berbew | 47f7b46c2d00d631632c8f0df20d9603fed744465f4accb4a310f65ac0762112

Analysis

max time kernel
15s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
02-11-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47f7b46c2d00d631632c8f0df20d9603fed744465f4accb4a310f65ac0762112.exe
Size

378KB
MD5

bb16fbc9b6cd48209fa867d6a348ec33
SHA1

0e8aaa86ab4dd4aedf0883ef4a6f7b4a51218d4f
SHA256

47f7b46c2d00d631632c8f0df20d9603fed744465f4accb4a310f65ac0762112
SHA512

635647b2a73e7365c33fab24f7740d3206e573109f89b97a68315424b87b21dc9733c4006788567a640a1e7416ae22907aaa76bb92d4b216fd06f671e37af29b
SSDEEP

6144:9oi2WIIrYtBEdeYr75lHzpaF2e6UK+42GTQMJSZO5f7M0rx7/hP66qve6UK+42Gp:ii2WIR8deYr75lTefkY660fIaDZkY66E

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Kceganoe.exeKcgdgnmc.exeLlnhgn32.exeLooahi32.exeMapjjdjb.exeKnhoig32.exeLkahbkgk.exeJkjbml32.exeKmdbkbpn.exeLbfdnijp.exeMdnffpif.exeLohkhjcj.exeLhgeao32.exeKakdpb32.exeKpqaanqd.exeKlgbfo32.exeKofnbk32.exeJboanfmm.exeJkgfgl32.exeLepfoe32.exeMikooghn.exeJgjman32.exeKjdiigbm.exeKbonmjph.exeJoaebkni.exeKbmahjbk.exeLkolmk32.exeJnfbcg32.exeKmbeecaq.exeLhnckp32.exeLedpjdid.exeMlikkbga.exeKmnljc32.exeMinldf32.exeKjalch32.exeLhqpqp32.exeLiibigjq.exe47f7b46c2d00d631632c8f0df20d9603fed744465f4accb4a310f65ac0762112.exeJepjpajn.exeKjopnh32.exeLebcdd32.exeJiiikq32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kceganoe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcgdgnmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llnhgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Looahi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mapjjdjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Knhoig32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkahbkgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkahbkgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jkjbml32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmdbkbpn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbfdnijp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdnffpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lohkhjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhgeao32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kakdpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpqaanqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpqaanqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klgbfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kofnbk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jboanfmm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkgfgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lepfoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mikooghn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lepfoe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhgeao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jgjman32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knhoig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kcgdgnmc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjdiigbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbonmjph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Joaebkni.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbmahjbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgbfo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lohkhjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkolmk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnfbcg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmbeecaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ledpjdid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlikkbga.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnljc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbfdnijp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llnhgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Minldf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlikkbga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjalch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmdbkbpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhqpqp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ledpjdid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liibigjq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdnffpif.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	47f7b46c2d00d631632c8f0df20d9603fed744465f4accb4a310f65ac0762112.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jepjpajn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkjbml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kakdpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbonmjph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjopnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lebcdd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Looahi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgjman32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jboanfmm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiiikq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jiiikq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jnfbcg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 45 IoCs

Processes:

Jgjman32.exeJoaebkni.exeJboanfmm.exeJiiikq32.exeJkgfgl32.exeJnfbcg32.exeJepjpajn.exeJkjbml32.exeKnhoig32.exeKceganoe.exeKjopnh32.exeKmnljc32.exeKcgdgnmc.exeKjalch32.exeKakdpb32.exeKbmahjbk.exeKjdiigbm.exeKmbeecaq.exeKpqaanqd.exeKbonmjph.exeKmdbkbpn.exeKlgbfo32.exeKofnbk32.exeLepfoe32.exeLhnckp32.exeLohkhjcj.exeLebcdd32.exeLhqpqp32.exeLkolmk32.exeLbfdnijp.exeLedpjdid.exeLlnhgn32.exeLkahbkgk.exeLakqoe32.exeLooahi32.exeLhgeao32.exeLiibigjq.exeMapjjdjb.exeMdnffpif.exeMkhocj32.exeMikooghn.exeMlikkbga.exeMgoohk32.exeMinldf32.exeMllhpb32.exe

pid	process
788	Jgjman32.exe
2696	Joaebkni.exe
2864	Jboanfmm.exe
2828	Jiiikq32.exe
2724	Jkgfgl32.exe
2620	Jnfbcg32.exe
2428	Jepjpajn.exe
1032	Jkjbml32.exe
1228	Knhoig32.exe
2040	Kceganoe.exe
2296	Kjopnh32.exe
2932	Kmnljc32.exe
2060	Kcgdgnmc.exe
1136	Kjalch32.exe
2976	Kakdpb32.exe
2468	Kbmahjbk.exe
2768	Kjdiigbm.exe
1880	Kmbeecaq.exe
2996	Kpqaanqd.exe
1480	Kbonmjph.exe
1844	Kmdbkbpn.exe
1872	Klgbfo32.exe
276	Kofnbk32.exe
2092	Lepfoe32.exe
2400	Lhnckp32.exe
2088	Lohkhjcj.exe
2652	Lebcdd32.exe
2896	Lhqpqp32.exe
2132	Lkolmk32.exe
1740	Lbfdnijp.exe
1824	Ledpjdid.exe
2056	Llnhgn32.exe
1124	Lkahbkgk.exe
936	Lakqoe32.exe
2484	Looahi32.exe
1200	Lhgeao32.exe
1504	Liibigjq.exe
1220	Mapjjdjb.exe
2140	Mdnffpif.exe
2848	Mkhocj32.exe
2892	Mikooghn.exe
2460	Mlikkbga.exe
2408	Mgoohk32.exe
3028	Minldf32.exe
1244	Mllhpb32.exe

Loads dropped DLL 64 IoCs

Processes:

47f7b46c2d00d631632c8f0df20d9603fed744465f4accb4a310f65ac0762112.exeJgjman32.exeJoaebkni.exeJboanfmm.exeJiiikq32.exeJkgfgl32.exeJnfbcg32.exeJepjpajn.exeJkjbml32.exeKnhoig32.exeKceganoe.exeKjopnh32.exeKmnljc32.exeKcgdgnmc.exeKjalch32.exeKakdpb32.exeKbmahjbk.exeKjdiigbm.exeKmbeecaq.exeKpqaanqd.exeKbonmjph.exeKmdbkbpn.exeKlgbfo32.exeKofnbk32.exeLepfoe32.exeLhnckp32.exeLohkhjcj.exeLebcdd32.exeLhqpqp32.exeLkolmk32.exeLbfdnijp.exeLedpjdid.exe

pid	process
2524	47f7b46c2d00d631632c8f0df20d9603fed744465f4accb4a310f65ac0762112.exe
2524	47f7b46c2d00d631632c8f0df20d9603fed744465f4accb4a310f65ac0762112.exe
788	Jgjman32.exe
788	Jgjman32.exe
2696	Joaebkni.exe
2696	Joaebkni.exe
2864	Jboanfmm.exe
2864	Jboanfmm.exe
2828	Jiiikq32.exe
2828	Jiiikq32.exe
2724	Jkgfgl32.exe
2724	Jkgfgl32.exe
2620	Jnfbcg32.exe
2620	Jnfbcg32.exe
2428	Jepjpajn.exe
2428	Jepjpajn.exe
1032	Jkjbml32.exe
1032	Jkjbml32.exe
1228	Knhoig32.exe
1228	Knhoig32.exe
2040	Kceganoe.exe
2040	Kceganoe.exe
2296	Kjopnh32.exe
2296	Kjopnh32.exe
2932	Kmnljc32.exe
2932	Kmnljc32.exe
2060	Kcgdgnmc.exe
2060	Kcgdgnmc.exe
1136	Kjalch32.exe
1136	Kjalch32.exe
2976	Kakdpb32.exe
2976	Kakdpb32.exe
2468	Kbmahjbk.exe
2468	Kbmahjbk.exe
2768	Kjdiigbm.exe
2768	Kjdiigbm.exe
1880	Kmbeecaq.exe
1880	Kmbeecaq.exe
2996	Kpqaanqd.exe
2996	Kpqaanqd.exe
1480	Kbonmjph.exe
1480	Kbonmjph.exe
1844	Kmdbkbpn.exe
1844	Kmdbkbpn.exe
1872	Klgbfo32.exe
1872	Klgbfo32.exe
276	Kofnbk32.exe
276	Kofnbk32.exe
2092	Lepfoe32.exe
2092	Lepfoe32.exe
2400	Lhnckp32.exe
2400	Lhnckp32.exe
2088	Lohkhjcj.exe
2088	Lohkhjcj.exe
2652	Lebcdd32.exe
2652	Lebcdd32.exe
2896	Lhqpqp32.exe
2896	Lhqpqp32.exe
2132	Lkolmk32.exe
2132	Lkolmk32.exe
1740	Lbfdnijp.exe
1740	Lbfdnijp.exe
1824	Ledpjdid.exe
1824	Ledpjdid.exe

Drops file in System32 directory 64 IoCs

Processes:

Jiiikq32.exeKbonmjph.exeLkahbkgk.exeMdnffpif.exeKjalch32.exeKpqaanqd.exeKofnbk32.exeLooahi32.exeKnhoig32.exeLebcdd32.exeLkolmk32.exeLedpjdid.exeMkhocj32.exeJnfbcg32.exeKceganoe.exeMikooghn.exeJkgfgl32.exeKjopnh32.exeKmnljc32.exeKcgdgnmc.exeKlgbfo32.exeLepfoe32.exeMgoohk32.exe47f7b46c2d00d631632c8f0df20d9603fed744465f4accb4a310f65ac0762112.exeJboanfmm.exeKmbeecaq.exeJepjpajn.exeLohkhjcj.exeLlnhgn32.exeLiibigjq.exeJgjman32.exeJkjbml32.exeLhqpqp32.exeKbmahjbk.exeKjdiigbm.exeLhnckp32.exeLhgeao32.exeLakqoe32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Jkgfgl32.exe	Jiiikq32.exe
File created	C:\Windows\SysWOW64\Mpfogm32.dll	Kbonmjph.exe
File opened for modification	C:\Windows\SysWOW64\Lakqoe32.exe	Lkahbkgk.exe
File opened for modification	C:\Windows\SysWOW64\Mkhocj32.exe	Mdnffpif.exe
File created	C:\Windows\SysWOW64\Kakdpb32.exe	Kjalch32.exe
File created	C:\Windows\SysWOW64\Cedabe32.dll	Kpqaanqd.exe
File created	C:\Windows\SysWOW64\Dopnodpc.dll	Kofnbk32.exe
File opened for modification	C:\Windows\SysWOW64\Lhgeao32.exe	Looahi32.exe
File created	C:\Windows\SysWOW64\Lbkcpa32.dll	Knhoig32.exe
File created	C:\Windows\SysWOW64\Kbonmjph.exe	Kpqaanqd.exe
File created	C:\Windows\SysWOW64\Kdebqe32.dll	Lebcdd32.exe
File created	C:\Windows\SysWOW64\Lbfdnijp.exe	Lkolmk32.exe
File created	C:\Windows\SysWOW64\Pmeocnah.dll	Ledpjdid.exe
File created	C:\Windows\SysWOW64\Emhqjkjh.dll	Lkolmk32.exe
File opened for modification	C:\Windows\SysWOW64\Mikooghn.exe	Mkhocj32.exe
File created	C:\Windows\SysWOW64\Jepjpajn.exe	Jnfbcg32.exe
File opened for modification	C:\Windows\SysWOW64\Kjopnh32.exe	Kceganoe.exe
File opened for modification	C:\Windows\SysWOW64\Mlikkbga.exe	Mikooghn.exe
File created	C:\Windows\SysWOW64\Jnfbcg32.exe	Jkgfgl32.exe
File created	C:\Windows\SysWOW64\Ikcakg32.dll	Kjopnh32.exe
File created	C:\Windows\SysWOW64\Kcgdgnmc.exe	Kmnljc32.exe
File opened for modification	C:\Windows\SysWOW64\Kjalch32.exe	Kcgdgnmc.exe
File opened for modification	C:\Windows\SysWOW64\Kofnbk32.exe	Klgbfo32.exe
File created	C:\Windows\SysWOW64\Gdljncel.dll	Lepfoe32.exe
File created	C:\Windows\SysWOW64\Ebkbpapg.dll	Mdnffpif.exe
File created	C:\Windows\SysWOW64\Ahdocnod.dll	Mgoohk32.exe
File created	C:\Windows\SysWOW64\Hjegbfin.dll	47f7b46c2d00d631632c8f0df20d9603fed744465f4accb4a310f65ac0762112.exe
File created	C:\Windows\SysWOW64\Jiiikq32.exe	Jboanfmm.exe
File opened for modification	C:\Windows\SysWOW64\Kpqaanqd.exe	Kmbeecaq.exe
File created	C:\Windows\SysWOW64\Kofnbk32.exe	Klgbfo32.exe
File created	C:\Windows\SysWOW64\Lepfoe32.exe	Kofnbk32.exe
File created	C:\Windows\SysWOW64\Lhqpqp32.exe	Lebcdd32.exe
File created	C:\Windows\SysWOW64\Minldf32.exe	Mgoohk32.exe
File created	C:\Windows\SysWOW64\Ifdlmglb.dll	Jepjpajn.exe
File opened for modification	C:\Windows\SysWOW64\Kcgdgnmc.exe	Kmnljc32.exe
File created	C:\Windows\SysWOW64\Lhnckp32.exe	Lepfoe32.exe
File created	C:\Windows\SysWOW64\Jcgjno32.dll	Lohkhjcj.exe
File opened for modification	C:\Windows\SysWOW64\Lkahbkgk.exe	Llnhgn32.exe
File created	C:\Windows\SysWOW64\Hfcncl32.dll	Liibigjq.exe
File created	C:\Windows\SysWOW64\Mkhocj32.exe	Mdnffpif.exe
File created	C:\Windows\SysWOW64\Aljcblpk.dll	Jgjman32.exe
File opened for modification	C:\Windows\SysWOW64\Kmnljc32.exe	Kjopnh32.exe
File opened for modification	C:\Windows\SysWOW64\Lbfdnijp.exe	Lkolmk32.exe
File opened for modification	C:\Windows\SysWOW64\Minldf32.exe	Mgoohk32.exe
File opened for modification	C:\Windows\SysWOW64\Jgjman32.exe	47f7b46c2d00d631632c8f0df20d9603fed744465f4accb4a310f65ac0762112.exe
File created	C:\Windows\SysWOW64\Klkegf32.dll	Jkjbml32.exe
File opened for modification	C:\Windows\SysWOW64\Lkolmk32.exe	Lhqpqp32.exe
File opened for modification	C:\Windows\SysWOW64\Jnfbcg32.exe	Jkgfgl32.exe
File created	C:\Windows\SysWOW64\Dgeoapde.dll	Kceganoe.exe
File created	C:\Windows\SysWOW64\Kjdiigbm.exe	Kbmahjbk.exe
File created	C:\Windows\SysWOW64\Jkjbml32.exe	Jepjpajn.exe
File opened for modification	C:\Windows\SysWOW64\Kmbeecaq.exe	Kjdiigbm.exe
File created	C:\Windows\SysWOW64\Lohkhjcj.exe	Lhnckp32.exe
File created	C:\Windows\SysWOW64\Lebcdd32.exe	Lohkhjcj.exe
File created	C:\Windows\SysWOW64\Ijgkkd32.dll	Lhgeao32.exe
File created	C:\Windows\SysWOW64\Kkaick32.dll	Jiiikq32.exe
File created	C:\Windows\SysWOW64\Kpfenk32.dll	Jkgfgl32.exe
File created	C:\Windows\SysWOW64\Kmdbkbpn.exe	Kbonmjph.exe
File opened for modification	C:\Windows\SysWOW64\Lohkhjcj.exe	Lhnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Llnhgn32.exe	Ledpjdid.exe
File created	C:\Windows\SysWOW64\Looahi32.exe	Lakqoe32.exe
File created	C:\Windows\SysWOW64\Phfjkcad.dll	Lkahbkgk.exe
File created	C:\Windows\SysWOW64\Mapjjdjb.exe	Liibigjq.exe
File created	C:\Windows\SysWOW64\Mlikkbga.exe	Mikooghn.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

3000 1244 WerFault.exe

pid	pid_target	process
3000	1244	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Kmbeecaq.exeKmdbkbpn.exeLohkhjcj.exeLkahbkgk.exeLhgeao32.exeMikooghn.exeMgoohk32.exe47f7b46c2d00d631632c8f0df20d9603fed744465f4accb4a310f65ac0762112.exeKjopnh32.exeKcgdgnmc.exeLlnhgn32.exeMdnffpif.exeJkgfgl32.exeKmnljc32.exeKakdpb32.exeLepfoe32.exeKnhoig32.exeKjalch32.exeLedpjdid.exeMinldf32.exeJgjman32.exeJnfbcg32.exeKlgbfo32.exeKofnbk32.exeLiibigjq.exeMkhocj32.exeMlikkbga.exeMllhpb32.exeLakqoe32.exeJboanfmm.exeJiiikq32.exeKceganoe.exeKbmahjbk.exeKjdiigbm.exeKpqaanqd.exeLbfdnijp.exeMapjjdjb.exeJoaebkni.exeJkjbml32.exeKbonmjph.exeLhnckp32.exeLkolmk32.exeJepjpajn.exeLebcdd32.exeLhqpqp32.exeLooahi32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmbeecaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmdbkbpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lohkhjcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkahbkgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhgeao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mikooghn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgoohk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47f7b46c2d00d631632c8f0df20d9603fed744465f4accb4a310f65ac0762112.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjopnh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcgdgnmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llnhgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdnffpif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkgfgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmnljc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kakdpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepfoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knhoig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjalch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ledpjdid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Minldf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgjman32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnfbcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgbfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kofnbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liibigjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkhocj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlikkbga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mllhpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lakqoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jboanfmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jiiikq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kceganoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbmahjbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjdiigbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpqaanqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbfdnijp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mapjjdjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Joaebkni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkjbml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbonmjph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkolmk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jepjpajn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebcdd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhqpqp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Looahi32.exe

Modifies registry class 64 IoCs

Processes:

47f7b46c2d00d631632c8f0df20d9603fed744465f4accb4a310f65ac0762112.exeJkgfgl32.exeKmnljc32.exeLbfdnijp.exeMdnffpif.exeJboanfmm.exeKjopnh32.exeKakdpb32.exeKjdiigbm.exeLhqpqp32.exeMkhocj32.exeKbonmjph.exeLohkhjcj.exeKlgbfo32.exeKofnbk32.exeLhnckp32.exeLakqoe32.exeLooahi32.exeKcgdgnmc.exeKbmahjbk.exeKmbeecaq.exeLlnhgn32.exeLhgeao32.exeMikooghn.exeJkjbml32.exeKnhoig32.exeLiibigjq.exeKceganoe.exeKjalch32.exeLkolmk32.exeJgjman32.exeLkahbkgk.exeMgoohk32.exeKmdbkbpn.exeLedpjdid.exeJepjpajn.exeMinldf32.exeJiiikq32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	47f7b46c2d00d631632c8f0df20d9603fed744465f4accb4a310f65ac0762112.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jkgfgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhcohg32.dll"	Kmnljc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbdmij32.dll"	Lbfdnijp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdnffpif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jboanfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kjopnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhfpbaoe.dll"	Kakdpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imqkdcib.dll"	Kjdiigbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lhqpqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkhocj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbonmjph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbonmjph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgjno32.dll"	Lohkhjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phddjlme.dll"	Lhqpqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kjdiigbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komhoebi.dll"	Mkhocj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpejff32.dll"	Klgbfo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kofnbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfbcpo32.dll"	Lhnckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lakqoe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Looahi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmigep32.dll"	Kcgdgnmc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbmahjbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmbeecaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llnhgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lhgeao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mikooghn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	47f7b46c2d00d631632c8f0df20d9603fed744465f4accb4a310f65ac0762112.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjegbfin.dll"	47f7b46c2d00d631632c8f0df20d9603fed744465f4accb4a310f65ac0762112.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jkjbml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpfogm32.dll"	Kbonmjph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Knhoig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lebbii32.dll"	Kbmahjbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liibigjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpfenk32.dll"	Jkgfgl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kceganoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajnncp32.dll"	Kjalch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkolmk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmgcb32.dll"	Kmbeecaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klgbfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aljcblpk.dll"	Jgjman32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkahbkgk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdnffpif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgoohk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jgjman32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jgjman32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmghlppm.dll"	Kmdbkbpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmdbkbpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfcncl32.dll"	Liibigjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jkjbml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ledpjdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llnhgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godaagfg.dll"	Looahi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbmahjbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jkgfgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jepjpajn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkahbkgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Looahi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phfjkcad.dll"	Lkahbkgk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkhocj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Minldf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkaick32.dll"	Jiiikq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kakdpb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2524 wrote to memory of 788	2524	47f7b46c2d00d631632c8f0df20d9603fed744465f4accb4a310f65ac0762112.exe	Jgjman32.exe
PID 2524 wrote to memory of 788	2524	47f7b46c2d00d631632c8f0df20d9603fed744465f4accb4a310f65ac0762112.exe	Jgjman32.exe
PID 2524 wrote to memory of 788	2524	47f7b46c2d00d631632c8f0df20d9603fed744465f4accb4a310f65ac0762112.exe	Jgjman32.exe
PID 2524 wrote to memory of 788	2524	47f7b46c2d00d631632c8f0df20d9603fed744465f4accb4a310f65ac0762112.exe	Jgjman32.exe
PID 788 wrote to memory of 2696	788	Jgjman32.exe	Joaebkni.exe
PID 788 wrote to memory of 2696	788	Jgjman32.exe	Joaebkni.exe
PID 788 wrote to memory of 2696	788	Jgjman32.exe	Joaebkni.exe
PID 788 wrote to memory of 2696	788	Jgjman32.exe	Joaebkni.exe
PID 2696 wrote to memory of 2864	2696	Joaebkni.exe	Jboanfmm.exe
PID 2696 wrote to memory of 2864	2696	Joaebkni.exe	Jboanfmm.exe
PID 2696 wrote to memory of 2864	2696	Joaebkni.exe	Jboanfmm.exe
PID 2696 wrote to memory of 2864	2696	Joaebkni.exe	Jboanfmm.exe
PID 2864 wrote to memory of 2828	2864	Jboanfmm.exe	Jiiikq32.exe
PID 2864 wrote to memory of 2828	2864	Jboanfmm.exe	Jiiikq32.exe
PID 2864 wrote to memory of 2828	2864	Jboanfmm.exe	Jiiikq32.exe
PID 2864 wrote to memory of 2828	2864	Jboanfmm.exe	Jiiikq32.exe
PID 2828 wrote to memory of 2724	2828	Jiiikq32.exe	Jkgfgl32.exe
PID 2828 wrote to memory of 2724	2828	Jiiikq32.exe	Jkgfgl32.exe
PID 2828 wrote to memory of 2724	2828	Jiiikq32.exe	Jkgfgl32.exe
PID 2828 wrote to memory of 2724	2828	Jiiikq32.exe	Jkgfgl32.exe
PID 2724 wrote to memory of 2620	2724	Jkgfgl32.exe	Jnfbcg32.exe
PID 2724 wrote to memory of 2620	2724	Jkgfgl32.exe	Jnfbcg32.exe
PID 2724 wrote to memory of 2620	2724	Jkgfgl32.exe	Jnfbcg32.exe
PID 2724 wrote to memory of 2620	2724	Jkgfgl32.exe	Jnfbcg32.exe
PID 2620 wrote to memory of 2428	2620	Jnfbcg32.exe	Jepjpajn.exe
PID 2620 wrote to memory of 2428	2620	Jnfbcg32.exe	Jepjpajn.exe
PID 2620 wrote to memory of 2428	2620	Jnfbcg32.exe	Jepjpajn.exe
PID 2620 wrote to memory of 2428	2620	Jnfbcg32.exe	Jepjpajn.exe
PID 2428 wrote to memory of 1032	2428	Jepjpajn.exe	Jkjbml32.exe
PID 2428 wrote to memory of 1032	2428	Jepjpajn.exe	Jkjbml32.exe
PID 2428 wrote to memory of 1032	2428	Jepjpajn.exe	Jkjbml32.exe
PID 2428 wrote to memory of 1032	2428	Jepjpajn.exe	Jkjbml32.exe
PID 1032 wrote to memory of 1228	1032	Jkjbml32.exe	Knhoig32.exe
PID 1032 wrote to memory of 1228	1032	Jkjbml32.exe	Knhoig32.exe
PID 1032 wrote to memory of 1228	1032	Jkjbml32.exe	Knhoig32.exe
PID 1032 wrote to memory of 1228	1032	Jkjbml32.exe	Knhoig32.exe
PID 1228 wrote to memory of 2040	1228	Knhoig32.exe	Kceganoe.exe
PID 1228 wrote to memory of 2040	1228	Knhoig32.exe	Kceganoe.exe
PID 1228 wrote to memory of 2040	1228	Knhoig32.exe	Kceganoe.exe
PID 1228 wrote to memory of 2040	1228	Knhoig32.exe	Kceganoe.exe
PID 2040 wrote to memory of 2296	2040	Kceganoe.exe	Kjopnh32.exe
PID 2040 wrote to memory of 2296	2040	Kceganoe.exe	Kjopnh32.exe
PID 2040 wrote to memory of 2296	2040	Kceganoe.exe	Kjopnh32.exe
PID 2040 wrote to memory of 2296	2040	Kceganoe.exe	Kjopnh32.exe
PID 2296 wrote to memory of 2932	2296	Kjopnh32.exe	Kmnljc32.exe
PID 2296 wrote to memory of 2932	2296	Kjopnh32.exe	Kmnljc32.exe
PID 2296 wrote to memory of 2932	2296	Kjopnh32.exe	Kmnljc32.exe
PID 2296 wrote to memory of 2932	2296	Kjopnh32.exe	Kmnljc32.exe
PID 2932 wrote to memory of 2060	2932	Kmnljc32.exe	Kcgdgnmc.exe
PID 2932 wrote to memory of 2060	2932	Kmnljc32.exe	Kcgdgnmc.exe
PID 2932 wrote to memory of 2060	2932	Kmnljc32.exe	Kcgdgnmc.exe
PID 2932 wrote to memory of 2060	2932	Kmnljc32.exe	Kcgdgnmc.exe
PID 2060 wrote to memory of 1136	2060	Kcgdgnmc.exe	Kjalch32.exe
PID 2060 wrote to memory of 1136	2060	Kcgdgnmc.exe	Kjalch32.exe
PID 2060 wrote to memory of 1136	2060	Kcgdgnmc.exe	Kjalch32.exe
PID 2060 wrote to memory of 1136	2060	Kcgdgnmc.exe	Kjalch32.exe
PID 1136 wrote to memory of 2976	1136	Kjalch32.exe	Kakdpb32.exe
PID 1136 wrote to memory of 2976	1136	Kjalch32.exe	Kakdpb32.exe
PID 1136 wrote to memory of 2976	1136	Kjalch32.exe	Kakdpb32.exe
PID 1136 wrote to memory of 2976	1136	Kjalch32.exe	Kakdpb32.exe
PID 2976 wrote to memory of 2468	2976	Kakdpb32.exe	Kbmahjbk.exe
PID 2976 wrote to memory of 2468	2976	Kakdpb32.exe	Kbmahjbk.exe
PID 2976 wrote to memory of 2468	2976	Kakdpb32.exe	Kbmahjbk.exe
PID 2976 wrote to memory of 2468	2976	Kakdpb32.exe	Kbmahjbk.exe

C:\Users\Admin\AppData\Local\Temp\47f7b46c2d00d631632c8f0df20d9603fed744465f4accb4a310f65ac0762112.exe
"C:\Users\Admin\AppData\Local\Temp\47f7b46c2d00d631632c8f0df20d9603fed744465f4accb4a310f65ac0762112.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\SysWOW64\Jgjman32.exe
C:\Windows\system32\Jgjman32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\SysWOW64\Joaebkni.exe
C:\Windows\system32\Joaebkni.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\SysWOW64\Jboanfmm.exe
C:\Windows\system32\Jboanfmm.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\SysWOW64\Jiiikq32.exe
C:\Windows\system32\Jiiikq32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\SysWOW64\Jkgfgl32.exe
C:\Windows\system32\Jkgfgl32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\SysWOW64\Jnfbcg32.exe
C:\Windows\system32\Jnfbcg32.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\SysWOW64\Jepjpajn.exe
C:\Windows\system32\Jepjpajn.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\SysWOW64\Jkjbml32.exe
C:\Windows\system32\Jkjbml32.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\Knhoig32.exe
C:\Windows\system32\Knhoig32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\SysWOW64\Kceganoe.exe
C:\Windows\system32\Kceganoe.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\Kjopnh32.exe
C:\Windows\system32\Kjopnh32.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\SysWOW64\Kmnljc32.exe
C:\Windows\system32\Kmnljc32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\SysWOW64\Kcgdgnmc.exe
C:\Windows\system32\Kcgdgnmc.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\SysWOW64\Kjalch32.exe
C:\Windows\system32\Kjalch32.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\SysWOW64\Kakdpb32.exe
C:\Windows\system32\Kakdpb32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\SysWOW64\Kbmahjbk.exe
C:\Windows\system32\Kbmahjbk.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2468

C:\Windows\SysWOW64\Kjdiigbm.exe
C:\Windows\system32\Kjdiigbm.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2768

C:\Windows\SysWOW64\Kmbeecaq.exe
C:\Windows\system32\Kmbeecaq.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1880

C:\Windows\SysWOW64\Kpqaanqd.exe
C:\Windows\system32\Kpqaanqd.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2996

C:\Windows\SysWOW64\Kbonmjph.exe
C:\Windows\system32\Kbonmjph.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1480

C:\Windows\SysWOW64\Kmdbkbpn.exe
C:\Windows\system32\Kmdbkbpn.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1844

C:\Windows\SysWOW64\Klgbfo32.exe
C:\Windows\system32\Klgbfo32.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1872

C:\Windows\SysWOW64\Kofnbk32.exe
C:\Windows\system32\Kofnbk32.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:276

C:\Windows\SysWOW64\Lepfoe32.exe
C:\Windows\system32\Lepfoe32.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2092

C:\Windows\SysWOW64\Lhnckp32.exe
C:\Windows\system32\Lhnckp32.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2400

C:\Windows\SysWOW64\Lohkhjcj.exe
C:\Windows\system32\Lohkhjcj.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2088

C:\Windows\SysWOW64\Lebcdd32.exe
C:\Windows\system32\Lebcdd32.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2652

C:\Windows\SysWOW64\Lhqpqp32.exe
C:\Windows\system32\Lhqpqp32.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2896

C:\Windows\SysWOW64\Lkolmk32.exe
C:\Windows\system32\Lkolmk32.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2132

C:\Windows\SysWOW64\Lbfdnijp.exe
C:\Windows\system32\Lbfdnijp.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1740

C:\Windows\SysWOW64\Ledpjdid.exe
C:\Windows\system32\Ledpjdid.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1824

C:\Windows\SysWOW64\Llnhgn32.exe
C:\Windows\system32\Llnhgn32.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2056

C:\Windows\SysWOW64\Lkahbkgk.exe
C:\Windows\system32\Lkahbkgk.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1124

C:\Windows\SysWOW64\Lakqoe32.exe
C:\Windows\system32\Lakqoe32.exe
35⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:936

C:\Windows\SysWOW64\Looahi32.exe
C:\Windows\system32\Looahi32.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2484

C:\Windows\SysWOW64\Lhgeao32.exe
C:\Windows\system32\Lhgeao32.exe
37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1200

C:\Windows\SysWOW64\Liibigjq.exe
C:\Windows\system32\Liibigjq.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1504

C:\Windows\SysWOW64\Mapjjdjb.exe
C:\Windows\system32\Mapjjdjb.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1220

C:\Windows\SysWOW64\Mdnffpif.exe
C:\Windows\system32\Mdnffpif.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2140

C:\Windows\SysWOW64\Mkhocj32.exe
C:\Windows\system32\Mkhocj32.exe
41⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2848

C:\Windows\SysWOW64\Mikooghn.exe
C:\Windows\system32\Mikooghn.exe
42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2892

C:\Windows\SysWOW64\Mlikkbga.exe
C:\Windows\system32\Mlikkbga.exe
43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2460

C:\Windows\SysWOW64\Mgoohk32.exe
C:\Windows\system32\Mgoohk32.exe
44⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2408

C:\Windows\SysWOW64\Minldf32.exe
C:\Windows\system32\Minldf32.exe
45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3028

C:\Windows\SysWOW64\Mllhpb32.exe
C:\Windows\system32\Mllhpb32.exe
46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 140
47⤵
- Program crash
PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jboanfmm.exe

Filesize
378KB

MD5
51f50a70bf1c293069be0068de19b435

SHA1
d57f1e808d9ed7a3ab32adbc61b86c40521d5d46

SHA256
a2d5b1777390e030833d328d8d20e20db1a38a3598712e39c9a61652bc5ed728

SHA512
96add198327f821be565068aa1e5c20591b8e60276c05e1b35ec6a570036081065833c1a2a40f2a285b474db6bfb5665289a8d816f4f13229f40d0b89061d61d

Download Submit
C:\Windows\SysWOW64\Jepjpajn.exe

Filesize
378KB

MD5
97d775d921162b1ed87bffe9ddc3f9cf

SHA1
5ddcdfa656b800c97d75f98640fdc8d86990de98

SHA256
9ac77c64d143c226239af3678f141e39133b75732c4374cb4f0aa660c86cc6cf

SHA512
4f1a0f80f4cc8c726110a80c9fd5d1930f2f18e4ee39c8fb23bc31edba7ce96d809bbbfa3e0953d303af01f6c1b1091c8e6c4902cee95dfbedc18b74b31931f3

Download Submit
C:\Windows\SysWOW64\Jgjman32.exe

Filesize
378KB

MD5
e87a2b98e992ddc262f8b507647bc9c6

SHA1
08aa94ccb5f1a8123ff86350c60e806bc606d9a3

SHA256
e952811d958602c72523eb090e555995a701535dbfc57cec1c0bce8aa4afcdcf

SHA512
52b1c1d19361fc0fd6c89652ece3c036f2d7626d52a945cee78035b36e13cb99dc1c8f0167fcfce0d6d96444d822acfe0c3b10b13f764c1329b9742865c9e626

Download Submit
C:\Windows\SysWOW64\Jkgfgl32.exe

Filesize
378KB

MD5
1931df5ce997925702faaf269a107ace

SHA1
ee4000b809e6858b5b2f5abcdb44e82e1860ede1

SHA256
b9f92849bc70943411a1d76db6e9b5a451b1e35851fc618122ea96cbc715729b

SHA512
0fd2007d21f59a800eff10efc5b6e98fc800b69c3d33879c846b2dfbbc1a53e0250874a3b3d85e314da223d7e2c9d952403b55e8041e86c0fdbc8403166a8e50

Download Submit
C:\Windows\SysWOW64\Jkjbml32.exe

Filesize
378KB

MD5
c61fcde25de77b6ad3d5c9c69f55e965

SHA1
0d3c1a0833041f4561cb5865b54b9a84e28c3d18

SHA256
0905513a82b2c5510cf51cacf122650bcbbd57237db4056a9bc1c51ca14c85ed

SHA512
157393877bbfafd30f7132e1b2e4665ec7c50558de2adae5362502911c4b7b0d89985f3098ea9e594581f710a913976fb7976dde2e677c242e602fd3ae198f9f

Download Submit
C:\Windows\SysWOW64\Jnfbcg32.exe

Filesize
378KB

MD5
3ab432b34e91864fbd193086db868ddf

SHA1
d91aa7454a67f970cc30cac88c0bac9d0219108b

SHA256
2b808016985a2de37d4f7978a14191750d3a67d5a4701084e28a53772a509e15

SHA512
0009f7983262a26d6573c7b5aa6eaf65ac830455e36cafdb1aa33b21339984b42f7ea0eac1fff0f243a947b0cfb8fb50f735371deb83e7103da8e4d0286e6f4a

Download Submit
C:\Windows\SysWOW64\Joaebkni.exe

Filesize
378KB

MD5
b3267db00bff17d595c19b7c718107f2

SHA1
e9d0d716fe8330417058617b16a3b752d252f70e

SHA256
943ea1c90c2210e23d2513ce111c00e6b14784830a3ff9b6efedbfb3497f18bc

SHA512
f5ceb905fdd84463372d20ad78af0e8854abcef78573699a492b4907d9521381e6a55ef3a4da4488de16b2796c7f8efa0b7372f296183aa423cea3f5a3f8a0df

Download Submit
C:\Windows\SysWOW64\Kakdpb32.exe

Filesize
378KB

MD5
e8fef9ff71b7609ec7f61a57d53caeb4

SHA1
2ef297b5134c6aaedc7152a65ce96559790f6512

SHA256
8f750fa3146c69680e996eabcf66e3ba580e8270f76a16af7cde289f306d698e

SHA512
3c199959451719ead6d3e0d8e7a9643dff3290881d9d3b6084390e611f52054770364f833731dd9322b2acbd1ebcd7370efe5ac30325c9f1212a013e149db4d7

Download Submit
C:\Windows\SysWOW64\Kbmahjbk.exe

Filesize
378KB

MD5
dc706ed9f4dbe12852a6fbc81cbde57a

SHA1
5391a4545bccec5107db9c9467ddcaeb372ec88e

SHA256
243629d936d80928ff10d585ebf70d3c2afc280da506373c33763f5122eaf870

SHA512
1e57ffc1644bf26becc3855080dcfa8ca60acd0f698431b8ffda4d5562c2f40a1640d67817342a7335203ece1d54648ad85a9ed01677e5572834e73e804d530b

Download Submit
C:\Windows\SysWOW64\Kbonmjph.exe

Filesize
378KB

MD5
2a69ed37c981d79188f68e5e4057e951

SHA1
5db29599971c612fd7514617527d38b67e4ad09c

SHA256
8fc3f1affdce1afd5e384acc25ccd7792d2e6353da76f75ce496cf43d28a2dab

SHA512
523ff53b3b8d75e5410e67b3958fe7bf057a357956d9108f37ef4e705035a908c2d7aa21a7ffecd5360198fb3de3daadfd30b64a4cc9951d600f53ff4e69c70d

Download Submit
C:\Windows\SysWOW64\Kceganoe.exe

Filesize
378KB

MD5
5609e3909722e893caa8a2b051cf9145

SHA1
dac15e199d0364cf4abac6d37ccf60b30a42c270

SHA256
c293e4ce707bef436bebf4cb1034d13179e4ad73ce137c112369e2360500a6b4

SHA512
e36492c579a52adcad6d4c275e9c6661794e91a01dfdb640a86e2c3a91b60fdf19ef821b8eff735b3d20d4b91dce139b9365e9f78e8f88c4053ecf335c315de4

Download Submit
C:\Windows\SysWOW64\Kcgdgnmc.exe

Filesize
378KB

MD5
ed6e11bdcf78fa19d4ed73c37909e71e

SHA1
ee9aab83ed77588d2bbbdd68ec499f465e83d5d8

SHA256
c2fec7813c5dd107d49e09d5cf23fb3ec64a1900e00be7d80ecc07488e024893

SHA512
367bc491201530e7431d27269b0d2dd4f2e71299d33092cae1b8d99fdae18ecd6dbf12cd347a0c81ef73883778466e0d79377e8df317aa7ad6e68dc3fa42e799

Download Submit
C:\Windows\SysWOW64\Kjalch32.exe

Filesize
378KB

MD5
d3f117441402a9a59776772b4c19fd58

SHA1
760f8ed89687cd415d8e6148c6cbb63a0c9622c2

SHA256
a02a78a224a51e67ff941dfef1ed0ed822f7b80993ab188ab53d30a415e1c797

SHA512
11a75a2e842910804c3ab05faaa982a796fefbd1c43b1b6c9feff80fecf8aff6675df9410e69ac02c1535c614e59e43b27fb91874b243dbbe610cb1dde21d58d

Download Submit
C:\Windows\SysWOW64\Kjdiigbm.exe

Filesize
378KB

MD5
b53df293d37d375b4994f3d0a2dae01b

SHA1
0fd2f1bffe072550580612c72a85e7dec6e2776f

SHA256
e0294e0ed7b16c1b6eda7c4463d1cc69a7195c5c0c83ead79b427aa2c9ca97d8

SHA512
6148ee83291a2ca3c4438bda8c863e5cd793b1e972ca6940f2da962b1a215196896ffa0fef0c93350508ec6c5387e41312b2e2dd76dcc832ca334ab356cd8152

Download Submit
C:\Windows\SysWOW64\Kjopnh32.exe

Filesize
378KB

MD5
4def359df1081e21c95850ecfd80a624

SHA1
b71784dc574a61ec425e8fff5161787bce44c7e9

SHA256
0fd8f329495639c842ff245e9ba72aac98ad32a2eb5d928c0838dea8688e6cf2

SHA512
76fe00d8b3ed7b59c734b1c1e30f98f42c6c13da9a15a921062e9bd863cbc0714819633bf0b53baaf436937a873eaeac849a26972dafdb0fe1d95df13209d3ab

Download Submit
C:\Windows\SysWOW64\Kkaick32.dll

Filesize
7KB

MD5
246b565144ae734fb396d411fd3453c1

SHA1
f1a7b541347df9dd757ac028a9fe3f04186a4f49

SHA256
18fe38809d50d3beed4f73f5e1aa819f8e8dfe8bfaaec60d80cf4dd471bc4455

SHA512
10d3fa4322dad91a6ae465b4475af7264cb65ae6356c246b3ea963e1511280c260f6ab540f0dc5965d1e14bb1cd436a9875fadb0d3f9bbf7ad77286e47a02585

Download Submit
C:\Windows\SysWOW64\Klgbfo32.exe

Filesize
378KB

MD5
72420a7bc854629b9801ec8ebe2a5be0

SHA1
e7b1ed44c37a2adc160fc229ef72b39c8ee74f6b

SHA256
45ad967f4e20edeed6ad68908ba35d4bdd3ec0aff82ec2bd978c54c060fca009

SHA512
145c3034e22594b0dd97710eedd105f8756abcb98102ea5496e44427e9fb26553557a9e0192ef6592fe7f3690de088d5e70ea15811b7dee6175d327c1eaac490

Download Submit
C:\Windows\SysWOW64\Kmbeecaq.exe

Filesize
378KB

MD5
93cd4679995aca8edf5f10a8b4b154ae

SHA1
4f2aa89c668d3047379d1f346f96b3d0ed28f0a4

SHA256
2fc51e20911e3e4b4c8d78569c39c719180f04e769ebc07e72da90e1ef694a82

SHA512
a0e650b1d61595da3e2a783f4dc2676a0c93960a7f05693c94f3986cdb522230ecf2e139e8bc6a212a352dafa3822c0e2a4a59e28c12cbba1750a5279f2b27e2

Download Submit
C:\Windows\SysWOW64\Kmdbkbpn.exe

Filesize
378KB

MD5
60bf5d75a0976e8e9d629d9d3acdf463

SHA1
da4f0fbd55b6d143d9ae48e8b16b648c8d184bb0

SHA256
18b40322fcc768475e0377a4fe55e2597d089051c256df0dc3b7d4b58cc1a4d0

SHA512
36b2bab86fe1655b12cb0dad68cab566e865db9dd6aca32af6a7d5e467763b21094e45090dfefc4a72d7bce8af90d4941a147760f4c37b6659ed879a3b58cd5b

Download Submit
C:\Windows\SysWOW64\Kmnljc32.exe

Filesize
378KB

MD5
a39cc12839909f7f34b9965b45ec935a

SHA1
d432ccb6d59b866fb31098c085cff1d93b676bac

SHA256
5e31b695c39f23e8c559850c2ffda7d416f186df349f13428990718549a9c047

SHA512
b2eb70a53ceb10a097a7eb0955cb050b3ea4e0b1ccdfd81c010a3a83d5ae8025df9d02fd4dea4471736c4ca8f6f9bcd78d6b53d53da22089539523d567756c9c

Download Submit
C:\Windows\SysWOW64\Knhoig32.exe

Filesize
378KB

MD5
236ea345da62cacf1f0d3784acd7952e

SHA1
5b5808e6cbeeedeba98cac433632be8e9ecd7d7e

SHA256
0896de731ab1396867e485b4e83a7d5cfeb095b6ba60a6e2dbbf78f517edd6ad

SHA512
12e2e2e6d3dac743a3ea1ad61aaff1bdff4cb18729d19811d03200da25c263e17ec5d43b81a9b81b2ab80241e4e21b8fd2889d820a82ed0118eb794897edda44

Download Submit
C:\Windows\SysWOW64\Kofnbk32.exe

Filesize
378KB

MD5
eccfa0407221283e330391d3e995ff2c

SHA1
406d5ec61220f9e5fade1c80fdc77cc1592804e7

SHA256
1d6f7b2af37bcf245324c5803e14a80216ebefe408d34f2b688dfd21b0e56d8a

SHA512
ca7ae4f7cd0706dc73aa77ea9f6179728309cfde53926f286775bb8bbaded92098fece93284453955fc163cef0b46988bac4a5ab50e2d1aaf13af4819735279f

Download Submit
C:\Windows\SysWOW64\Kpqaanqd.exe

Filesize
378KB

MD5
0e5b6c3f75a9e3d791fb9dc560d1b091

SHA1
87b66e6bccfbb20a56f1f38ac725ccec73eb74bf

SHA256
60791680264ceeba860f8052999d8e5a0f42aeb00302593e5edf555936e0bebb

SHA512
2a0b265181aa049a5e2c31e6b1f53147d40570a59676f04e7d6aa910f89c06eedaf616484ce8d3588371161a5a79076dcb8337bcbf244094c1c9291731d343ef

Download Submit
C:\Windows\SysWOW64\Lakqoe32.exe

Filesize
378KB

MD5
ad6ccd1449b3d380ba37206aaa84bf4b

SHA1
c9587d367d1088bca86441c5a23f65c062003477

SHA256
4473184598340e5597105f85c793664bdba7c34f68b25d442f0c865df644d0aa

SHA512
c521ac312250c3c1415ffdc4953471f1cb0fb4e7a7adbf43b0f1deedb58639f3f86b2e47f3526dae9406222b5d88f3f7e53d655a221098e103a0187b1d022809

Download Submit
C:\Windows\SysWOW64\Lbfdnijp.exe

Filesize
378KB

MD5
aa210546833f9883632d9d69438cb561

SHA1
43b072740d88020ccbe9069312d8989dbb94e89f

SHA256
d3a1a73bd2180935644a73c451f78abb980fdd9d52fffccc794986c9c9cf9ba3

SHA512
c5b5cb71ee92926e6176de7612cb57d1b9ebe63cf2589271e9e517dbf5a8388b4960fff2038708f667c7d9e822492f49c09b643434f569d1850ff271562e61a4

Download Submit
C:\Windows\SysWOW64\Lebcdd32.exe

Filesize
378KB

MD5
2ccb26d674f1f96c408d74e519c55248

SHA1
ae45037dbaaefff3d8e015756c3beb44ed9ceb3e

SHA256
50e87676ac6d6b4dedffe579e576a4a6a0eeab3dd7a366c04199f8a76ac73892

SHA512
94467f250284393a51dc0504786ab7a1a8e9177b9e9fdc4d718689690f298a7821a93dcb7e9e72e5c42c6c4b7a86777d483f63319572c83836439fbab8151596

Download Submit
C:\Windows\SysWOW64\Ledpjdid.exe

Filesize
378KB

MD5
ef1d6b50d893689a799a00341929c9a9

SHA1
49355a4361104d187c3082bf53c477740602ae91

SHA256
485ef35308079b6d44980e32e0baef124ed87229a5f18cbfce2d1d00d0cc2970

SHA512
78cff2d2bae99089993d1c648da49373c065173b91625d14f3a1969814348a57681bf42b5654617e15a127d25040d87880b6ad968b39595dbdc7cb9ed418e15f

Download Submit
C:\Windows\SysWOW64\Lepfoe32.exe

Filesize
378KB

MD5
36de23a1cd2c6787038d1a1c01e3a9b3

SHA1
2a41bf21228d9ff2281fbfb6722ddf1bef154724

SHA256
be4aff4ff4a5909cc353a7150e898f0ada0daa19dd9a3268fff8424a60a60650

SHA512
bc4a174e59e549125febb3f1bb2757928fe364419b43add8bf0a069475b72893e1ac99009c4398be90a506905578bdd9becfe7eef4512d1630619780607640f4

Download Submit
C:\Windows\SysWOW64\Lhgeao32.exe

Filesize
378KB

MD5
bbcea45b05d741a83103a633a577e005

SHA1
2b175b049c72597cb7f1bfa61c7629d198b3959f

SHA256
ce96ce794da43c496cd2f9b29bc653417e27427e07a01962c412ae61f114d707

SHA512
e30dff59b5bb4bb523b9748d15c4231010a284f74b42c7b9882f0f76a557610e6c743085790136cc4d61677c72c5b3c0be01fb3f1a156e04008f9c20c2f7620d

Download Submit
C:\Windows\SysWOW64\Lhnckp32.exe

Filesize
378KB

MD5
d4adc95905b95afd2e25b11bc1f6d590

SHA1
33fa6ec227b4cb9ad8f9e90bde4f0f3ce4a664ed

SHA256
83f1dc27caa325054e5193b33523f380b48869bf52f38bbdbbac5506d145d5c1

SHA512
c2b3ae9ff13f7b2e0633dfd5514f514e82dd23fc242fa87d8bf4a1318e76b4f12e6f0f9cf937280d94a5f6a8f7256bb082fdbd9aebdac36672067dc3569665f5

Download Submit
C:\Windows\SysWOW64\Lhqpqp32.exe

Filesize
378KB

MD5
3ceaf36a4304ef709e5281c531172eed

SHA1
c0f1545543910b0f0a552517745f5293afc1e2bc

SHA256
6444b3ca220dd0d15a0ccacc0acc30086a010db399ea8a771966b3972cab2004

SHA512
b42123cab7af25018f024891906c1a85168a071ec83dded639e6f86f8b32e0fa1ec75f57f851a662eb5d69502c21e3972c9fe9585a6f37a9b6b3fc9ca9f61dbd

Download Submit
C:\Windows\SysWOW64\Liibigjq.exe

Filesize
378KB

MD5
8aa7103889059f2b0511c2ad68fd565f

SHA1
e4097fa0bf2588a80719cbb8b7977a6bb2354aa9

SHA256
e4589244ffd0d4311bf558d5dfd4c1dad38ef9878f520e6f8a92c14fee6f2ff2

SHA512
f03edc130635fef33796825bc25d77e0eaefc11fbd84daeb3f30456ddb1e3530f3db64e8070803d4f15619e746ca556d9e260e45fcdac6871d7f03a2bf947153

Download Submit
C:\Windows\SysWOW64\Lkahbkgk.exe

Filesize
378KB

MD5
4a8db088734861bb2d60dbc1ff4cfb8f

SHA1
6434ea702774087d47e88a6cde63fa9fb9688441

SHA256
ffa97be4350b0af67ed6e1076c0bf1c61b18f582fd25bebb6a57a6108d3fcb74

SHA512
be8cf6e1163f480078e468adca3860d58d3e345063a81682a95a0cb6d36b82371fda47ec417591a1c202a182859252cfe362b3a227910288ad8265dde7d6d581

Download Submit
C:\Windows\SysWOW64\Lkolmk32.exe

Filesize
378KB

MD5
301a416935ec5e088996e0ff0744bcde

SHA1
ef271c2ac1bee33481f88653965293e790a0deb3

SHA256
e66b77a39677ba088ae785f74974503ffa8fa43d2e2b839f1a1866ed92068015

SHA512
c2792dcacc4cd01a67f40a9517e559383f4929d38f0d157e30cfacb1fb5133d77ed1e3a89d4a8f330b9fba39099be75a7985210127158fff7e9bd2b4054319d4

Download Submit
C:\Windows\SysWOW64\Llnhgn32.exe

Filesize
378KB

MD5
5f5292fd7646b9dd32bb17540dcd8636

SHA1
0594ce194d69526975e2de560d6eac70adcc26b4

SHA256
541a3a451218191972dd05b2520634686ae76310c06f2b77d2ef6d7c993008e3

SHA512
65afa5d2bf138036e9e1eff46242ed3ac1ef248115e54576500a1f03ac9e74512105e536bb748ab184a9b31d3c3c2621bcf1d811e5823f4b2dd49087b42262f0

Download Submit
C:\Windows\SysWOW64\Lohkhjcj.exe

Filesize
378KB

MD5
642c9a3959374f88b24005ef85878cb5

SHA1
09e8c922ff8dfbdffe38914c4d847a18a62110df

SHA256
0fc55cb5bbf3912cd349ced5d7880c8f20e87bc5c64c05b849d1483f478eec82

SHA512
cd5f1ac7a82f5ae625d10b0792faa32063df12cf798f4adac9d4094857223ca44d7bb3a7805c26839f47bc00a2573c074492f61bc1b0c372acb6647cc870de3e

Download Submit
C:\Windows\SysWOW64\Looahi32.exe

Filesize
378KB

MD5
24339adb069e9a2ab41666bec20cb229

SHA1
179a4210cceb628f69a9a1d2e3432bc524bc5b26

SHA256
5fe41092e81d3ef102643313af9356898a4ddd47796afb5f8d40ed4da1c4b70c

SHA512
4a844ae28f693494f24b01f4382d18c3c14115605fd0d7ce93789067b213a895e10626b8c02222c35bce0f660b8275eaaa287a6df1e041c63a8e4902eeafa91f

Download Submit
C:\Windows\SysWOW64\Mapjjdjb.exe

Filesize
378KB

MD5
889bf69fd3be502944adf71e4ccb4481

SHA1
2265b95f73f37db9c489639a000433dea57bc30c

SHA256
cc13831c53aa26a8221dfaa69e5c494c43b9408426e033a31eb569f715b06967

SHA512
d29e4f822f43f09e31c699f2c6da080877910dd57d3f97a4001795a85be1ef5305e6ccdfb5662e548516c3fe1b92cbab47461c2dfd3ec987db3b69ade678e91e

Download Submit
C:\Windows\SysWOW64\Mdnffpif.exe

Filesize
378KB

MD5
a6c6380b0d4d89dfb76c6a1615bdfe35

SHA1
8a8d1104443dcf8b2be2f1f85881168b19518248

SHA256
780fa3ce30dfa6f7e48481ebda88f641ba22a952eae3089e627d63c2bdf2bd48

SHA512
da5d032cc81fa3c0ed48c351563ae9bef2efb871583a6083a682b68dcb00859ae0d303b82be02052b4ccca4c04e371dd341fdf7180c2fd39857923ccb7be6121

Download Submit
C:\Windows\SysWOW64\Mgoohk32.exe

Filesize
378KB

MD5
71c21825a44c9a85a95ae12c8b2cc23c

SHA1
b5703385d9b187b20c282db0cb74879c60a1d829

SHA256
3ccb5e4013f8a77f2a27d9e2f00da674c8f7409bcbf84518e21202213b47fe03

SHA512
d681cdd693969eacc79e239676d847d7c4e1a19fae4e116243387c313dba871a0a034003789f977a499e53432fc6bcf15a123655f2e7a056c3845870bfbf2135

Download Submit
C:\Windows\SysWOW64\Mikooghn.exe

Filesize
378KB

MD5
4c20090642d235fea7f80a1dae7d8f0f

SHA1
ea5a7d8c15d437ae5c5639efc676174a3c0705b2

SHA256
6d4af2d9325e0f329b51282a6a5af6752535a07ddd453b738a5f6d6073158acc

SHA512
46027b84163834c5163151d6dd582d4881253dee12d1482b5d2f114d20385cd1d092ee252c280bfa1dae506a11c2ec4f69726fa2528486df5aed8163a34c5124

Download Submit
C:\Windows\SysWOW64\Minldf32.exe

Filesize
378KB

MD5
4853ae7035f6d43a29d0e1a4eb35c4a4

SHA1
76cde178415da15f9b8e6af56f725e0821c0ca65

SHA256
e39c50a8af6d7a0d64d9416ea21405765b11ac33c90b776d185324f8ed2f7a9c

SHA512
f8ea41e09b3da7ac7c6151a940dc8124a40e2657c422b9891fe04ad0a9a625082c9a1dc61e74922c0ebf9e7d729e48909c37561f138fa36fc802cda999bd150e

Download Submit
C:\Windows\SysWOW64\Mkhocj32.exe

Filesize
378KB

MD5
6d187e6c1f7de70a2ea3209ae85f84b1

SHA1
8e524173daf0c927016eddaec31b54c5d39bb234

SHA256
bee36d621a6efe10f3d5aa40e9bcc9edff1546563dade13a26f98a210dba6e30

SHA512
383f234d60f417a7ec0be22f043e429b595de91d0f5709f8a6f81352c66595d0bf72401641e5459a824107fbe0ee4db8fee062c3b3e6a09183b7df01e3277a15

Download Submit
C:\Windows\SysWOW64\Mlikkbga.exe

Filesize
378KB

MD5
d9fc13d93f1b18623ffffdbab342ebe0

SHA1
069110d9f503f94396af722d3aaa3018fe175184

SHA256
d97da17ebb6ae2211f89a703ea06e5d2aa76af07a85c03f46b22d9caf964ed89

SHA512
e6aa0f06ea611521efdb61823a3001090f445028e8904e3cf05e554310e97a618d8a33b6d1ddc61c9bd0954611a142636834f0c9e3c12df018cff6041d31bf53

Download Submit
C:\Windows\SysWOW64\Mllhpb32.exe

Filesize
378KB

MD5
a03d7dfaaee8292ed1d0724816607b0c

SHA1
5fba5735dce9e2180f6b251fd1ca89a58439986d

SHA256
380a17f3e1a1b8e5c1d4dcd721649490b4b69b60ba4a855d6edea8aed727ceaf

SHA512
a7313f3dda6994a3fa706f350b042ee71e90632f58667c583975681f5fe24c158138099a49376f8750743dad130d26e8054eaf81ebaea4964436c02c842c2a30

Download Submit
\Windows\SysWOW64\Jiiikq32.exe

Filesize
378KB

MD5
6f6fcd208d24b2cf5704964a0f539bb3

SHA1
e4ce84c22161e82077116a45d790959c64ee7504

SHA256
eef98cbb6eb0e0a9098ae0293281d5c7cb23e910eef4fc8e0a5f909ca61c0e46

SHA512
f81680e2bf2f6b0d016ca8369d4549f18c59e6545b74a35d0afad53cd3a750d38e823b04a901017a7ef7a2ba2fadb5ec92b7276eb2fff359ae103fbccb4be7ef

Download Submit
memory/276-304-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/276-295-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/276-305-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/788-18-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/936-423-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/936-413-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1032-469-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1032-463-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1032-108-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1032-116-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1124-412-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1124-401-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1124-411-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1136-204-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/1136-202-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/1200-434-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1220-458-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1220-468-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/1228-473-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1228-134-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/1480-271-0x00000000005E0000-0x0000000000623000-memory.dmp

Filesize
268KB

Download
memory/1480-272-0x00000000005E0000-0x0000000000623000-memory.dmp

Filesize
268KB

Download
memory/1480-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1504-454-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1504-445-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1504-455-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1740-376-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/1740-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1824-389-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/1844-273-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1844-283-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1844-282-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1872-294-0x0000000000320000-0x0000000000363000-memory.dmp

Filesize
268KB

Download
memory/1872-293-0x0000000000320000-0x0000000000363000-memory.dmp

Filesize
268KB

Download
memory/1872-288-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1880-247-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/1880-241-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1880-251-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2040-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2040-147-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2056-390-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2056-400-0x0000000000300000-0x0000000000343000-memory.dmp

Filesize
268KB

Download
memory/2060-194-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2060-189-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2088-327-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2088-336-0x0000000000330000-0x0000000000373000-memory.dmp

Filesize
268KB

Download
memory/2092-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2092-315-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2132-363-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2132-367-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/2132-369-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/2140-475-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2296-161-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2400-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2400-326-0x0000000000330000-0x0000000000373000-memory.dmp

Filesize
268KB

Download
memory/2400-325-0x0000000000330000-0x0000000000373000-memory.dmp

Filesize
268KB

Download
memory/2428-107-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2428-457-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2428-456-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2468-225-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2468-229-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2484-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2484-433-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/2524-380-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2524-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2524-17-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/2620-441-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2620-81-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2620-89-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/2652-347-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/2652-343-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/2652-337-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2696-34-0x0000000000340000-0x0000000000383000-memory.dmp

Filesize
268KB

Download
memory/2696-26-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2696-396-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2724-73-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2724-435-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2768-240-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/2768-236-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/2768-230-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2828-54-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2828-419-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2828-62-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2864-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2864-405-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2864-53-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2896-348-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2896-357-0x0000000000330000-0x0000000000373000-memory.dmp

Filesize
268KB

Download
memory/2896-358-0x0000000000330000-0x0000000000373000-memory.dmp

Filesize
268KB

Download
memory/2932-167-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2932-175-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2932-170-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2976-205-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2976-215-0x0000000000340000-0x0000000000383000-memory.dmp

Filesize
268KB

Download
memory/2996-257-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2996-261-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download