berbew | 9f67b8f5989747ab88b868dd2c199e91bd14335307bc9c3362164c864bf90694

Analysis

max time kernel
15s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01-11-2024 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f67b8f5989747ab88b868dd2c199e91bd14335307bc9c3362164c864bf90694.exe
Size

92KB
MD5

e2e65bba3aa62f6bd744ab517f7a8531
SHA1

4ab475c4c9f88fbff7e9da6069e74b002e052626
SHA256

9f67b8f5989747ab88b868dd2c199e91bd14335307bc9c3362164c864bf90694
SHA512

44567784a93b0295a4cb1a31a80c48c7419f5b82b1380359906fe494c6f4cc04cce01ad3ac65b91d4c40f549b12ac5e1a432dc611049a8f6133469e1dead3855
SSDEEP

1536:wrKnI+fAg/clCVKFVjVVzmsA0j2NHEAOASnKQrUoR24HsUs:wrKroVlCWnqpaAB6THsR

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Jgljfmkd.exeKnkkngol.exeLooahi32.exeGbolce32.exeHghhngjb.exeIjhmnf32.exeHahoodqi.exeIdnako32.exeJbmdig32.exeMapjjdjb.exeDfjcncak.exeDflpdb32.exeGifhkpgk.exeJbhkngcd.exeKakdpb32.exeDpedmhfi.exeGgcnbh32.exeHpnpam32.exeJadnoc32.exeLlnhgn32.exeLheilofe.exeEhgoaiml.exeIkcpmieg.exeJchhhjjg.exeHpbilmop.exeKebgea32.exeKleeqp32.exeMcafbm32.exe9f67b8f5989747ab88b868dd2c199e91bd14335307bc9c3362164c864bf90694.exeElpnmhgh.exeFehodaqd.exeGdbeqmag.exeHeoadcmh.exeIogbllfc.exeEpinhg32.exeFimedaoe.exeEmdgjpkd.exeFabppo32.exeEnjand32.exeKbmahjbk.exeLdljqpli.exeIqnlpq32.exeKpcngnob.exeJkeialfp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jgljfmkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knkkngol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Looahi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbolce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hghhngjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijhmnf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hahoodqi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idnako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idnako32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmdig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mapjjdjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfjcncak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dflpdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifhkpgk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhkngcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kakdpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpedmhfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ggcnbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpnpam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jadnoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llnhgn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lheilofe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehgoaiml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikcpmieg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jchhhjjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpbilmop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgljfmkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kebgea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kleeqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcafbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	9f67b8f5989747ab88b868dd2c199e91bd14335307bc9c3362164c864bf90694.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elpnmhgh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fehodaqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gdbeqmag.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Heoadcmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hahoodqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iogbllfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbhkngcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epinhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fimedaoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gifhkpgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Emdgjpkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fabppo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fimedaoe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpbilmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Heoadcmh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9f67b8f5989747ab88b868dd2c199e91bd14335307bc9c3362164c864bf90694.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enjand32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emdgjpkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbmahjbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kleeqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llnhgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lheilofe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldljqpli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iqnlpq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ikcpmieg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbmdig32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcafbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kakdpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpcngnob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mapjjdjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jkeialfp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldljqpli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fehodaqd.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 49 IoCs

Processes:

Dmaoem32.exeDfjcncak.exeDflpdb32.exeDpedmhfi.exeEnjand32.exeEpinhg32.exeElpnmhgh.exeEhgoaiml.exeEmdgjpkd.exeFabppo32.exeFimedaoe.exeFfaeneno.exeFehodaqd.exeGifhkpgk.exeGbolce32.exeGdbeqmag.exeGgcnbh32.exeGdgoll32.exeHpnpam32.exeHghhngjb.exeHemeod32.exeHpbilmop.exeHeoadcmh.exeHlijan32.exeHahoodqi.exeIkcpmieg.exeIjhmnf32.exeIdnako32.exeIogbllfc.exeJbhkngcd.exeJchhhjjg.exeJbmdig32.exeJkeialfp.exeJgljfmkd.exeJadnoc32.exeKebgea32.exeKnkkngol.exeKakdpb32.exeKbmahjbk.exeKleeqp32.exeKpcngnob.exeLlnhgn32.exeLheilofe.exeLooahi32.exeLdljqpli.exeMapjjdjb.exeMcafbm32.exeMpegka32.exeMllhpb32.exe

pid	process
2644	Dmaoem32.exe
3020	Dfjcncak.exe
2288	Dflpdb32.exe
2920	Dpedmhfi.exe
2676	Enjand32.exe
1664	Epinhg32.exe
2724	Elpnmhgh.exe
2220	Ehgoaiml.exe
2588	Emdgjpkd.exe
2092	Fabppo32.exe
1984	Fimedaoe.exe
1656	Ffaeneno.exe
1708	Fehodaqd.exe
2248	Gifhkpgk.exe
2516	Gbolce32.exe
1956	Gdbeqmag.exe
1732	Ggcnbh32.exe
2224	Gdgoll32.exe
1804	Hpnpam32.exe
856	Hghhngjb.exe
2468	Hemeod32.exe
2628	Hpbilmop.exe
1204	Heoadcmh.exe
1792	Hlijan32.exe
2592	Hahoodqi.exe
1592	Ikcpmieg.exe
3016	Ijhmnf32.exe
2540	Idnako32.exe
2808	Iogbllfc.exe
2860	Jbhkngcd.exe
2712	Jchhhjjg.exe
2744	Jbmdig32.exe
2116	Jkeialfp.exe
1632	Jgljfmkd.exe
1980	Jadnoc32.exe
1560	Kebgea32.exe
3008	Knkkngol.exe
2252	Kakdpb32.exe
1376	Kbmahjbk.exe
2416	Kleeqp32.exe
2320	Kpcngnob.exe
2156	Llnhgn32.exe
2228	Lheilofe.exe
1816	Looahi32.exe
2036	Ldljqpli.exe
2104	Mapjjdjb.exe
2640	Mcafbm32.exe
2560	Mpegka32.exe
2612	Mllhpb32.exe

Loads dropped DLL 64 IoCs

Processes:

9f67b8f5989747ab88b868dd2c199e91bd14335307bc9c3362164c864bf90694.exeDmaoem32.exeDfjcncak.exeDflpdb32.exeDpedmhfi.exeEnjand32.exeEpinhg32.exeElpnmhgh.exeEhgoaiml.exeEmdgjpkd.exeFabppo32.exeFimedaoe.exeFfaeneno.exeFehodaqd.exeGifhkpgk.exeGbolce32.exeGdbeqmag.exeGgcnbh32.exeGdgoll32.exeHpnpam32.exeHghhngjb.exeHemeod32.exeHpbilmop.exeHeoadcmh.exeHlijan32.exeIqnlpq32.exeIkcpmieg.exeIjhmnf32.exeIdnako32.exeIogbllfc.exeJbhkngcd.exeJchhhjjg.exe

pid	process
2304	9f67b8f5989747ab88b868dd2c199e91bd14335307bc9c3362164c864bf90694.exe
2304	9f67b8f5989747ab88b868dd2c199e91bd14335307bc9c3362164c864bf90694.exe
2644	Dmaoem32.exe
2644	Dmaoem32.exe
3020	Dfjcncak.exe
3020	Dfjcncak.exe
2288	Dflpdb32.exe
2288	Dflpdb32.exe
2920	Dpedmhfi.exe
2920	Dpedmhfi.exe
2676	Enjand32.exe
2676	Enjand32.exe
1664	Epinhg32.exe
1664	Epinhg32.exe
2724	Elpnmhgh.exe
2724	Elpnmhgh.exe
2220	Ehgoaiml.exe
2220	Ehgoaiml.exe
2588	Emdgjpkd.exe
2588	Emdgjpkd.exe
2092	Fabppo32.exe
2092	Fabppo32.exe
1984	Fimedaoe.exe
1984	Fimedaoe.exe
1656	Ffaeneno.exe
1656	Ffaeneno.exe
1708	Fehodaqd.exe
1708	Fehodaqd.exe
2248	Gifhkpgk.exe
2248	Gifhkpgk.exe
2516	Gbolce32.exe
2516	Gbolce32.exe
1956	Gdbeqmag.exe
1956	Gdbeqmag.exe
1732	Ggcnbh32.exe
1732	Ggcnbh32.exe
2224	Gdgoll32.exe
2224	Gdgoll32.exe
1804	Hpnpam32.exe
1804	Hpnpam32.exe
856	Hghhngjb.exe
856	Hghhngjb.exe
2468	Hemeod32.exe
2468	Hemeod32.exe
2628	Hpbilmop.exe
2628	Hpbilmop.exe
1204	Heoadcmh.exe
1204	Heoadcmh.exe
1792	Hlijan32.exe
1792	Hlijan32.exe
1620	Iqnlpq32.exe
1620	Iqnlpq32.exe
1592	Ikcpmieg.exe
1592	Ikcpmieg.exe
3016	Ijhmnf32.exe
3016	Ijhmnf32.exe
2540	Idnako32.exe
2540	Idnako32.exe
2808	Iogbllfc.exe
2808	Iogbllfc.exe
2860	Jbhkngcd.exe
2860	Jbhkngcd.exe
2712	Jchhhjjg.exe
2712	Jchhhjjg.exe

Drops file in System32 directory 64 IoCs

Processes:

Iogbllfc.exe9f67b8f5989747ab88b868dd2c199e91bd14335307bc9c3362164c864bf90694.exeElpnmhgh.exeFimedaoe.exeGdbeqmag.exeJchhhjjg.exeJbmdig32.exeJadnoc32.exeKleeqp32.exeDflpdb32.exeEhgoaiml.exeEmdgjpkd.exeHemeod32.exeJbhkngcd.exeKakdpb32.exeMapjjdjb.exeGifhkpgk.exeHeoadcmh.exeLlnhgn32.exeDmaoem32.exeGdgoll32.exeIkcpmieg.exeFehodaqd.exeGbolce32.exeLooahi32.exeKpcngnob.exeLdljqpli.exeHghhngjb.exeIdnako32.exeLheilofe.exeDpedmhfi.exeFabppo32.exeIjhmnf32.exeDfjcncak.exeGgcnbh32.exeKnkkngol.exeEnjand32.exeEpinhg32.exeJkeialfp.exeIqnlpq32.exeJgljfmkd.exeKbmahjbk.exeMpegka32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Obpkabjb.dll	Iogbllfc.exe
File created	C:\Windows\SysWOW64\Lnoncmof.dll	9f67b8f5989747ab88b868dd2c199e91bd14335307bc9c3362164c864bf90694.exe
File created	C:\Windows\SysWOW64\Ehgoaiml.exe	Elpnmhgh.exe
File created	C:\Windows\SysWOW64\Cpfcphnf.dll	Fimedaoe.exe
File opened for modification	C:\Windows\SysWOW64\Ggcnbh32.exe	Gdbeqmag.exe
File created	C:\Windows\SysWOW64\Jbmdig32.exe	Jchhhjjg.exe
File created	C:\Windows\SysWOW64\Jkeialfp.exe	Jbmdig32.exe
File created	C:\Windows\SysWOW64\Jioldg32.dll	Jadnoc32.exe
File opened for modification	C:\Windows\SysWOW64\Kpcngnob.exe	Kleeqp32.exe
File created	C:\Windows\SysWOW64\Dpedmhfi.exe	Dflpdb32.exe
File opened for modification	C:\Windows\SysWOW64\Emdgjpkd.exe	Ehgoaiml.exe
File opened for modification	C:\Windows\SysWOW64\Fabppo32.exe	Emdgjpkd.exe
File created	C:\Windows\SysWOW64\Epblob32.dll	Hemeod32.exe
File created	C:\Windows\SysWOW64\Jchhhjjg.exe	Jbhkngcd.exe
File opened for modification	C:\Windows\SysWOW64\Kbmahjbk.exe	Kakdpb32.exe
File created	C:\Windows\SysWOW64\Mcafbm32.exe	Mapjjdjb.exe
File created	C:\Windows\SysWOW64\Kqfgpkij.dll	Mapjjdjb.exe
File created	C:\Windows\SysWOW64\Hlgpmnkj.dll	Gifhkpgk.exe
File opened for modification	C:\Windows\SysWOW64\Hpbilmop.exe	Hemeod32.exe
File opened for modification	C:\Windows\SysWOW64\Hlijan32.exe	Heoadcmh.exe
File opened for modification	C:\Windows\SysWOW64\Jbhkngcd.exe	Iogbllfc.exe
File created	C:\Windows\SysWOW64\Cbbfhncl.dll	Llnhgn32.exe
File created	C:\Windows\SysWOW64\Dfjcncak.exe	Dmaoem32.exe
File created	C:\Windows\SysWOW64\Alnndlmh.dll	Gdgoll32.exe
File opened for modification	C:\Windows\SysWOW64\Ijhmnf32.exe	Ikcpmieg.exe
File opened for modification	C:\Windows\SysWOW64\Jchhhjjg.exe	Jbhkngcd.exe
File opened for modification	C:\Windows\SysWOW64\Mcafbm32.exe	Mapjjdjb.exe
File created	C:\Windows\SysWOW64\Gifhkpgk.exe	Fehodaqd.exe
File created	C:\Windows\SysWOW64\Iiogbn32.dll	Fehodaqd.exe
File created	C:\Windows\SysWOW64\Gdbeqmag.exe	Gbolce32.exe
File opened for modification	C:\Windows\SysWOW64\Ldljqpli.exe	Looahi32.exe
File opened for modification	C:\Windows\SysWOW64\Jbmdig32.exe	Jchhhjjg.exe
File created	C:\Windows\SysWOW64\Llnhgn32.exe	Kpcngnob.exe
File created	C:\Windows\SysWOW64\Hfcncl32.dll	Ldljqpli.exe
File created	C:\Windows\SysWOW64\Fabppo32.exe	Emdgjpkd.exe
File opened for modification	C:\Windows\SysWOW64\Hemeod32.exe	Hghhngjb.exe
File created	C:\Windows\SysWOW64\Ilicbg32.dll	Heoadcmh.exe
File created	C:\Windows\SysWOW64\Iogbllfc.exe	Idnako32.exe
File created	C:\Windows\SysWOW64\Looahi32.exe	Lheilofe.exe
File created	C:\Windows\SysWOW64\Lelnjj32.dll	Dpedmhfi.exe
File opened for modification	C:\Windows\SysWOW64\Fimedaoe.exe	Fabppo32.exe
File created	C:\Windows\SysWOW64\Ijhmnf32.exe	Ikcpmieg.exe
File created	C:\Windows\SysWOW64\Jbhkngcd.exe	Iogbllfc.exe
File created	C:\Windows\SysWOW64\Idnako32.exe	Ijhmnf32.exe
File opened for modification	C:\Windows\SysWOW64\Lheilofe.exe	Llnhgn32.exe
File created	C:\Windows\SysWOW64\Mhaiefep.dll	Lheilofe.exe
File opened for modification	C:\Windows\SysWOW64\Dflpdb32.exe	Dfjcncak.exe
File created	C:\Windows\SysWOW64\Fimedaoe.exe	Fabppo32.exe
File opened for modification	C:\Windows\SysWOW64\Ffaeneno.exe	Fimedaoe.exe
File created	C:\Windows\SysWOW64\Gdgoll32.exe	Ggcnbh32.exe
File created	C:\Windows\SysWOW64\Kakdpb32.exe	Knkkngol.exe
File created	C:\Windows\SysWOW64\Bhgjifff.dll	Jchhhjjg.exe
File created	C:\Windows\SysWOW64\Aceapdem.dll	Kleeqp32.exe
File created	C:\Windows\SysWOW64\Ldljqpli.exe	Looahi32.exe
File created	C:\Windows\SysWOW64\Dmaoem32.exe	9f67b8f5989747ab88b868dd2c199e91bd14335307bc9c3362164c864bf90694.exe
File created	C:\Windows\SysWOW64\Enjqaegh.dll	Enjand32.exe
File created	C:\Windows\SysWOW64\Nokabf32.dll	Elpnmhgh.exe
File created	C:\Windows\SysWOW64\Ipfkdi32.dll	Idnako32.exe
File created	C:\Windows\SysWOW64\Mcdqeq32.dll	Epinhg32.exe
File created	C:\Windows\SysWOW64\Eamqahed.dll	Jkeialfp.exe
File created	C:\Windows\SysWOW64\Ikcpmieg.exe	Iqnlpq32.exe
File created	C:\Windows\SysWOW64\Pcdggbbn.dll	Jgljfmkd.exe
File opened for modification	C:\Windows\SysWOW64\Kleeqp32.exe	Kbmahjbk.exe
File created	C:\Windows\SysWOW64\Mllhpb32.exe	Mpegka32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2608 2612 WerFault.exe Mllhpb32.exe

pid	pid_target	process	target process
2608	2612	WerFault.exe	Mllhpb32.exe

System Location Discovery: System Language Discovery 1 TTPs 51 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Fimedaoe.exeIqnlpq32.exeDfjcncak.exeJchhhjjg.exeKnkkngol.exeMllhpb32.exeGdbeqmag.exeEnjand32.exeEpinhg32.exeEmdgjpkd.exeFehodaqd.exeHpnpam32.exeLdljqpli.exeDmaoem32.exeElpnmhgh.exeGifhkpgk.exeHeoadcmh.exeIdnako32.exeLheilofe.exeMapjjdjb.exeMpegka32.exeDflpdb32.exeFabppo32.exeGgcnbh32.exeHghhngjb.exeHpbilmop.exeIjhmnf32.exeJbmdig32.exeJgljfmkd.exeDpedmhfi.exeHahoodqi.exeIkcpmieg.exeIogbllfc.exeJadnoc32.exeKakdpb32.exeKpcngnob.exeMcafbm32.exeGbolce32.exeHemeod32.exeHlijan32.exeKebgea32.exeKbmahjbk.exeLlnhgn32.exeLooahi32.exeFfaeneno.exeEhgoaiml.exeGdgoll32.exeJbhkngcd.exeJkeialfp.exeKleeqp32.exe9f67b8f5989747ab88b868dd2c199e91bd14335307bc9c3362164c864bf90694.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fimedaoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iqnlpq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfjcncak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jchhhjjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knkkngol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mllhpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdbeqmag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enjand32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epinhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emdgjpkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fehodaqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hpnpam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldljqpli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmaoem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elpnmhgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gifhkpgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Heoadcmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idnako32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lheilofe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mapjjdjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpegka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dflpdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fabppo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggcnbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hghhngjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hpbilmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijhmnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbmdig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgljfmkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpedmhfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hahoodqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikcpmieg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iogbllfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jadnoc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kakdpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpcngnob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcafbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbolce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hemeod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hlijan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kebgea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbmahjbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llnhgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Looahi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ffaeneno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ehgoaiml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdgoll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbhkngcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkeialfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kleeqp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f67b8f5989747ab88b868dd2c199e91bd14335307bc9c3362164c864bf90694.exe

Modifies registry class 64 IoCs

Processes:

Hahoodqi.exeLlnhgn32.exe9f67b8f5989747ab88b868dd2c199e91bd14335307bc9c3362164c864bf90694.exeFehodaqd.exeHpbilmop.exeDflpdb32.exeFimedaoe.exeIkcpmieg.exeJchhhjjg.exeKebgea32.exeLooahi32.exeLdljqpli.exeFfaeneno.exeGdbeqmag.exeHeoadcmh.exeGdgoll32.exeIjhmnf32.exeMapjjdjb.exeHghhngjb.exeJadnoc32.exeJkeialfp.exeLheilofe.exeIdnako32.exeKpcngnob.exeGifhkpgk.exeEmdgjpkd.exeKnkkngol.exeKakdpb32.exeMpegka32.exeDfjcncak.exeDpedmhfi.exeHemeod32.exeJbhkngcd.exeDmaoem32.exeIqnlpq32.exeGgcnbh32.exeEhgoaiml.exeGbolce32.exeJgljfmkd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hahoodqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llnhgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	9f67b8f5989747ab88b868dd2c199e91bd14335307bc9c3362164c864bf90694.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fehodaqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpbilmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkpaaa32.dll"	Dflpdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fimedaoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ikcpmieg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jchhhjjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnchedie.dll"	Kebgea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llnhgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aepipcbp.dll"	Looahi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldljqpli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ffaeneno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gdbeqmag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilicbg32.dll"	Heoadcmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gdgoll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijhmnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mapjjdjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikgmap32.dll"	Hghhngjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jioldg32.dll"	Jadnoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	9f67b8f5989747ab88b868dd2c199e91bd14335307bc9c3362164c864bf90694.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jkeialfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lheilofe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gdgoll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipfkdi32.dll"	Idnako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhgjifff.dll"	Jchhhjjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmeocnah.dll"	Kpcngnob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpcngnob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fehodaqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gifhkpgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgaahp32.dll"	Gdbeqmag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbbfhncl.dll"	Llnhgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klliop32.dll"	Emdgjpkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpfcphnf.dll"	Fimedaoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ikcpmieg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jkeialfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Knkkngol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kakdpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpegka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnoncmof.dll"	9f67b8f5989747ab88b868dd2c199e91bd14335307bc9c3362164c864bf90694.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfjcncak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dpedmhfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epblob32.dll"	Hemeod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Japjgqec.dll"	Jbhkngcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jadnoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmaoem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfjcncak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelnjj32.dll"	Dpedmhfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jchhhjjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jadnoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Looahi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmaoem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffpjfep.dll"	Iqnlpq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Idnako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ggcnbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hghhngjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfcncl32.dll"	Ldljqpli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldljqpli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqfgpkij.dll"	Mapjjdjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	9f67b8f5989747ab88b868dd2c199e91bd14335307bc9c3362164c864bf90694.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ehgoaiml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gbolce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jgljfmkd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2304 wrote to memory of 2644	2304	9f67b8f5989747ab88b868dd2c199e91bd14335307bc9c3362164c864bf90694.exe	Dmaoem32.exe
PID 2304 wrote to memory of 2644	2304	9f67b8f5989747ab88b868dd2c199e91bd14335307bc9c3362164c864bf90694.exe	Dmaoem32.exe
PID 2304 wrote to memory of 2644	2304	9f67b8f5989747ab88b868dd2c199e91bd14335307bc9c3362164c864bf90694.exe	Dmaoem32.exe
PID 2304 wrote to memory of 2644	2304	9f67b8f5989747ab88b868dd2c199e91bd14335307bc9c3362164c864bf90694.exe	Dmaoem32.exe
PID 2644 wrote to memory of 3020	2644	Dmaoem32.exe	Dfjcncak.exe
PID 2644 wrote to memory of 3020	2644	Dmaoem32.exe	Dfjcncak.exe
PID 2644 wrote to memory of 3020	2644	Dmaoem32.exe	Dfjcncak.exe
PID 2644 wrote to memory of 3020	2644	Dmaoem32.exe	Dfjcncak.exe
PID 3020 wrote to memory of 2288	3020	Dfjcncak.exe	Dflpdb32.exe
PID 3020 wrote to memory of 2288	3020	Dfjcncak.exe	Dflpdb32.exe
PID 3020 wrote to memory of 2288	3020	Dfjcncak.exe	Dflpdb32.exe
PID 3020 wrote to memory of 2288	3020	Dfjcncak.exe	Dflpdb32.exe
PID 2288 wrote to memory of 2920	2288	Dflpdb32.exe	Dpedmhfi.exe
PID 2288 wrote to memory of 2920	2288	Dflpdb32.exe	Dpedmhfi.exe
PID 2288 wrote to memory of 2920	2288	Dflpdb32.exe	Dpedmhfi.exe
PID 2288 wrote to memory of 2920	2288	Dflpdb32.exe	Dpedmhfi.exe
PID 2920 wrote to memory of 2676	2920	Dpedmhfi.exe	Enjand32.exe
PID 2920 wrote to memory of 2676	2920	Dpedmhfi.exe	Enjand32.exe
PID 2920 wrote to memory of 2676	2920	Dpedmhfi.exe	Enjand32.exe
PID 2920 wrote to memory of 2676	2920	Dpedmhfi.exe	Enjand32.exe
PID 2676 wrote to memory of 1664	2676	Enjand32.exe	Epinhg32.exe
PID 2676 wrote to memory of 1664	2676	Enjand32.exe	Epinhg32.exe
PID 2676 wrote to memory of 1664	2676	Enjand32.exe	Epinhg32.exe
PID 2676 wrote to memory of 1664	2676	Enjand32.exe	Epinhg32.exe
PID 1664 wrote to memory of 2724	1664	Epinhg32.exe	Elpnmhgh.exe
PID 1664 wrote to memory of 2724	1664	Epinhg32.exe	Elpnmhgh.exe
PID 1664 wrote to memory of 2724	1664	Epinhg32.exe	Elpnmhgh.exe
PID 1664 wrote to memory of 2724	1664	Epinhg32.exe	Elpnmhgh.exe
PID 2724 wrote to memory of 2220	2724	Elpnmhgh.exe	Ehgoaiml.exe
PID 2724 wrote to memory of 2220	2724	Elpnmhgh.exe	Ehgoaiml.exe
PID 2724 wrote to memory of 2220	2724	Elpnmhgh.exe	Ehgoaiml.exe
PID 2724 wrote to memory of 2220	2724	Elpnmhgh.exe	Ehgoaiml.exe
PID 2220 wrote to memory of 2588	2220	Ehgoaiml.exe	Emdgjpkd.exe
PID 2220 wrote to memory of 2588	2220	Ehgoaiml.exe	Emdgjpkd.exe
PID 2220 wrote to memory of 2588	2220	Ehgoaiml.exe	Emdgjpkd.exe
PID 2220 wrote to memory of 2588	2220	Ehgoaiml.exe	Emdgjpkd.exe
PID 2588 wrote to memory of 2092	2588	Emdgjpkd.exe	Fabppo32.exe
PID 2588 wrote to memory of 2092	2588	Emdgjpkd.exe	Fabppo32.exe
PID 2588 wrote to memory of 2092	2588	Emdgjpkd.exe	Fabppo32.exe
PID 2588 wrote to memory of 2092	2588	Emdgjpkd.exe	Fabppo32.exe
PID 2092 wrote to memory of 1984	2092	Fabppo32.exe	Fimedaoe.exe
PID 2092 wrote to memory of 1984	2092	Fabppo32.exe	Fimedaoe.exe
PID 2092 wrote to memory of 1984	2092	Fabppo32.exe	Fimedaoe.exe
PID 2092 wrote to memory of 1984	2092	Fabppo32.exe	Fimedaoe.exe
PID 1984 wrote to memory of 1656	1984	Fimedaoe.exe	Ffaeneno.exe
PID 1984 wrote to memory of 1656	1984	Fimedaoe.exe	Ffaeneno.exe
PID 1984 wrote to memory of 1656	1984	Fimedaoe.exe	Ffaeneno.exe
PID 1984 wrote to memory of 1656	1984	Fimedaoe.exe	Ffaeneno.exe
PID 1656 wrote to memory of 1708	1656	Ffaeneno.exe	Fehodaqd.exe
PID 1656 wrote to memory of 1708	1656	Ffaeneno.exe	Fehodaqd.exe
PID 1656 wrote to memory of 1708	1656	Ffaeneno.exe	Fehodaqd.exe
PID 1656 wrote to memory of 1708	1656	Ffaeneno.exe	Fehodaqd.exe
PID 1708 wrote to memory of 2248	1708	Fehodaqd.exe	Gifhkpgk.exe
PID 1708 wrote to memory of 2248	1708	Fehodaqd.exe	Gifhkpgk.exe
PID 1708 wrote to memory of 2248	1708	Fehodaqd.exe	Gifhkpgk.exe
PID 1708 wrote to memory of 2248	1708	Fehodaqd.exe	Gifhkpgk.exe
PID 2248 wrote to memory of 2516	2248	Gifhkpgk.exe	Gbolce32.exe
PID 2248 wrote to memory of 2516	2248	Gifhkpgk.exe	Gbolce32.exe
PID 2248 wrote to memory of 2516	2248	Gifhkpgk.exe	Gbolce32.exe
PID 2248 wrote to memory of 2516	2248	Gifhkpgk.exe	Gbolce32.exe
PID 2516 wrote to memory of 1956	2516	Gbolce32.exe	Gdbeqmag.exe
PID 2516 wrote to memory of 1956	2516	Gbolce32.exe	Gdbeqmag.exe
PID 2516 wrote to memory of 1956	2516	Gbolce32.exe	Gdbeqmag.exe
PID 2516 wrote to memory of 1956	2516	Gbolce32.exe	Gdbeqmag.exe

C:\Users\Admin\AppData\Local\Temp\9f67b8f5989747ab88b868dd2c199e91bd14335307bc9c3362164c864bf90694.exe
"C:\Users\Admin\AppData\Local\Temp\9f67b8f5989747ab88b868dd2c199e91bd14335307bc9c3362164c864bf90694.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\SysWOW64\Dmaoem32.exe
C:\Windows\system32\Dmaoem32.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SysWOW64\Dfjcncak.exe
C:\Windows\system32\Dfjcncak.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\SysWOW64\Dflpdb32.exe
C:\Windows\system32\Dflpdb32.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\SysWOW64\Dpedmhfi.exe
C:\Windows\system32\Dpedmhfi.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\SysWOW64\Enjand32.exe
C:\Windows\system32\Enjand32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\SysWOW64\Epinhg32.exe
C:\Windows\system32\Epinhg32.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\Elpnmhgh.exe
C:\Windows\system32\Elpnmhgh.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\SysWOW64\Ehgoaiml.exe
C:\Windows\system32\Ehgoaiml.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\SysWOW64\Emdgjpkd.exe
C:\Windows\system32\Emdgjpkd.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\SysWOW64\Fabppo32.exe
C:\Windows\system32\Fabppo32.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\SysWOW64\Fimedaoe.exe
C:\Windows\system32\Fimedaoe.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\Ffaeneno.exe
C:\Windows\system32\Ffaeneno.exe
13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\Fehodaqd.exe
C:\Windows\system32\Fehodaqd.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\Gifhkpgk.exe
C:\Windows\system32\Gifhkpgk.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\SysWOW64\Gbolce32.exe
C:\Windows\system32\Gbolce32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\SysWOW64\Gdbeqmag.exe
C:\Windows\system32\Gdbeqmag.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1956

C:\Windows\SysWOW64\Ggcnbh32.exe
C:\Windows\system32\Ggcnbh32.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1732

C:\Windows\SysWOW64\Gdgoll32.exe
C:\Windows\system32\Gdgoll32.exe
19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2224

C:\Windows\SysWOW64\Hpnpam32.exe
C:\Windows\system32\Hpnpam32.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1804

C:\Windows\SysWOW64\Hghhngjb.exe
C:\Windows\system32\Hghhngjb.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:856

C:\Windows\SysWOW64\Hemeod32.exe
C:\Windows\system32\Hemeod32.exe
22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2468

C:\Windows\SysWOW64\Hpbilmop.exe
C:\Windows\system32\Hpbilmop.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2628

C:\Windows\SysWOW64\Heoadcmh.exe
C:\Windows\system32\Heoadcmh.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1204

C:\Windows\SysWOW64\Hlijan32.exe
C:\Windows\system32\Hlijan32.exe
25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1792

C:\Windows\SysWOW64\Hahoodqi.exe
C:\Windows\system32\Hahoodqi.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2592

C:\Windows\SysWOW64\Iqnlpq32.exe
C:\Windows\system32\Iqnlpq32.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1620

C:\Windows\SysWOW64\Ikcpmieg.exe
C:\Windows\system32\Ikcpmieg.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1592

C:\Windows\SysWOW64\Ijhmnf32.exe
C:\Windows\system32\Ijhmnf32.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3016

C:\Windows\SysWOW64\Idnako32.exe
C:\Windows\system32\Idnako32.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2540

C:\Windows\SysWOW64\Iogbllfc.exe
C:\Windows\system32\Iogbllfc.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2808

C:\Windows\SysWOW64\Jbhkngcd.exe
C:\Windows\system32\Jbhkngcd.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2860

C:\Windows\SysWOW64\Jchhhjjg.exe
C:\Windows\system32\Jchhhjjg.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2712

C:\Windows\SysWOW64\Jbmdig32.exe
C:\Windows\system32\Jbmdig32.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2744

C:\Windows\SysWOW64\Jkeialfp.exe
C:\Windows\system32\Jkeialfp.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2116

C:\Windows\SysWOW64\Jgljfmkd.exe
C:\Windows\system32\Jgljfmkd.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1632

C:\Windows\SysWOW64\Jadnoc32.exe
C:\Windows\system32\Jadnoc32.exe
37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1980

C:\Windows\SysWOW64\Kebgea32.exe
C:\Windows\system32\Kebgea32.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1560

C:\Windows\SysWOW64\Knkkngol.exe
C:\Windows\system32\Knkkngol.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3008

C:\Windows\SysWOW64\Kakdpb32.exe
C:\Windows\system32\Kakdpb32.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2252

C:\Windows\SysWOW64\Kbmahjbk.exe
C:\Windows\system32\Kbmahjbk.exe
41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1376

C:\Windows\SysWOW64\Kleeqp32.exe
C:\Windows\system32\Kleeqp32.exe
42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2416

C:\Windows\SysWOW64\Kpcngnob.exe
C:\Windows\system32\Kpcngnob.exe
43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2320

C:\Windows\SysWOW64\Llnhgn32.exe
C:\Windows\system32\Llnhgn32.exe
44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2156

C:\Windows\SysWOW64\Lheilofe.exe
C:\Windows\system32\Lheilofe.exe
45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2228

C:\Windows\SysWOW64\Looahi32.exe
C:\Windows\system32\Looahi32.exe
46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1816

C:\Windows\SysWOW64\Ldljqpli.exe
C:\Windows\system32\Ldljqpli.exe
47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2036

C:\Windows\SysWOW64\Mapjjdjb.exe
C:\Windows\system32\Mapjjdjb.exe
48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2104

C:\Windows\SysWOW64\Mcafbm32.exe
C:\Windows\system32\Mcafbm32.exe
49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2640

C:\Windows\SysWOW64\Mpegka32.exe
C:\Windows\system32\Mpegka32.exe
50⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2560

C:\Windows\SysWOW64\Mllhpb32.exe
C:\Windows\system32\Mllhpb32.exe
51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 140
52⤵
- Program crash
PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dmaoem32.exe

Filesize
92KB

MD5
03f6b0d289fc5a983a9c361c2605c131

SHA1
3b7a8a16e915c56a45a4d1efe3c8a2e7d13f4164

SHA256
27979b428056456c4bee03e1cf70fd054e4d493195b61cd07c1540b9de35380c

SHA512
30119d6c0f5e412b00a1bb147c0a0c9c1408fa3d88896f54c786cdb859d0f6247030344aaf373d8f939ae336fc805db217f972a8e0d976dc8cbc840e951c7f73

Download Submit
C:\Windows\SysWOW64\Gdgoll32.exe

Filesize
92KB

MD5
ef61c775491386aa66db6d683e469f18

SHA1
00c5c11cee5ba92061d8941fdcf1475664ac278c

SHA256
ba11b97daa993d13f0537e533b1fabd8d41ea2b24e9271a516212a05f68917e2

SHA512
b1685701d3729f2dd3074250e5f93c5391484e49363fb56a7ee099f4b2e98b036aba230692a6409a01496270f0138449b42b9043021584fabec89682fc20452a

Download Submit
C:\Windows\SysWOW64\Ggcnbh32.exe

Filesize
92KB

MD5
226254e6b2834dbfd88c78635a65e612

SHA1
e87cbf7f6f6e45e831e62c9d3b13f643434f3856

SHA256
310b024fa68aa19ece8f741bbe1b6408eae6dba6ba2e379e1c90f217c67cda02

SHA512
3fadb1aea56a45823255604af162f5be7f8f7e84bc70d96f5c2ec4b96f04e36ebacc33842329b4071c1eddec9ad9e60c87a60d8deb0f4bd318011994da91e00c

Download Submit
C:\Windows\SysWOW64\Hahoodqi.exe

Filesize
92KB

MD5
6e3142edd92e6b34500f313718f0d6b0

SHA1
8d3eeee544ea59f07ccc4ee51d0dcc7cc8a340ce

SHA256
0d1ba82912aa0873bc1f2e42f179813b869b6a214bf9eddc24077330ed37d047

SHA512
a5a569843a1ed7456d0550aab456e0838115775656bcf9762c6dd0ee02439b28ef8f3f8a3c8b09ecab424dd6580253eec69b4188b3679d1a2f9b9df52e811b44

Download Submit
C:\Windows\SysWOW64\Hemeod32.exe

Filesize
92KB

MD5
cd96ed35308f3332e1c93d1df9cd13b1

SHA1
96b329fec7936539e9ec5a8c36cb2a0de6fd22b7

SHA256
3bba3bd5a12eff4ec3d6e01b2c3441077a063f9f3b5e4ae27ccc986941b49419

SHA512
efa83145cbb8da214b50136859405deae95e975b6ebbc8efff45ca31b8637ae1f1cce4066fce56215d47dbbffc48a34abf4350a996da0e9d300236821399e75c

Download Submit
C:\Windows\SysWOW64\Heoadcmh.exe

Filesize
92KB

MD5
955be4373a4b45f5299ddd0207dd7608

SHA1
3be31521b3e3e6a615f610b83b4115ed04227a50

SHA256
fe08bea4a6a7e265a9244d6f824b978b7e2553264e41ddbb34852491c5ce94a9

SHA512
1cdf140e111fd37b066a675de81a36573605e92d125eddfd1d6bf64b6a7bec7388fc9b954bde2f9e6006c1e027934fa0d76403a2ae1b87408fc26eb27e304a32

Download Submit
C:\Windows\SysWOW64\Hghhngjb.exe

Filesize
92KB

MD5
d7925dcd9a06cbc3e3572d6a8560aa7a

SHA1
8ee93802784144fb8123ecf66d5c58d37f7aac5c

SHA256
d928b6d997763f1a7c95fe696d2ff4128c78609ffa95891b1ddb0321fc26a8c7

SHA512
36eda23565d5a07331b091895bd04d75907656b3cf2ec0e846ae4a2e90c54e235acc1c5e80521f8a601d86c385b7dc8e260ad1cedaf25952f208dfca8ddc8116

Download Submit
C:\Windows\SysWOW64\Hlijan32.exe

Filesize
92KB

MD5
ccb2ca88ffab38f3d4de993f18afec45

SHA1
d4dd7705e0f3d20019691b39da85b7d1cd657313

SHA256
36bb8bd79455217d3639382a5914b114d8aa55b9b9799a2df3b1e6b35f6cc32b

SHA512
ad13554fbc672958f7a1bfee0c4f937594f1124e6184fc64ca97d041a8e9a817ff881affe21cdf69b34113f1926f0c06c225378ad8e7cc75b3c9c6f22fe56cf9

Download Submit
C:\Windows\SysWOW64\Hpbilmop.exe

Filesize
92KB

MD5
3848bdcc3facaed63416db1010820045

SHA1
4ed039f7b0148e4b1bd4c4ae01de3558636901c1

SHA256
af19e2d90b29ab336212405d51eb4d1ba9c089b96068b5541e0c9ea9da1b36a4

SHA512
d8cce26b36c96e868469adeed5d9b016760bc09540b51ae2bf9d24e08cf6c54751aa4c6d75df49eb0a0469559332916c291c40b346dffb325d2c4e625f3dac46

Download Submit
C:\Windows\SysWOW64\Hpnpam32.exe

Filesize
92KB

MD5
a871d5aa6e0480d4b531ebb722a325c1

SHA1
0531f547a3a4366ee845bf5507a4b2e6bc4854f5

SHA256
c486b836144d9992694460eb7dbe375e615cb2a89b2a6475f6750686e43464ca

SHA512
a2a1375b005261481a63ab3126cde68b7f4b4109b9170490aba4163d00f807938b47909c724509df04813fe632b1d36fa2449eabc78e53745733db6aed51c3d1

Download Submit
C:\Windows\SysWOW64\Idnako32.exe

Filesize
92KB

MD5
05ee0572f6e7298612c5eece714ba117

SHA1
de4b6a59869ff54bf85d343e4689377045c4569c

SHA256
e51f655574a63a6c2bf56ffeedce1028487e8bfb67d491def22081a96dc21ba6

SHA512
842a1d7e196f9302b49635f7d86205a62e2b428304cf873ae486de1a53cafe53f3ffa07a09560bee484b9eee385dd16ede477cbe9658bbc03fc13fea8566361a

Download Submit
C:\Windows\SysWOW64\Ijhmnf32.exe

Filesize
92KB

MD5
1693dff55a3bc60677b003a063c596b4

SHA1
507e270e96b06208c865d0bb72f995b7c5cbbc24

SHA256
0f1c3bd8a0bec73faa6dfa0d56ddb641b73b32cec79bb6987ebcc9a40f14ff80

SHA512
127b440441ab2955e399340fff203b7dd73e54c01f9e60b0f5e9d13b19f4d3015e9e00d020271ffed3a0c76deb8212b50028b4e942b1387b502045b2c83d9d0e

Download Submit
C:\Windows\SysWOW64\Ikcpmieg.exe

Filesize
92KB

MD5
85a2cb9a5edc72575fb1a53a8f9a0d04

SHA1
0e9fb730a60a0920fda3a16c89d1c41e38ec5f96

SHA256
96bcbdb7fd3677e5af95e129a00baf60b275212328f7de1abf8a8967210938f9

SHA512
da4630e125e866e6ff3a736cf23a9d0815d115806017fb58c7420faeb5c799a0975fa8fe41e392f1e28ef41d09e04aa5aa1c6128e756bb151def78db43f7e438

Download Submit
C:\Windows\SysWOW64\Iogbllfc.exe

Filesize
92KB

MD5
2b63555d0c4e3324f72126b6d5a7e067

SHA1
2cd1dbe83df170480b0c33065c4b7ba7f13f1d91

SHA256
15cf21b7afc3cea34b35f4df82541e7b40a49d68b6d100d8818fc62d761e7303

SHA512
3598d65449c99c42179c7bc48d1983098ba1cf01e26934ac864656ea183c78c5ed1f4171ffbf483fc0cc28e63fc69396982a5212d96486571288b289564c40f9

Download Submit
C:\Windows\SysWOW64\Jadnoc32.exe

Filesize
92KB

MD5
5d0bf87400769f85d87224457a176c02

SHA1
b117148d7b280c108cb1c998cbb4a84653f64214

SHA256
625869a2e3842174973a043acc3828276ec2d0071007c7cf7940c44254d6a0ac

SHA512
fb8a41a28f22a28252bef0a4b33b041e7a2f774e85625f8818161a100c0a68dc872a9304ccfc1e4232d1e00eb324e77a00214b1bb4765a6f4ab6a18258d3e808

Download Submit
C:\Windows\SysWOW64\Jbhkngcd.exe

Filesize
92KB

MD5
96f94aa931b061f83ea5f0df37a83c30

SHA1
55b322c114f2894195e505c3793a8c8af7a63e0c

SHA256
0b4672431c399934bf3659a41596e7767a93a5137b8b2d5f13736528c4780305

SHA512
7dea648e61ec7355ba17aaf8463085e4f01737a66c96d1e5c508138549095f4cbc2193c017d5d0e5f516e496723410b08dfc784b13688bfd6d5e5380160963e0

Download Submit
C:\Windows\SysWOW64\Jbmdig32.exe

Filesize
92KB

MD5
6a0a174867fbed74211a79dd6f5153a7

SHA1
2ea954e92e421378f9d612ceb6095d84ad9ded81

SHA256
5cb4ab747e56a1e8233df707d8dcd217337a642d4872060558c02c7cf2f80d8e

SHA512
33ef3cd8ab954eae6026619940c3d515b6559c271a6fc6fdc887bec0d5815874d59cfac30111f4e765e8383021df25bdb3ae14a734c88bd8e74117c70f8bbbb6

Download Submit
C:\Windows\SysWOW64\Jchhhjjg.exe

Filesize
92KB

MD5
70383ac94904e3993cc76069e7d154ca

SHA1
9a8c885ec37261a43526124b10ae5f9e3912afa4

SHA256
309d1debb7283139cb9215115e2a5a2260ec04391490e6cb95e60a26b8a26eb9

SHA512
64571bc748907544ca16829b19a42bc4bf5833fc9e6888ba79a74cb27a367fafa8109027315f998934eb646fe61761cabd1b699a0f9266e1d650cb1ada0c9d18

Download Submit
C:\Windows\SysWOW64\Jgljfmkd.exe

Filesize
92KB

MD5
10a732d76df5bcd34f76958c2ceb0402

SHA1
9d6d45be2d7f8ba74c130f962be01af2be212cdd

SHA256
b8f08e235e86ca027ae660279457626fa356ce949fb2a93f2b51b095a6b5b3d9

SHA512
bbea98b2112200447038d54385b97bc74dd401e50d7bf3cd3c71394d29828c44003b3b95f101444b9f608f248cddf13b9bd3be761f282bf86581a4ca5bdec4a1

Download Submit
C:\Windows\SysWOW64\Jkeialfp.exe

Filesize
92KB

MD5
b5e118e670e0433e79a907635e29723d

SHA1
764461f866867a5bcb00d017492e9e0c355826cc

SHA256
0cbd5516db5c8547974c0ccd02adc13a40974987ecbbe6e5413c7890fb20b7b8

SHA512
ed943e2d6d3e651b718f299ed600cd90ce4e06d3d9a937a83f31df83675cf2904e679a56d7ef25b74a21e59259e895fa707fdfbfc92b211eb7b1818dbc076ef8

Download Submit
C:\Windows\SysWOW64\Kakdpb32.exe

Filesize
92KB

MD5
52fca3c00f4ae0e31aed423be1e8052c

SHA1
4bce1ff3b09a1a8bd00e57816071b1d61b9a4f45

SHA256
d441a12936b61bf8312a52b2300480c8420e75bfbbb75778b7e59bc26b3228a6

SHA512
2144bdec4e26da109f8f3f4468fe8128bce6f177bc68ff66192a5719d4f8d7363efedf0ea3c0a0ac847acf4926a0c24a1f90dff2f2a83e9ea7ea49b36f4439df

Download Submit
C:\Windows\SysWOW64\Kbmahjbk.exe

Filesize
92KB

MD5
dbe8dc0ec1d110fcf8dc9c274001cd6a

SHA1
0e81893b88c6f12511b8b33fbfb7b923f6f6827b

SHA256
35cef96a4139ba238d16da9ba7a4135527cbbc312a4fa71b484edb5da9afdf64

SHA512
9e4f1e8ecacc121256892f421c4dc8d28af35c61313f72500560fdab62f29a66bf2f6c636e752ee422a20d8d88cbee1017aa7b51609d0ed28bf5f3c18320ab61

Download Submit
C:\Windows\SysWOW64\Kebgea32.exe

Filesize
92KB

MD5
cd7eee258c06192054d3839d280ef668

SHA1
674bbb7158981435e50023adb4332ef57b8ce077

SHA256
577d5a8ac5c9af34acb2a728d589d33cbedaa6e30bb3d73ad7963dd10eb03521

SHA512
150d084e4317ec2c73658e5e3bf8f562d48f441fba016195d0f47beaf20a64a0ffd8c1ec4ab25253f45c35f19eaafc6df3898ab38072d15c6744218749245147

Download Submit
C:\Windows\SysWOW64\Kleeqp32.exe

Filesize
92KB

MD5
2b1761534c71be1dedaacf34bb7770d1

SHA1
25ee9cee66cafff8ef9097e1dc65458e6ca5c66f

SHA256
037c96e83a56aa8efee98f39c67f7782f87a20a9b7d7b67d1c90722022721c5a

SHA512
b2252d20f13903dfa72cc2f72241b32415d95c25fe876c22a3962cb21a3c4c56751033cc29f1d7a113623f6f56161fc19478474c204d627c7c9d93fd31facfbf

Download Submit
C:\Windows\SysWOW64\Knkkngol.exe

Filesize
92KB

MD5
d0a08ca7809aba0bc8d5f220f2aa24b1

SHA1
210513048932fabee587188df3217f979715c08a

SHA256
102e7c342db4043d92d1e31c46d95cac45684c58dcb0f450b5b867b7a077bcfb

SHA512
5d4188efac37dd2a436fad80896ce939614025b21a1a0d45bea4452cbb69e6a44c1e1f6b4e884c080369044feea70d1e5b467b4031373ca46d3182f6493c0823

Download Submit
C:\Windows\SysWOW64\Kpcngnob.exe

Filesize
92KB

MD5
6e871caaddd496968e465d23aecb4ce7

SHA1
cadb135ad0c3c9ebfcae70f201782558a18b26b3

SHA256
12b5d75513fbe58aee1dd5df81b35a19d32ebb4187df3fce9a46fb21891e6a7d

SHA512
b7a695475d2542303adb430b03c9d5e9abce189d568e08641730c84fa24a7ae33ff26056a304042516d24be2f89fad5142483add372d437d47b849330464f3bd

Download Submit
C:\Windows\SysWOW64\Ldljqpli.exe

Filesize
92KB

MD5
0b304b61e027d8ff1a6292b522ba6ae9

SHA1
30b0c10783f7a1fe1a8a23482a08ce8943af968b

SHA256
fb1f43bd7b972efdf87bf8279f708ac42263d70ad16a544636e806ef7acab05d

SHA512
044d60745797b00d4937dffa78af2e3b6de6f76ca981d5818359c97944727ca7e318dd57c798cc63efd3a00b2927e536b02a3d0b9ff283a2021653db024ecb8b

Download Submit
C:\Windows\SysWOW64\Lelnjj32.dll

Filesize
7KB

MD5
b32d7775e75bd2314e3d45d89af9deb9

SHA1
296606792954a5b782e55f495cefeaa0afa6699f

SHA256
258732b872d743bbed25e91f48c31b651da1df7bc453652527f1a4c78a170628

SHA512
bdbc804987d7520b4adbee98a991d2f9b326257d725e045ffb01399e434ed30f69eacf758ca591de3274d4371ce17924b4949b762ad297f061d86423a6715ba6

Download Submit
C:\Windows\SysWOW64\Lheilofe.exe

Filesize
92KB

MD5
f6c7e30ddb46e67d6225daec3eef95ab

SHA1
467c2246854c9a7c5536e8ea5c7063e35f050310

SHA256
a2a19ffeef426de136e5e444e7ac0ef1389d3d1dc915a92c52c3085a3774b5b3

SHA512
0e2d13d9347dde062fef2942a3ec6deed24de5d0404d1a98020081cc6911089b92cb35a7f7474c785b87d20ec0704bd6223f08511886089c7515d2c9bf4c8eec

Download Submit
C:\Windows\SysWOW64\Llnhgn32.exe

Filesize
92KB

MD5
092841b5a5c7362a14278bfcb92e4fd5

SHA1
dde492a5e4ae8dd8a231774bb2f3be89677b8c5f

SHA256
d3db11244b7cd6f67c564811fdf4b37ca4393a8a8538a2798e0b8cb49d260ea6

SHA512
dc090e695a4007682d8b5e9281ad5b8d8a6eca711cfa343215649d0fb809e69936e4d44a4a2e473650568a976e43dc1517edb4b47516197abf8c36130a047fab

Download Submit
C:\Windows\SysWOW64\Looahi32.exe

Filesize
92KB

MD5
5e83ed554780598c747f9498d5af77ef

SHA1
bd8f6e1221f9f3d9faf014f145e5df3ed59e9e54

SHA256
eb4efeb92c257226972df3fcdea443a13a537be8bab6fffc6ff9ece908e16f3c

SHA512
1ad4b1cd90897d3b293f5c4f324dc738f737fb4ff7659852ce5b04afac8e501988e1965dc1324d35065f4d7d5089c516e6c2e7e66b21e60ce239b57636f79e7f

Download Submit
C:\Windows\SysWOW64\Mapjjdjb.exe

Filesize
92KB

MD5
608c978b6c72a22f9aa4d77fad47e493

SHA1
0e4e1355672f8b36ad0c94767b9de87a2eaa0c33

SHA256
6d956e63df74a4869c9b8f3f1c6166755db2d42958f70ca6488accb323d5b911

SHA512
95e05b2e35058c5db0547c57a38a60189ad2c61473f706518292562ce2c944a4ac059fde4e8a702747537fe241bdaacc044cd25e547cdeaea8ae1b24b1e807a5

Download Submit
C:\Windows\SysWOW64\Mcafbm32.exe

Filesize
92KB

MD5
ddfdc0149196fc6dd3da77d2e29776e7

SHA1
be062ea7d7d75982b47ab19e7e4b0d3a459a1969

SHA256
664264f77c06f30b35983f4f930534063fbf8e0e097cfb2862e3fc18ad4f809e

SHA512
5e52545e5d7212c4f3f6d4fbb68d94c6d45cce6e24ca9acf4d9d1843911fa6d1db0e39c7811f8a009ca256f232d274657dbded4f4c5517ebd1213da33279306c

Download Submit
C:\Windows\SysWOW64\Mllhpb32.exe

Filesize
92KB

MD5
2d5df2663dbcec595d48f171a95159e3

SHA1
bca2084d242fed63c152efbac3afe6f380b1b459

SHA256
3e8459e9a73f1ae9af098353780b463126bd54f456309c55ff534e52472fd9d7

SHA512
3194215a0badd0f0319d5600a55448878f6eadb3e02da9009d8a7c7ca6fd7691378469f11c620779ef3f331c00a2e26cf4eceb19d9022c8e7cfb48c27dac12d1

Download Submit
C:\Windows\SysWOW64\Mpegka32.exe

Filesize
92KB

MD5
bb6c10f15995d0ef38b5e95797b1a498

SHA1
bc2a0de50f9c33be07e50ee1e6405515fb8b4603

SHA256
f2addee4730a35ab6629e9516e53d6049d6e4f81a41a3dd6e9f905e05d5c7627

SHA512
f3c4f4ed7522d1c0ff84ee9a990d23e50892ed9e2e12b04c7314c29dcc75b47960dbd06889ec85c55fb5dd6ca76a671e1b83e6e62199efde2d228ff593b8ef56

Download Submit
\Windows\SysWOW64\Dfjcncak.exe

Filesize
92KB

MD5
bb7da3d9c9a5b49400174260d8b13090

SHA1
f29e314c63eaaf5ff1c76de5a85d2ff837d98480

SHA256
5a768f2c41d9dd547a1a6ec7f50525abed099d175e8a73d91c8230613f220046

SHA512
2dfd4c226540304ade010775c6cc931bc6bfe7a41f8f71eb9b0fc0240440030fc171ffac0b5c6c50fdcbb97dd40d90040bfa6eca2429396b9e2d851adf97ec67

Download Submit
\Windows\SysWOW64\Dflpdb32.exe

Filesize
92KB

MD5
f247fe73d7b4041577035656b0067b11

SHA1
bc5a1b18660df5a158dd16afe0e092c335758ad5

SHA256
33eb038aab67bbdc25eb665494d5d78de39517f1ca95e5c4dcd05769bb09141d

SHA512
0070318a2b20051b6661b9f3a15009b2e7824eb20b9a27a494a6231a67e226bfc9c98b59af2f119a2c462db505b3e3fc8c1df967e9f2fb5691c128304dc02041

Download Submit
\Windows\SysWOW64\Dpedmhfi.exe

Filesize
92KB

MD5
6402d6ed419ccbbd6a8eb97e7abb2d22

SHA1
a9b61db931580647c1c06ef0faa3e01b9580c1f3

SHA256
f9f854578872132243fdd27ba07f88b0c2d6b08627c3d7718675586cd50098bb

SHA512
5656ee748d25142ed990a59331cf29efc8b8f0fceb3fb5de133489acd9256c2b6aee9c27ed3ac27054ddbebe56f9a00dbbe3af36293693e9c0fb18eb01d49c07

Download Submit
\Windows\SysWOW64\Ehgoaiml.exe

Filesize
92KB

MD5
2963975b8bdbe44c20755db9237c69be

SHA1
77b22095a80ee59fd24183625fad545c83534d6a

SHA256
82b172132d98d6b24ded51dc26e2698cb44986ca6d492b441f2540db3f3d42f2

SHA512
1fd2fd629b593f83e994b073041724f380c121aa3fa08156709b40022b34c8d047396ae4185619c24396322163ae2abe191caf4d237f2bc4301ae73954583a77

Download Submit
\Windows\SysWOW64\Elpnmhgh.exe

Filesize
92KB

MD5
4c494d985aeea91196429562297b2d76

SHA1
45d82e8a5ff2cbfb6bf29d85ea92ce75a2d62ee8

SHA256
f69cc6f9ccf9e2701c6a6744b81b426b43dd6cf4830fb1758ecaf6e6ea1d2aa1

SHA512
414734eb7a15262c895b6da8fb2ca1750a19970745d652398e0a5e506914402c84f8a48d24cc54e0526965aeddbf0e69470a765982cfba0677efc0258f7512f7

Download Submit
\Windows\SysWOW64\Emdgjpkd.exe

Filesize
92KB

MD5
d5c925e2104956a2d276420f9108516c

SHA1
0d042890b7b29f53d42e1d892e05cc6c048d20e3

SHA256
d2d01702a0722c5544b826fb8bb0102628b0b3a86cbfa70d1aaedf52364e215b

SHA512
e0bb4797361749754925451c993b6c477c332bd3ceb6a94ee4f362ccbe1cf3e98652046cd8807450e1531dc0a8c275cbcf10a8ff391072a6fa690710f3f2ded4

Download Submit
\Windows\SysWOW64\Enjand32.exe

Filesize
92KB

MD5
86a0c76d4c06c1a82435e11c6e6de115

SHA1
5857d420d83785139ee53610d2f7d71c5a8c561b

SHA256
615c650ba2641f9ea2ad48a59bbe794a38890e7ebd2b03cf33ffae300bd42ffc

SHA512
196f2232b4447b8dfb1aca4074e5f955e1e24bbbe72b2c60dc89cb25fd5d6e41064aee648f34e8c03d0ae2b98ea1c497024dd52d196f21c77c02422bf6f80d9c

Download Submit
\Windows\SysWOW64\Epinhg32.exe

Filesize
92KB

MD5
f94632e3c85094b291d3c9050f94e1fc

SHA1
06ac11367ed5929e818d366fb7babbb40bfe308c

SHA256
6b1037540bbf5c87370737aaa62e2d5745a2ebbce04f44c33c9b5453b9b5f0e8

SHA512
2d4e81112c6ede5fd541b80de3e82763bb36839de8cbdb00532b952de4109732479e7435e64fae2e97be5050ddffaf607e6afa58cbf64b9336515e0fb916b379

Download Submit
\Windows\SysWOW64\Fabppo32.exe

Filesize
92KB

MD5
0f85603cfeb547faf34bb98e9b5afadb

SHA1
abfbabc0d31e9d803c15f82f1609a79061949d32

SHA256
6aee0b9a6f5e676d9716839f52de3d216e2069992a31eb606b2ef8b1b542ea78

SHA512
6415940212ed71e548a249c402bfe13a635c36a0d5b6a2548e6aa9fcbdc520fb28d688a485e2c6a7f45f446a3b90eb5c8c27e4716049fa748d42298f2cbc929e

Download Submit
\Windows\SysWOW64\Fehodaqd.exe

Filesize
92KB

MD5
378597d4550ad5d22ecd579192367335

SHA1
6542b7337f3cbaa12c0d698efbe4d6591eb4adb2

SHA256
f990e122dd1d756a517018ec3efb8635041b5bdf1a36dd0ee3825821763bab48

SHA512
2e4e8843f180a62735be480134d584f08645621ff3394f99ee007f7ae214059badb5bda90c9b6a95c16d332377b1f4364f510df722d9b9e6bb1d3d083ceb858c

Download Submit
\Windows\SysWOW64\Ffaeneno.exe

Filesize
92KB

MD5
2d6d2cd4a971a3b156d3212318f66e39

SHA1
66a35e4b694b9dbd3b7ff7cb2c67acb623803124

SHA256
9d4baee7e871bc5e9c5fefa7d0d1d229b10169e2f018a913c459c2b141565999

SHA512
118ceba0195ca49d7b05a3991fab0650c97e066b383b4c117af67fdd94103c47ff7b1db7c0e06eee4e6d9d598dcadd9aa0679a8af1c9ec7a6c81ef2797baa438

Download Submit
\Windows\SysWOW64\Fimedaoe.exe

Filesize
92KB

MD5
c4bd94bec395bc706fc81d24a912a08a

SHA1
7d1317e95f20f807c2e2cf77cb0f3820ce022c34

SHA256
12617bef9278d56af713cb916b02b5a5c52db78c35927dffe9e08490e7cfbb11

SHA512
11c58aa1e9c937537de800679822a76e9fca3d59861f6513c885b923dd884329d1e7217d5d7b5304d2fdf1fa0c93b2d04b2903b623ea4a2ec6c29e9e0bcee285

Download Submit
\Windows\SysWOW64\Gbolce32.exe

Filesize
92KB

MD5
d02996f8878ff5bf93b7d549818c586f

SHA1
8f1a7f6128fa3fc43cd431c8937780480e35cafd

SHA256
4571fa56d3024b4d97dbae2d332e4af9d72505c166ce8d0fc819a3452f59d416

SHA512
824f1715f345df788b953975f13282063c50a55bb4a69c0b5881355d8c0f5d01a6ba08bae8d25d6e0123fb0d9994163699a90fd277383e9ebd336685798723c5

Download Submit
\Windows\SysWOW64\Gdbeqmag.exe

Filesize
92KB

MD5
f7cf3eda3a5c5eb39fba83261c644e78

SHA1
b784dfe5a72f3493deecb2598247a99cc47bd817

SHA256
83b6b5d6a70b4820c6998dd61809b89600088cef1e21b45cc71b964e68cf43c6

SHA512
58e204815a5f922b2f1836b79c10236387af28c54914a9056688bfd56de6077bafe5ffabaf69e023f033091311ee89e62bc94840d16dae13e35820cf3ad0895e

Download Submit
\Windows\SysWOW64\Gifhkpgk.exe

Filesize
92KB

MD5
59b35dd4d6fd837643c02b5a432c124b

SHA1
06d1fe35fd67563d56021c67b2b6a4ad63219c12

SHA256
b443c90320a42f4f8ea43ab34b4d7f1fc87e2fc8da2e4dc78ffa7ed5ef4f5d52

SHA512
25a54d646a258407726e4452cc91b83087c59f5251d7dcd9efe1a4715e86b96f78d6dd89fec65616f35245106e61b8ec33ece133bab9856ee1e7aa7f274b8c61

Download Submit
memory/856-267-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/856-266-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/856-253-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1204-292-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1204-296-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1204-290-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1376-474-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1376-475-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1376-476-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1560-436-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1560-442-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1592-328-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1592-332-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1592-321-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1620-322-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/1620-320-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/1620-311-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1632-419-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1632-413-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1656-164-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1656-171-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1664-456-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1664-86-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1732-228-0x00000000002B0000-0x00000000002EF000-memory.dmp

Filesize
252KB

Download
memory/1732-222-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1792-307-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1792-303-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1792-297-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1804-242-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1804-252-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/1804-251-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/1956-212-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1980-429-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1980-435-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1980-425-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1984-147-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2092-145-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/2092-142-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2092-144-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/2116-402-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2116-412-0x0000000000300000-0x000000000033F000-memory.dmp

Filesize
252KB

Download
memory/2224-240-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2224-241-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2248-186-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2252-462-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2252-468-0x0000000000230000-0x000000000026F000-memory.dmp

Filesize
252KB

Download
memory/2252-470-0x0000000000230000-0x000000000026F000-memory.dmp

Filesize
252KB

Download
memory/2288-46-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2288-411-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2288-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2304-367-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2304-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2304-11-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2304-12-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2304-366-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2416-479-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2416-487-0x0000000000300000-0x000000000033F000-memory.dmp

Filesize
252KB

Download
memory/2468-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2468-273-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2468-274-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2516-198-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2516-206-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/2540-347-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2540-353-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2540-354-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2588-117-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2588-125-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2592-591-0x0000000077170000-0x000000007726A000-memory.dmp

Filesize
1000KB

Download
memory/2592-310-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/2592-590-0x0000000077050000-0x000000007716F000-memory.dmp

Filesize
1.1MB

Download
memory/2592-308-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2592-309-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/2628-288-0x00000000002F0000-0x000000000032F000-memory.dmp

Filesize
252KB

Download
memory/2628-284-0x00000000002F0000-0x000000000032F000-memory.dmp

Filesize
252KB

Download
memory/2628-279-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2644-379-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2676-72-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/2676-441-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2712-378-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2724-477-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2724-103-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/2744-391-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2808-361-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2808-365-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2808-360-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2860-377-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2860-368-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2920-430-0x00000000003C0000-0x00000000003FF000-memory.dmp

Filesize
252KB

Download
memory/2920-60-0x00000000003C0000-0x00000000003FF000-memory.dmp

Filesize
252KB

Download
memory/2920-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3008-461-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/3008-463-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/3008-447-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3016-333-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3016-342-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/3016-343-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/3020-26-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3020-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download