086a33b4509e799d00c3556550308c371180612ed93933361bbb295dd3f00ecb

Analysis

max time kernel
136s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

086a33b4509e799d00c3556550308c371180612ed93933361bbb295dd3f00ecb.exe
Size

94KB
MD5

0dc0d4fc293faa43bbc23b53788e9f70
SHA1

cfab56e8c991cf46ef97b32537fc778b06e4df9a
SHA256

086a33b4509e799d00c3556550308c371180612ed93933361bbb295dd3f00ecb
SHA512

36dc4f0bb0e8fc6a58b9a19df7ed07895719144556cede6e8dfa0eb92c2e174b6d810c52d13cd1606ea4cbfe032ec3c224f278181b00971258a4f91bb007ae58
SSDEEP

1536:hbwG3pr0H6FF9JhFLaRN5t1f6b1hf2LiaIZTJ+7LhkiB0MPiKeEAgv:R7J2u7La1tQKiaMU7uihJ5v

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

086a33b4509e799d00c3556550308c371180612ed93933361bbb295dd3f00ecb.exeHbanme32.exeHmfbjnbp.exeHfcpncdk.exeIpldfi32.exeIpegmg32.exeJfdida32.exeMciobn32.exeMnfipekh.exeNnjbke32.exeHboagf32.exeIjkljp32.exeKpjjod32.exeNkjjij32.exeHjfihc32.exeHadkpm32.exeIfhiib32.exeIannfk32.exeJjpeepnb.exeKdopod32.exeMjcgohig.exeIfjfnb32.exeKmlnbi32.exeGppekj32.exeJdhine32.exeKmegbjgn.exeLdaeka32.exeHmdedo32.exeKmgdgjek.exeNjljefql.exeNqklmpdd.exeJaimbj32.exeKaemnhla.exeNklfoi32.exeLaefdf32.exeMkbchk32.exeNcgkcl32.exeNcldnkae.exeLgneampk.exeGmoliohh.exeKkkdan32.exeJfffjqdf.exeKgdbkohf.exeLiggbi32.exeLpappc32.exeNnmopdep.exeMpkbebbf.exeGfedle32.exeIikopmkd.exeIabgaklg.exeIfopiajn.exeHfofbd32.exeKbdmpqcb.exeIiibkn32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	086a33b4509e799d00c3556550308c371180612ed93933361bbb295dd3f00ecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe

Malware Dropper & Backdoor - Berbew 41 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Gfedle32.exe	family_berbew
C:\Windows\SysWOW64\Gmoliohh.exe	family_berbew
C:\Windows\SysWOW64\Gpnhekgl.exe	family_berbew
C:\Windows\SysWOW64\Gfhqbe32.exe	family_berbew
C:\Windows\SysWOW64\Gifmnpnl.exe	family_berbew
C:\Windows\SysWOW64\Gppekj32.exe	family_berbew
C:\Windows\SysWOW64\Hboagf32.exe	family_berbew
C:\Windows\SysWOW64\Hjfihc32.exe	family_berbew
C:\Windows\SysWOW64\Hmdedo32.exe	family_berbew
C:\Windows\SysWOW64\Hpbaqj32.exe	family_berbew
C:\Windows\SysWOW64\Hbanme32.exe	family_berbew
C:\Windows\SysWOW64\Hjhfnccl.exe	family_berbew
C:\Windows\SysWOW64\Hmfbjnbp.exe	family_berbew
C:\Windows\SysWOW64\Hfofbd32.exe	family_berbew
C:\Windows\SysWOW64\Hadkpm32.exe	family_berbew
C:\Windows\SysWOW64\Hccglh32.exe	family_berbew
C:\Windows\SysWOW64\Hjmoibog.exe	family_berbew
C:\Windows\SysWOW64\Hippdo32.exe	family_berbew
C:\Windows\SysWOW64\Hfcpncdk.exe	family_berbew
C:\Windows\SysWOW64\Hibljoco.exe	family_berbew
C:\Windows\SysWOW64\Ipldfi32.exe	family_berbew
C:\Windows\SysWOW64\Iidipnal.exe	family_berbew
C:\Windows\SysWOW64\Ipnalhii.exe	family_berbew
C:\Windows\SysWOW64\Ifhiib32.exe	family_berbew
C:\Windows\SysWOW64\Iannfk32.exe	family_berbew
C:\Windows\SysWOW64\Ibojncfj.exe	family_berbew
C:\Windows\SysWOW64\Ifjfnb32.exe	family_berbew
C:\Windows\SysWOW64\Iiibkn32.exe	family_berbew
C:\Windows\SysWOW64\Iapjlk32.exe	family_berbew
C:\Windows\SysWOW64\Ibagcc32.exe	family_berbew
C:\Windows\SysWOW64\Iikopmkd.exe	family_berbew
C:\Windows\SysWOW64\Ijhodq32.exe	family_berbew
C:\Windows\SysWOW64\Jfffjqdf.exe	family_berbew
C:\Windows\SysWOW64\Jdjfcecp.exe	family_berbew
C:\Windows\SysWOW64\Kgdbkohf.exe	family_berbew
C:\Windows\SysWOW64\Kpmfddnf.exe	family_berbew
C:\Windows\SysWOW64\Lnhmng32.exe	family_berbew
C:\Windows\SysWOW64\Lcgblncm.exe	family_berbew
C:\Windows\SysWOW64\Mpkbebbf.exe	family_berbew
C:\Windows\SysWOW64\Mpdelajl.exe	family_berbew
C:\Windows\SysWOW64\Nacbfdao.exe	family_berbew

Executes dropped EXE 64 IoCs

Processes:

Gfedle32.exeGmoliohh.exeGpnhekgl.exeGfhqbe32.exeGifmnpnl.exeGppekj32.exeHboagf32.exeHjfihc32.exeHmdedo32.exeHpbaqj32.exeHbanme32.exeHjhfnccl.exeHmfbjnbp.exeHfofbd32.exeHadkpm32.exeHccglh32.exeHjmoibog.exeHippdo32.exeHfcpncdk.exeHibljoco.exeIpldfi32.exeIidipnal.exeIpnalhii.exeIfhiib32.exeIannfk32.exeIbojncfj.exeIfjfnb32.exeIiibkn32.exeIapjlk32.exeIbagcc32.exeIjhodq32.exeIikopmkd.exeIabgaklg.exeIpegmg32.exeIdacmfkj.exeIfopiajn.exeIjkljp32.exeJpgdbg32.exeJdcpcf32.exeJfaloa32.exeJmkdlkph.exeJpjqhgol.exeJfdida32.exeJjpeepnb.exeJaimbj32.exeJplmmfmi.exeJdhine32.exeJfffjqdf.exeJidbflcj.exeJmpngk32.exeJdjfcecp.exeJfhbppbc.exeJigollag.exeJdmcidam.exeJfkoeppq.exeKmegbjgn.exeKaqcbi32.exeKdopod32.exeKgmlkp32.exeKmgdgjek.exeKbdmpqcb.exeKkkdan32.exeKaemnhla.exeKgbefoji.exe

pid	process
2536	Gfedle32.exe
2072	Gmoliohh.exe
3308	Gpnhekgl.exe
2364	Gfhqbe32.exe
644	Gifmnpnl.exe
2824	Gppekj32.exe
4588	Hboagf32.exe
3132	Hjfihc32.exe
2548	Hmdedo32.exe
1376	Hpbaqj32.exe
468	Hbanme32.exe
3888	Hjhfnccl.exe
2864	Hmfbjnbp.exe
4008	Hfofbd32.exe
388	Hadkpm32.exe
1592	Hccglh32.exe
916	Hjmoibog.exe
2276	Hippdo32.exe
4568	Hfcpncdk.exe
4684	Hibljoco.exe
2188	Ipldfi32.exe
1336	Iidipnal.exe
1212	Ipnalhii.exe
4576	Ifhiib32.exe
3884	Iannfk32.exe
4456	Ibojncfj.exe
3284	Ifjfnb32.exe
3564	Iiibkn32.exe
2196	Iapjlk32.exe
3512	Ibagcc32.exe
3312	Ijhodq32.exe
4512	Iikopmkd.exe
2752	Iabgaklg.exe
816	Ipegmg32.exe
1300	Idacmfkj.exe
1832	Ifopiajn.exe
4704	Ijkljp32.exe
1680	Jpgdbg32.exe
2748	Jdcpcf32.exe
1304	Jfaloa32.exe
1372	Jmkdlkph.exe
1420	Jpjqhgol.exe
908	Jfdida32.exe
4632	Jjpeepnb.exe
2464	Jaimbj32.exe
2088	Jplmmfmi.exe
4600	Jdhine32.exe
4904	Jfffjqdf.exe
4012	Jidbflcj.exe
3556	Jmpngk32.exe
4524	Jdjfcecp.exe
1008	Jfhbppbc.exe
5108	Jigollag.exe
4796	Jdmcidam.exe
1984	Jfkoeppq.exe
4404	Kmegbjgn.exe
4628	Kaqcbi32.exe
2064	Kdopod32.exe
632	Kgmlkp32.exe
3644	Kmgdgjek.exe
2708	Kbdmpqcb.exe
2728	Kkkdan32.exe
5116	Kaemnhla.exe
2544	Kgbefoji.exe

Drops file in System32 directory 64 IoCs

Processes:

Ifopiajn.exeIdacmfkj.exeJpjqhgol.exeHadkpm32.exeJmpngk32.exeJfkoeppq.exeKkkdan32.exeMpkbebbf.exeNqiogp32.exeNjacpf32.exeHjfihc32.exeJdjfcecp.exeKgmlkp32.exeKgbefoji.exeLiekmj32.exeLaefdf32.exeGfhqbe32.exeKdopod32.exeMnapdf32.exeNkjjij32.exeIikopmkd.exeKgdbkohf.exeKgfoan32.exeIapjlk32.exeHjmoibog.exeIfjfnb32.exeIbagcc32.exeJfffjqdf.exeKpjjod32.exeNjljefql.exeNgedij32.exeIannfk32.exeKmegbjgn.exeLaalifad.exeLdaeka32.exeIjkljp32.exeJjpeepnb.exeKpmfddnf.exeNnolfdcn.exeHpbaqj32.exeIpnalhii.exeJfaloa32.exeLphfpbdi.exeNnjbke32.exeGpnhekgl.exeKaqcbi32.exeKmnjhioc.exeLdohebqh.exeLnhmng32.exeMnfipekh.exeJfdida32.exeLmqgnhmp.exeLiggbi32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Ifopiajn.exe	Idacmfkj.exe
File opened for modification	C:\Windows\SysWOW64\Jfdida32.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Hccglh32.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Hmdedo32.exe	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Gifmnpnl.exe	Gfhqbe32.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Ifopiajn.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Impoan32.dll	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Ibagcc32.exe	Iapjlk32.exe
File opened for modification	C:\Windows\SysWOW64\Hippdo32.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Iiibkn32.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Ijhodq32.exe	Ibagcc32.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Gifmnpnl.exe	Gfhqbe32.exe
File created	C:\Windows\SysWOW64\Ibojncfj.exe	Iannfk32.exe
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Gnbbnj32.dll	Gfhqbe32.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Jaimbj32.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ldooifgl.dll	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Jkageheh.dll	Hadkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Ifhiib32.exe	Ipnalhii.exe
File opened for modification	C:\Windows\SysWOW64\Jmkdlkph.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Anjekdho.dll	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Diefokle.dll	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jfdida32.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jdjfcecp.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Fojkiimn.dll	Iannfk32.exe
File created	C:\Windows\SysWOW64\Jpgdbg32.exe	Ijkljp32.exe
File opened for modification	C:\Windows\SysWOW64\Jpgdbg32.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Liggbi32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5872 5708 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
5872	5708	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Kmlnbi32.exeLiekmj32.exeIannfk32.exeJplmmfmi.exeJidbflcj.exeNcgkcl32.exeJdcpcf32.exeLdaeka32.exeLphfpbdi.exeKkkdan32.exeIiibkn32.exeJfhbppbc.exeJdmcidam.exeJfffjqdf.exeKaqcbi32.exeKpjjod32.exeHfofbd32.exeIbagcc32.exeIdacmfkj.exeJfkoeppq.exeKgdbkohf.exeLcgblncm.exeMjqjih32.exeMnfipekh.exeGppekj32.exeHmdedo32.exeHpbaqj32.exeNcldnkae.exeIikopmkd.exeLcmofolg.exeLgneampk.exeMnocof32.exeIpegmg32.exeLaefdf32.exeIfhiib32.exeNjljefql.exeGfhqbe32.exeLnhmng32.exeMpkbebbf.exeIpnalhii.exeIfjfnb32.exeLmqgnhmp.exeIjhodq32.exeJdhine32.exeKgbefoji.exeMcklgm32.exe086a33b4509e799d00c3556550308c371180612ed93933361bbb295dd3f00ecb.exeKdopod32.exeNqmhbpba.exeGpnhekgl.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inccjgbc.dll"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihoogdd.dll"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olmeac32.dll"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphlemjl.dll"	086a33b4509e799d00c3556550308c371180612ed93933361bbb295dd3f00ecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diefokle.dll"	Gpnhekgl.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

086a33b4509e799d00c3556550308c371180612ed93933361bbb295dd3f00ecb.exeGfedle32.exeGmoliohh.exeGpnhekgl.exeGfhqbe32.exeGifmnpnl.exeGppekj32.exeHboagf32.exeHjfihc32.exeHmdedo32.exeHpbaqj32.exeHbanme32.exeHjhfnccl.exeHmfbjnbp.exeHfofbd32.exeHadkpm32.exeHccglh32.exeHjmoibog.exeHippdo32.exeHfcpncdk.exeHibljoco.exeIpldfi32.exe

description	pid	process	target process
PID 384 wrote to memory of 2536	384	086a33b4509e799d00c3556550308c371180612ed93933361bbb295dd3f00ecb.exe	Gfedle32.exe
PID 384 wrote to memory of 2536	384	086a33b4509e799d00c3556550308c371180612ed93933361bbb295dd3f00ecb.exe	Gfedle32.exe
PID 384 wrote to memory of 2536	384	086a33b4509e799d00c3556550308c371180612ed93933361bbb295dd3f00ecb.exe	Gfedle32.exe
PID 2536 wrote to memory of 2072	2536	Gfedle32.exe	Gmoliohh.exe
PID 2536 wrote to memory of 2072	2536	Gfedle32.exe	Gmoliohh.exe
PID 2536 wrote to memory of 2072	2536	Gfedle32.exe	Gmoliohh.exe
PID 2072 wrote to memory of 3308	2072	Gmoliohh.exe	Gpnhekgl.exe
PID 2072 wrote to memory of 3308	2072	Gmoliohh.exe	Gpnhekgl.exe
PID 2072 wrote to memory of 3308	2072	Gmoliohh.exe	Gpnhekgl.exe
PID 3308 wrote to memory of 2364	3308	Gpnhekgl.exe	Gfhqbe32.exe
PID 3308 wrote to memory of 2364	3308	Gpnhekgl.exe	Gfhqbe32.exe
PID 3308 wrote to memory of 2364	3308	Gpnhekgl.exe	Gfhqbe32.exe
PID 2364 wrote to memory of 644	2364	Gfhqbe32.exe	Gifmnpnl.exe
PID 2364 wrote to memory of 644	2364	Gfhqbe32.exe	Gifmnpnl.exe
PID 2364 wrote to memory of 644	2364	Gfhqbe32.exe	Gifmnpnl.exe
PID 644 wrote to memory of 2824	644	Gifmnpnl.exe	Gppekj32.exe
PID 644 wrote to memory of 2824	644	Gifmnpnl.exe	Gppekj32.exe
PID 644 wrote to memory of 2824	644	Gifmnpnl.exe	Gppekj32.exe
PID 2824 wrote to memory of 4588	2824	Gppekj32.exe	Hboagf32.exe
PID 2824 wrote to memory of 4588	2824	Gppekj32.exe	Hboagf32.exe
PID 2824 wrote to memory of 4588	2824	Gppekj32.exe	Hboagf32.exe
PID 4588 wrote to memory of 3132	4588	Hboagf32.exe	Hjfihc32.exe
PID 4588 wrote to memory of 3132	4588	Hboagf32.exe	Hjfihc32.exe
PID 4588 wrote to memory of 3132	4588	Hboagf32.exe	Hjfihc32.exe
PID 3132 wrote to memory of 2548	3132	Hjfihc32.exe	Hmdedo32.exe
PID 3132 wrote to memory of 2548	3132	Hjfihc32.exe	Hmdedo32.exe
PID 3132 wrote to memory of 2548	3132	Hjfihc32.exe	Hmdedo32.exe
PID 2548 wrote to memory of 1376	2548	Hmdedo32.exe	Hpbaqj32.exe
PID 2548 wrote to memory of 1376	2548	Hmdedo32.exe	Hpbaqj32.exe
PID 2548 wrote to memory of 1376	2548	Hmdedo32.exe	Hpbaqj32.exe
PID 1376 wrote to memory of 468	1376	Hpbaqj32.exe	Hbanme32.exe
PID 1376 wrote to memory of 468	1376	Hpbaqj32.exe	Hbanme32.exe
PID 1376 wrote to memory of 468	1376	Hpbaqj32.exe	Hbanme32.exe
PID 468 wrote to memory of 3888	468	Hbanme32.exe	Hjhfnccl.exe
PID 468 wrote to memory of 3888	468	Hbanme32.exe	Hjhfnccl.exe
PID 468 wrote to memory of 3888	468	Hbanme32.exe	Hjhfnccl.exe
PID 3888 wrote to memory of 2864	3888	Hjhfnccl.exe	Hmfbjnbp.exe
PID 3888 wrote to memory of 2864	3888	Hjhfnccl.exe	Hmfbjnbp.exe
PID 3888 wrote to memory of 2864	3888	Hjhfnccl.exe	Hmfbjnbp.exe
PID 2864 wrote to memory of 4008	2864	Hmfbjnbp.exe	Hfofbd32.exe
PID 2864 wrote to memory of 4008	2864	Hmfbjnbp.exe	Hfofbd32.exe
PID 2864 wrote to memory of 4008	2864	Hmfbjnbp.exe	Hfofbd32.exe
PID 4008 wrote to memory of 388	4008	Hfofbd32.exe	Hadkpm32.exe
PID 4008 wrote to memory of 388	4008	Hfofbd32.exe	Hadkpm32.exe
PID 4008 wrote to memory of 388	4008	Hfofbd32.exe	Hadkpm32.exe
PID 388 wrote to memory of 1592	388	Hadkpm32.exe	Hccglh32.exe
PID 388 wrote to memory of 1592	388	Hadkpm32.exe	Hccglh32.exe
PID 388 wrote to memory of 1592	388	Hadkpm32.exe	Hccglh32.exe
PID 1592 wrote to memory of 916	1592	Hccglh32.exe	Hjmoibog.exe
PID 1592 wrote to memory of 916	1592	Hccglh32.exe	Hjmoibog.exe
PID 1592 wrote to memory of 916	1592	Hccglh32.exe	Hjmoibog.exe
PID 916 wrote to memory of 2276	916	Hjmoibog.exe	Hippdo32.exe
PID 916 wrote to memory of 2276	916	Hjmoibog.exe	Hippdo32.exe
PID 916 wrote to memory of 2276	916	Hjmoibog.exe	Hippdo32.exe
PID 2276 wrote to memory of 4568	2276	Hippdo32.exe	Hfcpncdk.exe
PID 2276 wrote to memory of 4568	2276	Hippdo32.exe	Hfcpncdk.exe
PID 2276 wrote to memory of 4568	2276	Hippdo32.exe	Hfcpncdk.exe
PID 4568 wrote to memory of 4684	4568	Hfcpncdk.exe	Hibljoco.exe
PID 4568 wrote to memory of 4684	4568	Hfcpncdk.exe	Hibljoco.exe
PID 4568 wrote to memory of 4684	4568	Hfcpncdk.exe	Hibljoco.exe
PID 4684 wrote to memory of 2188	4684	Hibljoco.exe	Ipldfi32.exe
PID 4684 wrote to memory of 2188	4684	Hibljoco.exe	Ipldfi32.exe
PID 4684 wrote to memory of 2188	4684	Hibljoco.exe	Ipldfi32.exe
PID 2188 wrote to memory of 1336	2188	Ipldfi32.exe	Iidipnal.exe

C:\Users\Admin\AppData\Local\Temp\086a33b4509e799d00c3556550308c371180612ed93933361bbb295dd3f00ecb.exe
"C:\Users\Admin\AppData\Local\Temp\086a33b4509e799d00c3556550308c371180612ed93933361bbb295dd3f00ecb.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:384

C:\Windows\SysWOW64\Gfedle32.exe
C:\Windows\system32\Gfedle32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\SysWOW64\Gmoliohh.exe
C:\Windows\system32\Gmoliohh.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\Gpnhekgl.exe
C:\Windows\system32\Gpnhekgl.exe
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3308

C:\Windows\SysWOW64\Gfhqbe32.exe
C:\Windows\system32\Gfhqbe32.exe
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\SysWOW64\Gifmnpnl.exe
C:\Windows\system32\Gifmnpnl.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\Gppekj32.exe
C:\Windows\system32\Gppekj32.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\Hboagf32.exe
C:\Windows\system32\Hboagf32.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588

C:\Windows\SysWOW64\Hjfihc32.exe
C:\Windows\system32\Hjfihc32.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3132

C:\Windows\SysWOW64\Hmdedo32.exe
C:\Windows\system32\Hmdedo32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\Hpbaqj32.exe
C:\Windows\system32\Hpbaqj32.exe
11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\Hbanme32.exe
C:\Windows\system32\Hbanme32.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468

C:\Windows\SysWOW64\Hjhfnccl.exe
C:\Windows\system32\Hjhfnccl.exe
13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\SysWOW64\Hmfbjnbp.exe
C:\Windows\system32\Hmfbjnbp.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\SysWOW64\Hfofbd32.exe
C:\Windows\system32\Hfofbd32.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\SysWOW64\Hadkpm32.exe
C:\Windows\system32\Hadkpm32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:388

C:\Windows\SysWOW64\Hccglh32.exe
C:\Windows\system32\Hccglh32.exe
17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\Hjmoibog.exe
C:\Windows\system32\Hjmoibog.exe
18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SysWOW64\Hippdo32.exe
C:\Windows\system32\Hippdo32.exe
19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\SysWOW64\Hfcpncdk.exe
C:\Windows\system32\Hfcpncdk.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568

C:\Windows\SysWOW64\Hibljoco.exe
C:\Windows\system32\Hibljoco.exe
21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684

C:\Windows\SysWOW64\Ipldfi32.exe
C:\Windows\system32\Ipldfi32.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\SysWOW64\Iidipnal.exe
C:\Windows\system32\Iidipnal.exe
23⤵
- Executes dropped EXE
PID:1336

C:\Windows\SysWOW64\Ipnalhii.exe
C:\Windows\system32\Ipnalhii.exe
24⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1212

C:\Windows\SysWOW64\Ifhiib32.exe
C:\Windows\system32\Ifhiib32.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4576

C:\Windows\SysWOW64\Iannfk32.exe
C:\Windows\system32\Iannfk32.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3884

C:\Windows\SysWOW64\Ibojncfj.exe
C:\Windows\system32\Ibojncfj.exe
27⤵
- Executes dropped EXE
PID:4456

C:\Windows\SysWOW64\Ifjfnb32.exe
C:\Windows\system32\Ifjfnb32.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3284

C:\Windows\SysWOW64\Iiibkn32.exe
C:\Windows\system32\Iiibkn32.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3564

C:\Windows\SysWOW64\Iapjlk32.exe
C:\Windows\system32\Iapjlk32.exe
30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2196

C:\Windows\SysWOW64\Ibagcc32.exe
C:\Windows\system32\Ibagcc32.exe
31⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3512

C:\Windows\SysWOW64\Ijhodq32.exe
C:\Windows\system32\Ijhodq32.exe
32⤵
- Executes dropped EXE
- Modifies registry class
PID:3312

C:\Windows\SysWOW64\Iikopmkd.exe
C:\Windows\system32\Iikopmkd.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4512

C:\Windows\SysWOW64\Iabgaklg.exe
C:\Windows\system32\Iabgaklg.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2752

C:\Windows\SysWOW64\Ipegmg32.exe
C:\Windows\system32\Ipegmg32.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:816

C:\Windows\SysWOW64\Idacmfkj.exe
C:\Windows\system32\Idacmfkj.exe
36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1300

C:\Windows\SysWOW64\Ifopiajn.exe
C:\Windows\system32\Ifopiajn.exe
37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1832

C:\Windows\SysWOW64\Ijkljp32.exe
C:\Windows\system32\Ijkljp32.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4704

C:\Windows\SysWOW64\Jpgdbg32.exe
C:\Windows\system32\Jpgdbg32.exe
39⤵
- Executes dropped EXE
PID:1680

C:\Windows\SysWOW64\Jdcpcf32.exe
C:\Windows\system32\Jdcpcf32.exe
40⤵
- Executes dropped EXE
- Modifies registry class
PID:2748

C:\Windows\SysWOW64\Jfaloa32.exe
C:\Windows\system32\Jfaloa32.exe
41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1304

C:\Windows\SysWOW64\Jmkdlkph.exe
C:\Windows\system32\Jmkdlkph.exe
42⤵
- Executes dropped EXE
PID:1372

C:\Windows\SysWOW64\Jpjqhgol.exe
C:\Windows\system32\Jpjqhgol.exe
43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1420

C:\Windows\SysWOW64\Jfdida32.exe
C:\Windows\system32\Jfdida32.exe
44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:908

C:\Windows\SysWOW64\Jjpeepnb.exe
C:\Windows\system32\Jjpeepnb.exe
45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4632

C:\Windows\SysWOW64\Jaimbj32.exe
C:\Windows\system32\Jaimbj32.exe
46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2464

C:\Windows\SysWOW64\Jplmmfmi.exe
C:\Windows\system32\Jplmmfmi.exe
47⤵
- Executes dropped EXE
- Modifies registry class
PID:2088

C:\Windows\SysWOW64\Jdhine32.exe
C:\Windows\system32\Jdhine32.exe
48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4600

C:\Windows\SysWOW64\Jfffjqdf.exe
C:\Windows\system32\Jfffjqdf.exe
49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4904

C:\Windows\SysWOW64\Jidbflcj.exe
C:\Windows\system32\Jidbflcj.exe
50⤵
- Executes dropped EXE
- Modifies registry class
PID:4012

C:\Windows\SysWOW64\Jmpngk32.exe
C:\Windows\system32\Jmpngk32.exe
51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3556

C:\Windows\SysWOW64\Jdjfcecp.exe
C:\Windows\system32\Jdjfcecp.exe
52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4524

C:\Windows\SysWOW64\Jfhbppbc.exe
C:\Windows\system32\Jfhbppbc.exe
53⤵
- Executes dropped EXE
- Modifies registry class
PID:1008

C:\Windows\SysWOW64\Jigollag.exe
C:\Windows\system32\Jigollag.exe
54⤵
- Executes dropped EXE
PID:5108

C:\Windows\SysWOW64\Jdmcidam.exe
C:\Windows\system32\Jdmcidam.exe
55⤵
- Executes dropped EXE
- Modifies registry class
PID:4796

C:\Windows\SysWOW64\Jfkoeppq.exe
C:\Windows\system32\Jfkoeppq.exe
56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1984

C:\Windows\SysWOW64\Kmegbjgn.exe
C:\Windows\system32\Kmegbjgn.exe
57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4404

C:\Windows\SysWOW64\Kaqcbi32.exe
C:\Windows\system32\Kaqcbi32.exe
58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4628

C:\Windows\SysWOW64\Kdopod32.exe
C:\Windows\system32\Kdopod32.exe
59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2064

C:\Windows\SysWOW64\Kgmlkp32.exe
C:\Windows\system32\Kgmlkp32.exe
60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:632

C:\Windows\SysWOW64\Kmgdgjek.exe
C:\Windows\system32\Kmgdgjek.exe
61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3644

C:\Windows\SysWOW64\Kbdmpqcb.exe
C:\Windows\system32\Kbdmpqcb.exe
62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2708

C:\Windows\SysWOW64\Kkkdan32.exe
C:\Windows\system32\Kkkdan32.exe
63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2728

C:\Windows\SysWOW64\Kaemnhla.exe
C:\Windows\system32\Kaemnhla.exe
64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5116

C:\Windows\SysWOW64\Kgbefoji.exe
C:\Windows\system32\Kgbefoji.exe
65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2544

C:\Windows\SysWOW64\Kmlnbi32.exe
C:\Windows\system32\Kmlnbi32.exe
66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3476

C:\Windows\SysWOW64\Kpjjod32.exe
C:\Windows\system32\Kpjjod32.exe
67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2004

C:\Windows\SysWOW64\Kcifkp32.exe
C:\Windows\system32\Kcifkp32.exe
68⤵
PID:3272

C:\Windows\SysWOW64\Kgdbkohf.exe
C:\Windows\system32\Kgdbkohf.exe
69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1524

C:\Windows\SysWOW64\Kmnjhioc.exe
C:\Windows\system32\Kmnjhioc.exe
70⤵
- Drops file in System32 directory
PID:2628

C:\Windows\SysWOW64\Kpmfddnf.exe
C:\Windows\system32\Kpmfddnf.exe
71⤵
- Drops file in System32 directory
PID:4468

C:\Windows\SysWOW64\Kgfoan32.exe
C:\Windows\system32\Kgfoan32.exe
72⤵
- Drops file in System32 directory
PID:2952

C:\Windows\SysWOW64\Liekmj32.exe
C:\Windows\system32\Liekmj32.exe
73⤵
- Drops file in System32 directory
- Modifies registry class
PID:4340

C:\Windows\SysWOW64\Lmqgnhmp.exe
C:\Windows\system32\Lmqgnhmp.exe
74⤵
- Drops file in System32 directory
- Modifies registry class
PID:4928

C:\Windows\SysWOW64\Lcmofolg.exe
C:\Windows\system32\Lcmofolg.exe
75⤵
- Modifies registry class
PID:3480

C:\Windows\SysWOW64\Liggbi32.exe
C:\Windows\system32\Liggbi32.exe
76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4820

C:\Windows\SysWOW64\Lpappc32.exe
C:\Windows\system32\Lpappc32.exe
77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2668

C:\Windows\SysWOW64\Lgkhlnbn.exe
C:\Windows\system32\Lgkhlnbn.exe
78⤵
PID:3116

C:\Windows\SysWOW64\Laalifad.exe
C:\Windows\system32\Laalifad.exe
79⤵
- Drops file in System32 directory
PID:4580

C:\Windows\SysWOW64\Ldohebqh.exe
C:\Windows\system32\Ldohebqh.exe
80⤵
- Drops file in System32 directory
PID:3032

C:\Windows\SysWOW64\Lgneampk.exe
C:\Windows\system32\Lgneampk.exe
81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3396

C:\Windows\SysWOW64\Lnhmng32.exe
C:\Windows\system32\Lnhmng32.exe
82⤵
- Drops file in System32 directory
- Modifies registry class
PID:1364

C:\Windows\SysWOW64\Ldaeka32.exe
C:\Windows\system32\Ldaeka32.exe
83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3612

C:\Windows\SysWOW64\Lgpagm32.exe
C:\Windows\system32\Lgpagm32.exe
84⤵
PID:3620

C:\Windows\SysWOW64\Laefdf32.exe
C:\Windows\system32\Laefdf32.exe
85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1204

C:\Windows\SysWOW64\Lphfpbdi.exe
C:\Windows\system32\Lphfpbdi.exe
86⤵
- Drops file in System32 directory
- Modifies registry class
PID:2132

C:\Windows\SysWOW64\Lcgblncm.exe
C:\Windows\system32\Lcgblncm.exe
87⤵
- Modifies registry class
PID:2972

C:\Windows\SysWOW64\Mjqjih32.exe
C:\Windows\system32\Mjqjih32.exe
88⤵
- Modifies registry class
PID:2172

C:\Windows\SysWOW64\Mpkbebbf.exe
C:\Windows\system32\Mpkbebbf.exe
89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1564

C:\Windows\SysWOW64\Mciobn32.exe
C:\Windows\system32\Mciobn32.exe
90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5124

C:\Windows\SysWOW64\Mjcgohig.exe
C:\Windows\system32\Mjcgohig.exe
91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5156

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
92⤵
- Modifies registry class
PID:5212

C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
93⤵
- Modifies registry class
PID:5256

C:\Windows\SysWOW64\Mkbchk32.exe
C:\Windows\system32\Mkbchk32.exe
94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5300

C:\Windows\SysWOW64\Mnapdf32.exe
C:\Windows\system32\Mnapdf32.exe
95⤵
- Drops file in System32 directory
PID:5348

C:\Windows\SysWOW64\Mgidml32.exe
C:\Windows\system32\Mgidml32.exe
96⤵
PID:5392

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
97⤵
PID:5436

C:\Windows\SysWOW64\Mnfipekh.exe
C:\Windows\system32\Mnfipekh.exe
98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5500

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
99⤵
PID:5572

C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5612

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5652

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
102⤵
PID:5696

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
103⤵
PID:5740

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5784

C:\Windows\SysWOW64\Njogjfoj.exe
C:\Windows\system32\Njogjfoj.exe
105⤵
PID:5832

C:\Windows\SysWOW64\Nnjbke32.exe
C:\Windows\system32\Nnjbke32.exe
106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5876

C:\Windows\SysWOW64\Nqiogp32.exe
C:\Windows\system32\Nqiogp32.exe
107⤵
- Drops file in System32 directory
PID:5920

C:\Windows\SysWOW64\Ncgkcl32.exe
C:\Windows\system32\Ncgkcl32.exe
108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5968

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
109⤵
PID:6028

C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
110⤵
- Drops file in System32 directory
PID:6088

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6132

C:\Windows\SysWOW64\Nqklmpdd.exe
C:\Windows\system32\Nqklmpdd.exe
112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5148

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
113⤵
PID:5220

C:\Windows\SysWOW64\Ngedij32.exe
C:\Windows\system32\Ngedij32.exe
114⤵
- Drops file in System32 directory
PID:5284

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
115⤵
PID:5364

C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
116⤵
- Drops file in System32 directory
PID:5452

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
117⤵
- Modifies registry class
PID:5552

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5648

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
119⤵
PID:5708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5708 -s 408
120⤵
- Program crash
PID:5872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5708 -ip 5708
1⤵
PID:5808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gfedle32.exe

Filesize
94KB

MD5
2c2598167bdc5550c57f8447bbd4c837

SHA1
881fd0efd6f7f6cce95668e85cb7bbf5b22ecbc6

SHA256
84860119abf2d51f8c9707b1d3e29da374ba14342e0988e12873046c9d906f76

SHA512
d38cb9eb500b62426876ba4da1ca25cab42627052349c3f34d39d638b997d5b262eedac7771628c2bacabc49cbd70bcfe615e97beea64c455a3b64dab23048ba

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
94KB

MD5
a11093f4f64e230ce0564a6135a935b0

SHA1
ca79bca70f2c359e1f217599680f9a40e4f8e82a

SHA256
15359abdb35fb40ff6b2957199d8a56bf60b9181cf9ebe38a627330ba4185c37

SHA512
898ab1d66dfe39942246261e63df9cbe3effb0e3c05a13d43e7b555486d2c5cf5ada1793ff3ed552514e63df632bb8d0e0db62e9d4b88983426964b06c1bdadf

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
94KB

MD5
ef224a9b87cd5309807fc7f655383c4e

SHA1
71ac17005d4da7ccc8a0ff47fb04506c52c11641

SHA256
2ad36db7eecbe5b31f6965b45023ec1c8df9e3b1e9ce16cf0112e2639f2a506a

SHA512
ec8f513a20428dac28da1fab62a623ff597f460ac3ec0446bc9216f7626883e5a673b7eb95750258939c9627cc1bbd226d82075d2dc26c464411dcdf18bae333

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
94KB

MD5
4223ae7cc9872be0575be9e423e4de2f

SHA1
f10065384f98f74f387f88f7a7cc4289eea4eda6

SHA256
1d943922a642ca7370f5cef912996151ee38ee05798f22a4e38766be7372c750

SHA512
ec77d014587dea36a81294ae2c24c7d83062cb954fc4a0ff78bed306a764def0df48e56ce45369adb21d7588a51141af5ed1aeb9b2618da6921af8aa7cc7e17b

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
94KB

MD5
a71e6e3d966d5ea6d2b37ad580ff9709

SHA1
35af853ee936c7f7b2dd52956171b9c10a3031b3

SHA256
0b2ed1699838ac5efffd73e1278ac915f1fb5f9c8c3fc354bbd2fba0fea64a5d

SHA512
b72440a878fa66542f5ac5b346f8a575e735d3927397fd0c0dd21823024d3718ae5aec420beb30c3541e15d3cc92678d532ace359ddefeca1e5d92dad8c3bdb7

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
94KB

MD5
1c879ee8d5d0ae7e76e17779c6697ab1

SHA1
5eedcf2c206a84eb519506121a4ad8dab0af5c5b

SHA256
9b15b4648735d6449c1bf5b4361d704aa4c95ac928e93cf0a9a43f6a4ede41cd

SHA512
672f737250b4aef7533e24772154d746f856e8b5b08a6d3c35a7804f6f962b8437bac2e72a6745d34211abc92c880d4f162a78895c12326ac37bc4dd19beabd7

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
94KB

MD5
27312714f08f4eb1f8340632fcbc1463

SHA1
9c69584ddbeedcf3da66cac8b2046d3cd343f71d

SHA256
7672520822ac68a6cdd2e8ffaa88b1f1679898e722f740f695ab62cbd782c326

SHA512
1336e7bbd7053afcf0b5585905153c2133fcf3f037eba552daf18c1a8d5bd2e62828c0b0f56da90334aa358e784b2ea92685a9e198b179cfd37779255211413a

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
94KB

MD5
1b8854bb86979e5cbfc52db87bdc3c38

SHA1
17584ddc15c8515de43a2dff9589a0bc03c32f5b

SHA256
0e24f7142db206d7d8998307ea5e927314511989bcb15c512649707e74974fae

SHA512
4bb91b1d887e555090a5377df8204a2f91fdd154668472b88e61319b8f932a272d625391b00bc4ce78305e93d21f9257597f8eb5885021c2f552c573317f3f05

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
94KB

MD5
0f1081bc151f6b9bc07324ee0ca47622

SHA1
d978742f05fd82c5308b36309acf6ab630e634ce

SHA256
8b7b8d9e0b05d6f14ad546eec36b5035bfe11c35d85edd0cd36ce8cd6592ef79

SHA512
5643fda1d80a7d77f0c65093da08df149f805183724f70f6a65137e39aa8697681cc1fa0322641f0021fe655ee98708366a6d085ff13b948c76a4f0a39ff8172

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
94KB

MD5
8433648b61b8a7ce559e975a5ce18c36

SHA1
a0b72557d879f9b8fe68413374ff4562470d2231

SHA256
d94041055df5fbb3650df554c6a45e321403121201f463aec833cbf6559bb7e0

SHA512
f95761dc8405a5c00f54c49490afb721a5461b17c7d9cfcfe90979d823cde2fd53f3901063e343bae02c6f22702a027418548698d3e7209a74aed204ca495460

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
94KB

MD5
0637844c152430033b88f82251a9a007

SHA1
3ef715129380c7e791de5479a87e4222f5823b9c

SHA256
fa10a4eab32ed54784e9d96261fea3e507a926db1f215ee7eec35d64eaca523d

SHA512
ab02893004536dadee21b538dc88a275aa722d24be6b80ad5ba35e91758a22b2c64f1c4a05d1c9d8777f7825e3291e39e1f8dac7d2b0fa0356a084e48e5cd6f0

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
94KB

MD5
5dd0704117cdc5fa00e74136942720e5

SHA1
cc9cf56bc2d8080dbe4ed10bdd6addff476c9dd4

SHA256
00d59c3367a4cbe568f0b21965096cc59d0dc462e69fd6a0bc79c442040680aa

SHA512
c8ba9b4328468c8f89b6928cddccaf96e240bd365a408c6548a083bdfcaed2b933d7c5a7845f146dfef8ff91c9ac7a2b8b96ebdc80a55a7384eb2c2ab6f3cd21

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
94KB

MD5
d9262471efdf01482cc1586a16e753cf

SHA1
28bf283065564cc382219c20b44cb018e3c7bb49

SHA256
16829631eea7829a99495d9572b7d543883a3f5f7ea165ee760b0639942b8276

SHA512
d86a5c0aacdf6ddf0baa71892344efe150427ae303a61ddb085e425082eddf3a71d18f4f89fb4b1a73e58190985af95b8f3a376e5306beee9ae056673d647762

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
94KB

MD5
e820669536bf1cbe885d3239391393ca

SHA1
b24b3a5080756aeaac1d23b41f3e9491963c4901

SHA256
f1ae5f1abed2e6d9821fbf108f2dee43d830a1f4029164ec367070f4336c9b22

SHA512
e9df99bd1da784924fa2909eea78556348ef68f702acfd95217bf1176b18386c49700068bf9621fac709d6701cb3dc66ea02eeee2bb2bfe639f5bb05418756d8

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
94KB

MD5
2d3e3f4598b0d5fbd8d4852bd857d91d

SHA1
4efe5d78c99843b5f79951e622d0583d4ed5743f

SHA256
e5909b2a8be42c85b8c08d14f50b738c4ee035b994cbf981edd496ef42005dd3

SHA512
ad5f35e2420869d73668505e8ed3c3c5df9738b3891430a62eaeedeb919e3de6f99486c8cb18aac403dcf31b6062f3638d71c93e5ccb030edb6ed78905f8e708

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
94KB

MD5
91f6705a9e19a27e5cc08b55c02c2b49

SHA1
8ab6a671dfa73d62da752e0606834d2a5afa3426

SHA256
b254964c0360a904ab733b5b25e674a5cd470d80dba60b311f6f58d3e279578d

SHA512
5288d742c02400a1e2bcfc257ba95a498605f12bef48298de36dfb9185a528dd92f5ed160d7c28a1e28b528df18e96cdfbf6d7650f73b120af74eb5a7479c29a

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
94KB

MD5
be22f5881eef52ddec383d377f12b51b

SHA1
17787f721123f1af2757d579dd6d4edee48c6bea

SHA256
140cb766c1068ee500545a3a409110a5c8d3ebc9e85a3dd837129683cdf3ae5c

SHA512
a5ddc48d5afc2435b33b9340539e4e626e15aaa9aced35ac3a819eeb5cfff0a8b5e66484c6c8e38541d75d0649797d5a1a8ba3d464a692e887d2213774330f71

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
94KB

MD5
63bcec3d35bb480abe9925f2878cfea0

SHA1
1b8a864549dbdd2e56339fc39e56f88f2f2b9bf9

SHA256
fe3a91d92ccac77dbd025a4845078e91032a7c9d29cd5b7eb89081f3e79aaf88

SHA512
0bf480f472a3347757a83b2f369f4524154705eb65079fa64da549ee0b26ae1fb9f0bedce2b86e24177425969fbdc228ddc04f37e6c41b922851c66d4f3cd99f

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
94KB

MD5
a5dd01d5c46c2fe7fecfcc9f6357adce

SHA1
6260ca4703cfe4707209e15b87de5da0bee9c7fa

SHA256
10ab12b4ae7a14b046f221a139d2a5af567ac2e4d9c0ae1d6dab489f09ae3514

SHA512
fac682370e0ecd82e82b5b22148010ba62cc72e3f7fa5e9d8677a033cd10cba2366415a9f3c5b730b17c3c23dba78e2f4fe69b3a21387ad39132033e24eb83fa

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
94KB

MD5
3ff5eeda2d4890b4fe7eff38d2d6f52f

SHA1
e19ff2f745470d3f5f30af0979decea5c16d6f47

SHA256
f0921b16d59e5f8ce3e910a5aeba659c556f5d1b1f807d6db3fc51b3526fd80a

SHA512
7ddb665e0cbbf29e2e8edde8a8d70ae511ec60bc938cc712d14cf6dc3ce104c2b0ab066da63f61e3b6e86c755b2ff4951d742bcc3b97f45a93a2ab00af02cd02

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
94KB

MD5
2688cd221cb68772b6a5991a3c0e20ef

SHA1
b732abfb7208def27738d1d5f29025cfaf8a4eb4

SHA256
5722af4d92682eab743f7c29bebdc42b92da7fd6af796c03aa2155487dcb8836

SHA512
69a6e3d851a438440d813b8ad664d5298df1d4137a5550804c7e9f2f40c1bb2cbaa97470a00e44f4b5f4f15cf51df683522eb92ca2b1b1b46aed842654e67814

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
94KB

MD5
8041a12816885e34b9c43accb4db60c6

SHA1
d2788693999da33d1f05d4e440af695a2786bc3c

SHA256
095e81721c30a639135bf4969c4249543e240053c05f3e83be98baa7a7ea6315

SHA512
2bc54e3052c3ea2e2de43ffbe1d6ff5b0b1c09ad21651afe68fe43909e62f4e678c6d483518779f7dfd7ce258a30df3b57e91dc3ec7a25798863591277dc9037

Download Submit
C:\Windows\SysWOW64\Ibagcc32.exe

Filesize
94KB

MD5
f3e612dcfb34f8f01898f1b8c37764f6

SHA1
0b0dbb79b00d8e7440a90cad4be15ed577341f6f

SHA256
068d24cc6f61b542998bbd2ea8031972e9df12f778be1158ffd1d64a9887086a

SHA512
158dda8faa48fe98d6882ba4f30fe7924f98d40f0c3b559cda06e4ece69c1fb7ecc04ab7978e6893c38870b3d71ad0adc1eb0b5bfb7c2ac2e761096ab9478a83

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
94KB

MD5
74d4ed1f13535150f209c0d2fcb488b6

SHA1
6f0fd216170619eb41447479dacf3fc99fa2bbcf

SHA256
3c0c74c33bd36a9d9b86664d4269cd4708a062ebc66aa30a8f549112dbb3f345

SHA512
f8af0e43e586a865d12f9462e81d29925a9d581d286cb8c2207ffdea8404f67c56f0940b8fad2a19e8fc60a7b5b0c71a01352bd8ab3c8543a4cb7b63a503a6e7

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
94KB

MD5
a9699848490c295f63dac4a09087a081

SHA1
36f198bde845325d938fce6157c91494f18783fa

SHA256
b762db8a82dda3a2677aa9d28fbf44c4c391036e08a0826fa7c4808d0e9d0204

SHA512
bd891c1b3916445d2897a684df84d1965e228af87f1d2cc3926bca5988b8ae064ba3881cf8b114665fc8565804d60565356484e9edc1acb9e2b2c013d979f92b

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
94KB

MD5
8e4f1ce3c5a3dc59da92df00ee391fbf

SHA1
e812d96aab73dc2aa6750b66a7b24764d5ca2207

SHA256
66856ab1882f27fda5864c9dbaaa1b9366ef8072f67299ff7ed049eaeb73d5d1

SHA512
328981c1d68056ff926caf1943341bb66a3cbc61c6f73e03ce6875a69b814ff59abbebdd423c0a677ca85ee766087cf450d3daa7846e4626e6065bbb6d007964

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
94KB

MD5
473465fddb54707e37a25eb535b4d8af

SHA1
5169ce8a24541641438c9600e303a732bb32e630

SHA256
a2a8d2214428a94181b1ea5e63b64ddbe7467a253932998eb149444ceabe1a2f

SHA512
075eb30c0ebb34eb12326aa1351abd51295bd47e849336f464fa786488bcc8b946619e54ab6ff9b97a4cabd7dc1eaf2eea53c91344092cc0603a5cc921aa758a

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
94KB

MD5
072ef302a0c2928e61cd5f5266035f7a

SHA1
bb2297108bb10413f115d548ef46e5df7f55ea83

SHA256
9593f32f8ade59fef4b07d6fb343a5b4969ee45d8b59f6a0dc2ba93c06fab306

SHA512
3273ccb5678cc842900835565e3a3c12d13b4643c676a0840705c18023305d82b178400b745dd918f9368766be7999eb8c772ef975bc867dc0775bd87a49864e

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
94KB

MD5
e9c8759b921e388a8e4fe0c902ed1b16

SHA1
11bbb3f99960fa5d34d7244a44a4bf984bc7181f

SHA256
5b8cc40d379b84cd6ae48aadbcbc8858e45af8be84f31f266d6c03e83b598749

SHA512
a8f926cf3be67681006a475a775564a1287e42858050b87e4541bfcbc4c3358368e014803da7a782456537a161c8825bf4d50edd5b7729918c6e005343ee7b80

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
94KB

MD5
c57cba77cd218fb025e72c171eb05316

SHA1
d72a3a31ac3a110f62502fe18247b8228611e17b

SHA256
7003a83be6eafcd61d5ec66f65e494c4d4314df2b2ae789abb1f27e251d19fd9

SHA512
c8ea0e5a4a2a449e930ed5309344d634cd09789405eeab9f599dee6d143962771ca0c7355338c476c332628040da6e465ffba136c0f05c5cccf14eb0da5503c3

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
94KB

MD5
64083f39ca1cc4e7317287c15010799c

SHA1
cd566c4f49c9a91214f50c8515a72eeb9b808bb9

SHA256
9a7635fb1f91851b8fbb0ef3d7b160a3ecc809db1104935658018bc7107abac1

SHA512
d74495fe919c79a503301cbd7fdda258068a1cddaa480a7e80ed10e863cd5000202199a989a99c5e74334f733ad75f187e2a68f3750279b952ea6eff89c1fd53

Download Submit
C:\Windows\SysWOW64\Ipnalhii.exe

Filesize
94KB

MD5
870ba51990cd9521062bdf5bd5137312

SHA1
bab9c84743a132905cff8c9c3cf0f534c8465d87

SHA256
25467e13ba68d652500ab10ce3aa930190f585611182719949260779e9bc4e34

SHA512
1dfc8dd63b9453884142fc91d3bb69ec0f29294ff6fdce16d16aea4345ce42b9158117dccfcc36cf1370146830622ed8696694521431030b96bab74d49616246

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
94KB

MD5
4bc358cbef235bf605fc1cda216bc03c

SHA1
eec32499c997210bef78e789feccd40bc547de0f

SHA256
03e04188e349ad2ccda69fd38263cacd6bff3443441d582a23bf1a87fc7144b1

SHA512
4bdb53674ae46343bbe6dd412304600e15337b4321283b1ccd727034bbe53f440ffec6337070e18f8b795d2c2268396661612fd5c8beeedfca6b1b8f99a8d566

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
94KB

MD5
a27d75a0103f05019911b6175ee95a41

SHA1
7699a9ca47bdbfe68c9246eb4809c837a4cdb170

SHA256
d4b345d2f5739678eabb0d022e719d39a3b5f8e32abff8defb3cd46f06a50679

SHA512
bf34def8ae9ad4883de636e7a0face55244ed466c85714f0bc88b40cd34349ce5e66e8eade5e5fc5099f7ea7cec58d732bb62b3321f7bcdedad204796299b0c1

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
94KB

MD5
52067ecc64b26efdf644e3a1c27657ce

SHA1
0a083ef2389e164c166ac7d21c2769cf16eaf111

SHA256
a0bc3a0b10cf1de960e603424c5ec92de0c38bd258ac9b30f515827c434fae5e

SHA512
4855188ff5fe75eab880738488d641aafe82ff87f26ca35de4677a41bb9628b3adda21346854acc730944a9c0e7a61cab47314df24bfe942a2e05b40c0df34b9

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
94KB

MD5
c804a68cff7a34297a3bdbb0bd75f87d

SHA1
15c1eb1e7c6a7b7c4535c83cbd965cf480c62556

SHA256
99ce8fa52b978695648201c28825fe7feb33220d33fe6c7ad9d556ec91b184c7

SHA512
4cbadae0121a96a3b0faa996b8499ddad01b3ecdb30473b6f9f611d7cb86bb95b113f98621bf7d68fefea36610057b0ecb8b4e081d98b91843fc24c2cb6e6f3e

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
94KB

MD5
5dab87374e9aadff499eab0a4b5339da

SHA1
91a9e25e6a32d004dd8b64f240e204d86a9ea16b

SHA256
300a2a5dcbd76237945123a8131a091d15eb1f3a1b17f29fbab5d0166fa11272

SHA512
15dcdde2384050f89968d7d55afa692c4610c666564b7bc89e5dde6574e9b023062594ffcd1f5bd96a01e21dff1051ad903fdfbddf156ec235e92c6d91b73a0a

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
94KB

MD5
a344154ed9af4bf1e52f1bd7a1261b7c

SHA1
e1ecec61161c2dda2647296267ca587f896e7085

SHA256
33b75ea0854c70027520e5ea30344203169724ca9f9ac58b8c24cf85b83ba507

SHA512
254e2e00644aa977a44c5661bc80d6bb2aeddfa89cc57595c50bc9b762a1f042911e9314088e6d6dd4a20fca5f357fcc9d59834d4e5997d1f2b83d8f2c808d2c

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
94KB

MD5
c9c2a2f35690c6e5a9cb97448f37cd12

SHA1
52f6d3ca54ada2530f57f4c851bb6182551d6bb0

SHA256
9c5652b513257970e54c95f7974ae872ed4ac77906357d6b57189f7704d65a9e

SHA512
7e7d57161518d2da606e83c860f15b25b7f958e19725ec8548e6e6eed3da0dfb06cee4ce3dbbfd0341dbd418d6ec21b7cbd4cef780a5c3117e889fd278d70832

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
94KB

MD5
df6670cd516c5e674fa112d091dc5ac6

SHA1
a28acb374bbc0e2084339b5cb1ef4bf4a503c72f

SHA256
a047dd7a3b14abbb04cc3a21780fe6645b385e772eb3db923cc487da46831498

SHA512
4a2d73e639a438fcca9973ecd45d4787f003699469aac3ab126af1f6c9f0bf6f5ceffd4a9485aa1263bcbcd9bc5a11eb10473211f71feca698f2758579af0b98

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
94KB

MD5
1809183b412df09b7396fb73597bea81

SHA1
96ccf4aab60957fdea7a3f317f0adf660727f468

SHA256
66b46955eae85ef4c3b1ecb6a7969b8b64dfcfe1b85376f4e995af6c78c9316e

SHA512
f7dd82b2e9dbe5b2da03bca280eb6aec3e6e76af3af55e3e7fcff44110f1b4426af61646e94ac97bb6c2f0e5b849c2860a9bce790a0b2761d921a12f925d6465

Download Submit
memory/384-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/384-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/384-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/388-130-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/468-179-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/468-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/632-449-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/644-41-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/644-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/816-304-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/908-408-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/908-347-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/916-149-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1008-473-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1008-402-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1212-302-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1212-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1300-305-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1304-332-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1336-188-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1336-280-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1372-334-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1372-394-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1376-82-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1376-174-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1420-339-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1420-401-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1592-227-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1592-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1680-319-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1832-306-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1984-426-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2064-443-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2072-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2072-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2088-432-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2088-363-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2188-270-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2188-180-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2196-254-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2276-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2276-245-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2364-115-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2364-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2464-361-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2536-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2548-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2548-161-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2708-463-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2748-321-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2748-385-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2752-303-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2824-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2824-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2864-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2864-196-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3132-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3132-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3284-236-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3308-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3308-29-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3312-272-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3512-263-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3556-388-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3556-455-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3564-246-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3644-456-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3884-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3884-320-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3888-187-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3888-99-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4008-205-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4008-116-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4012-386-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4404-434-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4456-228-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4512-281-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4524-395-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4524-462-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4568-253-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4568-166-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4576-207-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4576-316-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4588-148-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4588-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4600-370-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4600-436-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4628-435-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4632-415-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4632-351-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4684-175-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4704-317-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4796-416-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4904-442-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4904-379-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5108-409-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download