32.exe
C:\Windows\system32\Kkkdan32.exe
130⤵
PID:5524

C:\Windows\SysWOW64\Kmjqmi32.exe
C:\Windows\system32\Kmjqmi32.exe
131⤵
- Drops file in System32 directory
PID:5736

C:\Windows\SysWOW64\Kphmie32.exe
C:\Windows\system32\Kphmie32.exe
132⤵
- Drops file in System32 directory
PID:5964

C:\Windows\SysWOW64\Kbfiep32.exe
C:\Windows\system32\Kbfiep32.exe
133⤵
- Modifies registry class
PID:5320

C:\Windows\SysWOW64\Kgbefoji.exe
C:\Windows\system32\Kgbefoji.exe
134⤵
- Modifies registry class
PID:5568

C:\Windows\SysWOW64\Kipabjil.exe
C:\Windows\system32\Kipabjil.exe
135⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5916

C:\Windows\SysWOW64\Kagichjo.exe
C:\Windows\system32\Kagichjo.exe
136⤵
PID:5504

C:\Windows\SysWOW64\Kpjjod32.exe
C:\Windows\system32\Kpjjod32.exe
137⤵
- Modifies registry class
PID:5864

C:\Windows\SysWOW64\Kkpnlm32.exe
C:\Windows\system32\Kkpnlm32.exe
138⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5632

C:\Windows\SysWOW64\Kibnhjgj.exe
C:\Windows\system32\Kibnhjgj.exe
139⤵
- Drops file in System32 directory
- Modifies registry class
PID:5636

C:\Windows\SysWOW64\Kajfig32.exe
C:\Windows\system32\Kajfig32.exe
140⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6180

C:\Windows\SysWOW64\Kgfoan32.exe
C:\Windows\system32\Kgfoan32.exe
141⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:6220

C:\Windows\SysWOW64\Lmqgnhmp.exe
C:\Windows\system32\Lmqgnhmp.exe
142⤵
- Modifies registry class
PID:6260

C:\Windows\SysWOW64\Lpocjdld.exe
C:\Windows\system32\Lpocjdld.exe
143⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6304

C:\Windows\SysWOW64\Ldkojb32.exe
C:\Windows\system32\Ldkojb32.exe
144⤵
- Drops file in System32 directory
- Modifies registry class
PID:6356

C:\Windows\SysWOW64\Lgikfn32.exe
C:\Windows\system32\Lgikfn32.exe
145⤵
- Modifies registry class
PID:6404

C:\Windows\SysWOW64\Liggbi32.exe
C:\Windows\system32\Liggbi32.exe
146⤵
- Modifies registry class
PID:6448

C:\Windows\SysWOW64\Laopdgcg.exe
C:\Windows\system32\Laopdgcg.exe
147⤵
PID:6488

C:\Windows\SysWOW64\Lgkhlnbn.exe
C:\Windows\system32\Lgkhlnbn.exe
148⤵
PID:6532

C:\Windows\SysWOW64\Lkgdml32.exe
C:\Windows\system32\Lkgdml32.exe
149⤵
PID:6572

C:\Windows\SysWOW64\Lnepih32.exe
C:\Windows\system32\Lnepih32.exe
150⤵
- Drops file in System32 directory
- Modifies registry class
PID:6620

C:\Windows\SysWOW64\Lpcmec32.exe
C:\Windows\system32\Lpcmec32.exe
151⤵
PID:6660

C:\Windows\SysWOW64\Ldohebqh.exe
C:\Windows\system32\Ldohebqh.exe
152⤵
- Drops file in System32 directory
- Modifies registry class
PID:6700

C:\Windows\SysWOW64\Lkiqbl32.exe
C:\Windows\system32\Lkiqbl32.exe
153⤵
PID:6744

C:\Windows\SysWOW64\Lnhmng32.exe
C:\Windows\system32\Lnhmng32.exe
154⤵
- Drops file in System32 directory
- Modifies registry class
PID:6788

C:\Windows\SysWOW64\Ldaeka32.exe
C:\Windows\system32\Ldaeka32.exe
155⤵
PID:6832

C:\Windows\SysWOW64\Lcdegnep.exe
C:\Windows\system32\Lcdegnep.exe
156⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6884

C:\Windows\SysWOW64\Lgpagm32.exe
C:\Windows\system32\Lgpagm32.exe
157⤵
- Modifies registry class
PID:6928

C:\Windows\SysWOW64\Lnjjdgee.exe
C:\Windows\system32\Lnjjdgee.exe
158⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6968

C:\Windows\SysWOW64\Lddbqa32.exe
C:\Windows\system32\Lddbqa32.exe
159⤵
PID:7020

C:\Windows\SysWOW64\Lknjmkdo.exe
C:\Windows\system32\Lknjmkdo.exe
160⤵
PID:7076

C:\Windows\SysWOW64\Mjqjih32.exe
C:\Windows\system32\Mjqjih32.exe
161⤵
- Drops file in System32 directory
PID:7120

C:\Windows\SysWOW64\Mahbje32.exe
C:\Windows\system32\Mahbje32.exe
162⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6084

C:\Windows\SysWOW64\Mdfofakp.exe
C:\Windows\system32\Mdfofakp.exe
163⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6196

C:\Windows\SysWOW64\Mciobn32.exe
C:\Windows\system32\Mciobn32.exe
164⤵
- Drops file in System32 directory
PID:6296

C:\Windows\SysWOW64\Mgekbljc.exe
C:\Windows\system32\Mgekbljc.exe
165⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6384

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
166⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6456

C:\Windows\SysWOW64\Majopeii.exe
C:\Windows\system32\Majopeii.exe
167⤵
PID:6524

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
168⤵
PID:6600

C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
169⤵
PID:6716

C:\Windows\SysWOW64\Mnapdf32.exe
C:\Windows\system32\Mnapdf32.exe
170⤵
- Modifies registry class
PID:6812

C:\Windows\SysWOW64\Mdkhapfj.exe
C:\Windows\system32\Mdkhapfj.exe
171⤵
- Modifies registry class
PID:6936

C:\Windows\SysWOW64\Mgidml32.exe
C:\Windows\system32\Mgidml32.exe
172⤵
- Modifies registry class
PID:7012

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
173⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7084

C:\Windows\SysWOW64\Mdmegp32.exe
C:\Windows\system32\Mdmegp32.exe
174⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7164

C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
175⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6244

C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
176⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6372

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
177⤵
PID:6516

C:\Windows\SysWOW64\Nnhfee32.exe
C:\Windows\system32\Nnhfee32.exe
178⤵
- Modifies registry class
PID:6732

C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
179⤵
- Drops file in System32 directory
PID:6820

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
180⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7000

C:\Windows\SysWOW64\Njogjfoj.exe
C:\Windows\system32\Njogjfoj.exe
181⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7156

C:\Windows\SysWOW64\Nqiogp32.exe
C:\Windows\system32\Nqiogp32.exe
182⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6228

C:\Windows\SysWOW64\Ncgkcl32.exe
C:\Windows\system32\Ncgkcl32.exe
183⤵
PID:6504

C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
184⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6772

C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
185⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7060

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
186⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6212

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
187⤵
PID:6564

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
188⤵
- Drops file in System32 directory
PID:7056

C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
189⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6324

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
190⤵
PID:6188

C:\Windows\SysWOW64\Nggqoj32.exe
C:\Windows\system32\Nggqoj32.exe
191⤵
- Modifies registry class
PID:6028

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
192⤵
PID:7176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7176 -s 408
193⤵
- Program crash
PID:7236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7176 -ip 7176
1⤵
PID:7204

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Camfbm32.exe
Filesize
135KB

MD5
48ae5d4e54acd73d929ecfe9039b592c

SHA1
d77bba2a21952d37e0df4ff037d3594e95a1b9f3

SHA256
03328a6286da1d883b7475d498ee468652fc3cc1e16d18b31758881209186d29

SHA512
285b820a426254b8549bbf5a37459f563e87b3fa088e26001715dcab78d063494a1c8c66ce03290da537a6b11496b2eb50dad32254519aaad5c02de5220ceb34

Download Submit
C:\Windows\SysWOW64\Ccmclp32.exe
Filesize
135KB

MD5
0e8ef0ccc5de56f39e37e4ded6d22df5

SHA1
0c544ad74d743b2d6c273a35dd88bc2609910cec

SHA256
fc3fffa11a6da2d7a8d35b04462fed5cfb3c7eaedc9c53eede8d023c961a8978

SHA512
9a54230ef99e7da5988aa7bbbbb66df3f76e03026cfbab0bc62d12c00dfabbaddd3ccdc51efad41c73ac7f1c2b902d1715c1bc51df1fcd53b9dd74a555c7e025

Download Submit
C:\Windows\SysWOW64\Cefemliq.exe
Filesize
135KB

MD5
0bc869ce7e69a1a59d868b640ec5956e

SHA1
9aad37beaac2854a69c1d246d9abb6aa29d11bbd

SHA256
45a03915d8d325c59ae185b08e7040e1e9c12944a53b3551cb217b3e6ff2982c

SHA512
e326d4bb974371d4b6dbe7df58fd85098ec31848c0071380823685317acca35a3cc93f840169e182dfb1e2a60dbb309d4328284f224539fc6d12e74c40f67264

Download Submit
C:\Windows\SysWOW64\Cekohk32.exe
Filesize
135KB

MD5
af73e43da711ec67e97193803d294023

SHA1
10b4d300adcf85038ec91d05052ac6a53702f481

SHA256
f1ae4a2f14ba1da135c08ad8eed0fd97aebbe18cc6a3426303724171b421253b

SHA512
975b9233b97b9069d3755496b49973874eb36ab5b25a5f037e46f9baa8916985a6b1756a772a357e2921995ca2d11795cb274a4b4172936e63c56439adb3f96e

Download Submit
C:\Windows\SysWOW64\Chebighd.exe
Filesize
135KB

MD5
e883a075ed0af5e7630f8acf103a242e

SHA1
e6246f9985e057d2c8cc4217ee8b230c2bab1b45

SHA256
96be55defa38e60c877b87733de179764cc5b7a1e61e65cb8ca7969cc31937aa

SHA512
e094630bb42bb7d3c68460978eabff4bbf851ededc792a5d4b193148f9b98448334db5edf8a656201966b478a0e2a9670fdaf2037a31980236964e4b8dd257be

Download Submit
C:\Windows\SysWOW64\Chgoogfa.exe
Filesize
135KB

MD5
0c7b1148c07714411fee2487a514acc7

SHA1
5e8954751814eeae5c6078d1562c026c166bff06

SHA256
14b812e33d3d43e7b24de97b3ed272f89a5ff68bc773e35e10312da156e1d15a

SHA512
29dc17a60efce7356af66bb7c0fb36d56d1d0931075bd379eda0b5dc91f5b332d26a39a4e863be435a1460aabb857096142d60b4a116ef786f9c0b818f0cf1ca

Download Submit
C:\Windows\SysWOW64\Clnadfbp.exe
Filesize
135KB

MD5
aece4040849860557f56d467a7cb2381

SHA1
d390e1cdda1287e5b543819a106c7d21716244ab

SHA256
6f54080be87162ef7cdde50e2ba6695f71bcb790a391fc5e8d145f5e7c15819f

SHA512
0fb99cb0f4dde1f0cae777ff7e66bc71dce5b97685a5409ebae8a364baf7921f842c1593666ede038b84a9eff49803daf7328f11d960a74ca65d9d359515213d

Download Submit
C:\Windows\SysWOW64\Clqnjf32.exe
Filesize
135KB

MD5
9918d3031c0762526d7c06f1ce77d7c3

SHA1
238a57702fecf3f7870b9d01bd225383260fa546

SHA256
c8906e7df3acea43407b6902862e2617ee75020533c17c5402a27d88867c5db1

SHA512
84396bdc57ceed6b33536feaa182ee03a6458a21aca596b3ffae34d05f063f380543503a0c8af4766f5cd81aca06b507108912b5dad619cab93ebdc9e6217043

Download Submit
C:\Windows\SysWOW64\Commqb32.exe
Filesize
135KB

MD5
aeee466a0cd246910d31b1d17c15806c

SHA1
8c475ff2703e679c8ac35d5add787fc9043ed34d

SHA256
b49ff910060a50f29fad7af0e52b3a7e3139c0e22c741a8799b1e78a44880f38

SHA512
0bcc94bb6764e3e7c50274625a998635d80bff76802bc406e9026d866c7c4209675931296db0290b572d1525246569150fa1c54f08ec4c5467fabd33faad9fed

Download Submit
C:\Windows\SysWOW64\Coojfa32.exe
Filesize
135KB

MD5
e982df6db0e0c001ab3f3dbc50810966

SHA1
74e15b65a68eb5521e4ba1d5a2b4637d1e6aa23e

SHA256
6b529464b657ab85230beee05f1d23fbe1f5f6e309be64e7b43678ddf72e6ad2

SHA512
a8a4b3e825e0649bdabebd7585da769475724b844ecd7cd68d8ff5b85fa9d2c4066f27c4ae299191d8d7b75716d4de47fc2de5fdfe1c843f7a5c397db77c468b

Download Submit
C:\Windows\SysWOW64\Cpofpdgd.exe
Filesize
135KB

MD5
591bb0143fd2dfafb409c06d10b9fc2e

SHA1
9f6d30367fa30ceeb8e2cf756894bb7748e4ff54

SHA256
f550a8077ed644041a54f045b021380367181a3510a4d30a83ae8f2b5f4b110e

SHA512
6dff8514567b96d2c61c03669652e549548ce12ac24440dfd6d7b1717aec1fea513d63953f8ab90361fd94a506e9ff27ff7edd5e16af38940fd3c987d8f692f4

Download Submit
C:\Windows\SysWOW64\Dabpnlkp.exe
Filesize
135KB

MD5
2912b26ee8b8471348ff202fcdedbd44

SHA1
c5331aaba37170ded588ad4f9cdcf970283858f4

SHA256
3587efd01091902d96a87e43be82dce726b06efefb3ee726f993ce128dea5b61

SHA512
62149584fc4fc841846b500e8915da6a8e9d7d0e061f4763e67440866c5db967e37419cfa9212dd9cf28eb8e79f6d0885d486087b6a7a33b0a0a56e624ba85df

Download Submit
C:\Windows\SysWOW64\Daifnk32.exe
Filesize
135KB

MD5
18ee5b286a42992e6ff084a267ff5385

SHA1
b58d8e145410108d91e16af0b1923fa39ac592fd

SHA256
614e0a94b6dad6fc0b0bd4fa15733a80929eb982844da2915d8bd5054f608951

SHA512
ac5f198cfc1a2d8fdb4deb8d8808a226257c69107444c3daee2d49db5c563b1c86b84fca7da407b8337786bc74f2785cc4487c0d7fb3c90e0ae6379e068f99a2

Download Submit
C:\Windows\SysWOW64\Dcalgo32.exe
Filesize
135KB

MD5
92569ec4d02ca5f0c1f9a4008a68d284

SHA1
aaca75db3af72c6325a7faa1daf35c8bdabce6b2

SHA256
804e2a6d4472b9b0aa9dc846eec7190d988ab16108201b0d7ba4b999c44675f5

SHA512
5c05b2e9b4b799f83ea024e817bae4ee06b6a40f7a28fa25b595ddb57a59ea63d0ae27ff55e715d0e45005105581b05710641bd4c1bd6cb282ab880cf224c5ee

Download Submit
C:\Windows\SysWOW64\Dcdimopp.exe
Filesize
135KB

MD5
0830b086bfa407c521f7c7287788747b

SHA1
de2afce01f1f031de4dcb8085a82a0fa068e46a7

SHA256
95cbb6938b3a5a1f778528e92cbd09832ec93a1ffd19d5b50047e8a175fa1fb7

SHA512
d83d199e4470a8901f82aab19d6aba549ed5d5ec68be35184f19ac841c187bd343a6ab1d9e06a88a228de98a6af9439262056b67c78b569663b542f52c8842a0

Download Submit
C:\Windows\SysWOW64\Dchbhn32.exe
Filesize
135KB

MD5
63dc6a823f3f801e5a7aefd23b7bf907

SHA1
7562e97288ad8f452964681547f5d6f0bfeed876

SHA256
72c95e7d46d7171adb238761a6c5fb3d455693252c952f701fab060e4cb14931

SHA512
6eb80ac55870447c6352b2c2f5c3acc0f79a30a86f13e56cc685b57647d87f698656266d41bf5880d9699b6f0d74e26a9428132eb00c6ff133220dda86449a60

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe
Filesize
135KB

MD5
3a6ecf370416269495789dd67c914f6d

SHA1
3da8a8521e76079a23d3615556071043f369c7ed

SHA256
508f07d6388d35caac269a7950cba8065a7fc1d2d368f8e5df41df79c4202c7f

SHA512
42044233d02350beaaaa44dd6ef0a70dd1b8f4d661897872dd1940f9fece83bef779021415fce44edfd01803bce5c3a3db1f863bfcfbfc62b2504efd20ba0d7d

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe
Filesize
135KB

MD5
3694886a48a0f4de1d67827661a77fb9

SHA1
b9b8119a05a0c09fecfb63b8383d0bb1aecadd60

SHA256
579bcd233e8078f455c87b60a20e574b1a0c49de3000705b41cb962c39c5c177

SHA512
e367a83865f258d8316836bdb610cb78eae16520eb3128a43730985c2a0d4a34aa5943f0f755f63847747024dac3be989b3732ac2a62c687513a35eeb6923359

Download Submit
C:\Windows\SysWOW64\Dhqaefng.exe
Filesize
135KB

MD5
515c988f7672c6a35810bbfcae0031e2

SHA1
c3938cd25de0a3cb68887966f2c675657bea21c1

SHA256
054cd53c15ed09f6b7efc1cafb5dc14e2e16ad134568e77df5c40ebb327c87a4

SHA512
4da7fecfa8372fd2f2fcdea73b4b9707e173fe35565e6d71f5f6903ef7e5a6245188400bd1bdcc5e50c85dae940892af220422e543a216894994bf5efb26f949

Download Submit
C:\Windows\SysWOW64\Diihojkb.exe
Filesize
135KB

MD5
ed9cbd9e27f25383f6d4f69cba88f9de

SHA1
7b8823bfb54ef57856127312fd341aedaa336ccc

SHA256
e1ec2049ddad53ea3bd3e1bfb45221933b69b8c03b4a5700c66f9b1baf760d53

SHA512
caaabb42160a6c7bacec79344af302458d7ee7169e4308ed17ff339c0c81f94902dbb7625df60a04f1e4d6b23c5ede34f6e8f1b5577ffd6979b93f7c35e487c3

Download Submit
C:\Windows\SysWOW64\Djlddi32.exe
Filesize
135KB

MD5
1f793e96d38ce305a047e777f3a9231b

SHA1
6bdd3b74124f85165eced90b7ef16a5861bf76f1

SHA256
a916e8c70bc741c07359bb7ee41dffff93d3b8a89d4f4ad4d6f6af98e39d3301

SHA512
103e0d98c0d6a13b553d320b3aa7c3cb1d799d7e4ee535a275a2decc4651f1aa6de12a57087fd65cf1315fbb103020528813a1c1cc4134867d12c40ed15f4d54

Download Submit
C:\Windows\SysWOW64\Dlegeemh.exe
Filesize
135KB

MD5
7efb70255e75de73c07cf339958dd0ad

SHA1
9eec56785299669a08948a2d355bf67320e48126

SHA256
969cf67c6bc928ac2fc12f742179c3cbfea1c84e92249f30afed56799b4d5968

SHA512
ee21213bc0d5db4b622fc6cdbcf92604d15b69014c886594649c20e647b347f082f4b251d5e7cb552837f438b16c7061566e78cb3faa7285df26eaa62699d873

Download Submit
C:\Windows\SysWOW64\Dljqpd32.exe
Filesize
135KB

MD5
110e8fef3cfebb292ec458e3bb49aeef

SHA1
20b3b027406863b493381a21a53476003a151c9e

SHA256
24890c2993e6cea39aeb3a4e150fffb842ed9b5fc7512638a6dcee493842b720

SHA512
711d0f3402c0a82c9989420b1eabcae3b10b614db75d4546c9f01418c9d9c4399f52fb14025154da3f79003cd037c19c4d61ce00d4b88efd2b5fa9b75fdc1c8b

Download Submit
C:\Windows\SysWOW64\Dpcpkc32.exe
Filesize
135KB

MD5
7d042bd29b94c3da87d0b748a0fa5dad

SHA1
edb286beb0a2bbc07961d94a176e64f3e49a2ab0

SHA256
ef73461cc25fcb4270690f9e3af4e8f1b40974fea3b6ab328e1064b92cdd272f

SHA512
0e1a3a4ea5962f2b4212fda92cbd857a1c26cbc982f97e91543e2c9c67984e299dd8b8a84dfa42f6207553a0e83d992354609bc19a36a47f3711891dc40dbf13

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe
Filesize
135KB

MD5
9603799d5f50b0db87da480bfc428d0b

SHA1
92a1dc042d63102e13cfcd01a3a7674ff405288a

SHA256
431536870da97d89a9ca340d64e70c59b71de7d1359d46cca6cdf47061f262b3

SHA512
07b9e8db215049732a1099d94d4b9931e3a296b24cf13bdf318688857a29e566a2f6c89f760001a422a05db964a98864af6c48bc3953849f2af58234e9d11e24

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe
Filesize
135KB

MD5
a1c3e967df00b0bcaf1bd780f8d3c8ee

SHA1
484a11a9e093a080391204e910cf0b2b581a9166

SHA256
648ad2dbb08c381399f7c71505f57652d4cbbca905b5e0b9c4574b2fdb0a10fe

SHA512
9cb8e478554304d04388bb9044d6af3525e28b62ba5dd74322f8087de4d7ddbf0663c897d137365d7fb6c8b82f3e29983e95de96047cc2f12d1451d448b0b88c

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe
Filesize
135KB

MD5
a0a26657551e1ccf9a05b1e52463f73d

SHA1
f04b268752985c8215784e0f4df072f9447f7772

SHA256
c7cc09228fab78ee2ffdf21615be8bbdae89f99aec3d6b79a7e4175d9ca1e8aa

SHA512
99b9d27a4344415076c248300d3f9e460e34913eb39ff37bea00fb27090dc4c72608aeb5975bdd7714209bea9db04d3edee7aa05aada3af4b673ba344f811094

Download Submit
C:\Windows\SysWOW64\Efikji32.exe
Filesize
135KB

MD5
e9dcad8ff5dde156d126c571c385edc8

SHA1
6d8d7dcc9a826553aeacfce3e372cde490d18304

SHA256
16c5dff0a3b1cb9443d52edf8ff28008727b74f01d93e55d657b764d2f081708

SHA512
bc415d7b6f74fcd85b4f31a11464e60ecca762f2620470218842ee7b34a289e9882e78f3f951d63407cd310956a4896d89606b5ef1bd388956f16066689cb5d7

Download Submit
C:\Windows\SysWOW64\Efneehef.exe
Filesize
135KB

MD5
5c2f8a1620032c700d073d8b51815fa3

SHA1
ffbac308f8fba60c8a3aaee18e98d2f12010b50d

SHA256
3cf95ceb465e00a13f15512ee27e6411704546e23906d97fba8ba6f18f7b8a22

SHA512
8f1269db77ecb1e0802990a1c8ce40267c49cecb318706b8194df6a730bda86a2ae35e6c9590734e1424b589a3c79b064d579dce4b75bea40ed5cb4146a0b869

Download Submit
C:\Windows\SysWOW64\Elccfc32.exe
Filesize
135KB

MD5
798ce92c4f122eb2f96efb9832ee9018

SHA1
a015c1e6eabce06c1516b686c4a209c24468961b

SHA256
ba69e6084236ec447d99c51ed55ecf4f173bf88c7f57b6b84f9ee585a7e773d9

SHA512
10544c625d41a4ed1f6a020551e850ed1d75174f583f3ea948c41d3091cb611e3c2b805a14177be31cc7c92c656d074c3c7f4fe326c637a385bab21c744801c2

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe
Filesize
135KB

MD5
c28155fbada3fe3d6712548ae681d67d

SHA1
02a1d0a6377a2e09a939dd575b2eede65ba84bac

SHA256
4e4b58ebfebeaba5cc5d7c659ec2cee1b049aec9753a8239f9640d98b9e79066

SHA512
005bc12fa32f9ba495607cbcba514aaa1ecbfbcfda6a4f4777d279b504d8819105615da982ad792f83049f9e08acebce3921d79a2e848a001a264a06b543c8bf

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe
Filesize
135KB

MD5
f05c390c69aaeb37b2bad358aba687c5

SHA1
83e3aba70bf01bbe30093b3542661a34ca4b4a1d

SHA256
abb2f49931a8d534379fae2342390b82144c4b6b65a932823eafa8caf8d791d4

SHA512
7e507bc7c286ffa67e416075951090d46dbcdb49d007fbfca151b40a1e579e0695fbe33e0673c5dac3d6e41cd83a490b7862530121d038a013bbf5cee9a359ca

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe
Filesize
135KB

MD5
b08198be9363bfbb121b286d16b94285

SHA1
0f666a38be063eea1387047c8afd0e3756fec71f

SHA256
0223d67ae9261ee2ac6530a70565e4b5464403810e93b9f035867b5c637097a2

SHA512
6b8bc276c78acace0af8b4903b239ce8a18630c6aadb7336ff4c537ecbf94def971e13655f42ee56be6e17914307670e8a7ac7b515eb09e0873574f5cf02bfd2

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe
Filesize
135KB

MD5
7d224c96633886c2a4681fb0ac9889ce

SHA1
8d7eac788805ce1e48e27953d1edca6373bf3dff

SHA256
7efe6bdeda61eee96d9c67e37f48dd251bd409f74c30263f0524195aadfd07ab

SHA512
b95767a8eccd6308f2dbd4cfc56168f4788d30e576cd347076d0a2c0261db88254f5fba737ff9bc57d6616201312e4308332e232534f49fc9b6769d62b1f9029

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe
Filesize
64KB

MD5
8384a9164de42ea3d7bfb0f6c907831e

SHA1
7dc7704d148170a963392224abd41740da2719b6

SHA256
23ac1f816d5fddd7857f5f8a00da81846293b92d75fe909c954c1122dc540a03

SHA512
b2ddb8f402058cfb765eab1e878b9f85e04a3d1168b33a602be5ec876c8e8c6357dbd820def773e61a276372f1c86a7b50bde13f0b27e7f41c719824d8bee0d2

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe
Filesize
135KB

MD5
4ecbf5b6c512d511ab6aac1865c0686c

SHA1
dc17bdad3c7bc5aff1159c69e5cc32b4f881a9ea

SHA256
692e0dfd9ca41b2144c9846755eeb9c6332391f09ec6d97e3539c5a4ad2271cb

SHA512
4c6d12086ce9a208468a65d10c6b2de6233a42dcc47ea867bc66f8da930a67172613c6b03ce41d23f0b2fb68c5b235877bb4bd96c89baf5ea5a001cc19f388fa

Download Submit
memory/764-323-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/864-413-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/880-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/884-411-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1020-432-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1064-395-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1080-241-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1232-137-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1540-252-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1696-89-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1744-263-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1892-104-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1908-308-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2052-61-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2060-129-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2068-177-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2216-359-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2268-365-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2312-311-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2316-351-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2352-45-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2404-5-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2404-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2440-293-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2568-337-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2800-168-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2824-33-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2892-12-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3044-287-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3056-49-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3276-190-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3296-437-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3352-161-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3356-145-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3380-269-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3396-341-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3440-275-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3544-303-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3744-419-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4044-425-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4124-192-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4176-353-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4316-393-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4356-224-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4436-121-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4444-117-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4608-206-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4684-222-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4708-232-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4796-405-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4836-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4864-208-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4888-371-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4904-285-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4912-333-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4944-317-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4972-257-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4976-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4988-65-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5000-381-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5088-81-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5096-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5100-387-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5108-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download