4cfafb9f2cb81deadad8d4e3fc2d0e2b3b94710c5c097681eab7c1513bdc3398

Analysis

max time kernel
108s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dd98ac9b2506c3943b338474220f140N.exe
Size

89KB
MD5

0dd98ac9b2506c3943b338474220f140
SHA1

c08e73702e5fb3c235822832f690f684a882aeac
SHA256

4cfafb9f2cb81deadad8d4e3fc2d0e2b3b94710c5c097681eab7c1513bdc3398
SHA512

2dd956068e8492ec3ebb3a5b14f09bdc5492a463a34e82c3bdcdc62c9e5539b557f083a8b557773b32fd62f11e3c2eb5abc4a0cfc88cf4e78437625963da233c
SSDEEP

1536:QKM5Q4jCCQAGr9L5d2VAL6K2cV6A5XxSyxTTwcABlExkg8F:a5QpCQAs9LaVAGKVoAnZMcOlakgw

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe

Executes dropped EXE 64 IoCs

pid	Process
1856	Lpqiemge.exe
4816	Lfkaag32.exe
4812	Llgjjnlj.exe
5004	Lbabgh32.exe
2612	Lepncd32.exe
2920	Lmgfda32.exe
2372	Ldanqkki.exe
4932	Lebkhc32.exe
320	Lllcen32.exe
5048	Mdckfk32.exe
1228	Mgagbf32.exe
2444	Mlopkm32.exe
3108	Mgddhf32.exe
1000	Mmnldp32.exe
4360	Mplhql32.exe
4728	Mckemg32.exe
1352	Miemjaci.exe
4632	Mlcifmbl.exe
1128	Mgimcebb.exe
2604	Migjoaaf.exe
2044	Mlefklpj.exe
5068	Mdmnlj32.exe
964	Mcpnhfhf.exe
1828	Mlhbal32.exe
3124	Ncbknfed.exe
3572	Nepgjaeg.exe
3516	Nljofl32.exe
1988	Ndaggimg.exe
1444	Ngpccdlj.exe
4068	Nnjlpo32.exe
1076	Ndcdmikd.exe
3700	Neeqea32.exe
716	Nnlhfn32.exe
1672	Ndfqbhia.exe
3176	Ngdmod32.exe
3920	Njciko32.exe
2508	Nnneknob.exe
3152	Ndhmhh32.exe
1956	Nggjdc32.exe
1728	Njefqo32.exe
1784	Oponmilc.exe
4692	Odkjng32.exe
3564	Ogifjcdp.exe
3636	Oncofm32.exe
844	Opakbi32.exe
1108	Ogkcpbam.exe
3560	Ofnckp32.exe
1904	Oneklm32.exe
1508	Odocigqg.exe
4400	Ognpebpj.exe
1960	Ojllan32.exe
1824	Olkhmi32.exe
1116	Ocdqjceo.exe
640	Ofcmfodb.exe
4228	Olmeci32.exe
572	Ocgmpccl.exe
3752	Pnlaml32.exe
2512	Pqknig32.exe
4112	Pcijeb32.exe
4392	Pfhfan32.exe
4840	Pnonbk32.exe
4424	Pqmjog32.exe
4340	Pfjcgn32.exe
4296	Pnakhkol.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ognpebpj.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Jjhijoaa.dll	Lepncd32.exe
File opened for modification	C:\Windows\SysWOW64\Mckemg32.exe	Mplhql32.exe
File created	C:\Windows\SysWOW64\Ndfqbhia.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Kcdgbkil.dll	Lfkaag32.exe
File created	C:\Windows\SysWOW64\Kmmfbg32.dll	Lbabgh32.exe
File opened for modification	C:\Windows\SysWOW64\Opakbi32.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Lllcen32.exe	Lebkhc32.exe
File created	C:\Windows\SysWOW64\Njefqo32.exe	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Cmlihfed.dll	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Kjiccacq.dll	Migjoaaf.exe
File created	C:\Windows\SysWOW64\Nljofl32.exe	Nepgjaeg.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Gjeieojj.dll	Ldanqkki.exe
File created	C:\Windows\SysWOW64\Booogccm.dll	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Ajckij32.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Lplhdc32.dll	Mgimcebb.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Miemjaci.exe	Mckemg32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Mgagbf32.exe	Mdckfk32.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Lepncd32.exe	Lbabgh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6764	6524	WerFault.exe	263

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepncd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgjjnlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljodkeij.dll"	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djoeni32.dll"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nenqea32.dll"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfhkicbi.dll"	Mplhql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lfkaag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlopkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmgladp.dll"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Daqbip32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 1856	4408	0dd98ac9b2506c3943b338474220f140N.exe	84
PID 4408 wrote to memory of 1856	4408	0dd98ac9b2506c3943b338474220f140N.exe	84
PID 4408 wrote to memory of 1856	4408	0dd98ac9b2506c3943b338474220f140N.exe	84
PID 1856 wrote to memory of 4816	1856	Lpqiemge.exe	85
PID 1856 wrote to memory of 4816	1856	Lpqiemge.exe	85
PID 1856 wrote to memory of 4816	1856	Lpqiemge.exe	85
PID 4816 wrote to memory of 4812	4816	Lfkaag32.exe	86
PID 4816 wrote to memory of 4812	4816	Lfkaag32.exe	86
PID 4816 wrote to memory of 4812	4816	Lfkaag32.exe	86
PID 4812 wrote to memory of 5004	4812	Llgjjnlj.exe	87
PID 4812 wrote to memory of 5004	4812	Llgjjnlj.exe	87
PID 4812 wrote to memory of 5004	4812	Llgjjnlj.exe	87
PID 5004 wrote to memory of 2612	5004	Lbabgh32.exe	88
PID 5004 wrote to memory of 2612	5004	Lbabgh32.exe	88
PID 5004 wrote to memory of 2612	5004	Lbabgh32.exe	88
PID 2612 wrote to memory of 2920	2612	Lepncd32.exe	90
PID 2612 wrote to memory of 2920	2612	Lepncd32.exe	90
PID 2612 wrote to memory of 2920	2612	Lepncd32.exe	90
PID 2920 wrote to memory of 2372	2920	Lmgfda32.exe	91
PID 2920 wrote to memory of 2372	2920	Lmgfda32.exe	91
PID 2920 wrote to memory of 2372	2920	Lmgfda32.exe	91
PID 2372 wrote to memory of 4932	2372	Ldanqkki.exe	92
PID 2372 wrote to memory of 4932	2372	Ldanqkki.exe	92
PID 2372 wrote to memory of 4932	2372	Ldanqkki.exe	92
PID 4932 wrote to memory of 320	4932	Lebkhc32.exe	93
PID 4932 wrote to memory of 320	4932	Lebkhc32.exe	93
PID 4932 wrote to memory of 320	4932	Lebkhc32.exe	93
PID 320 wrote to memory of 5048	320	Lllcen32.exe	95
PID 320 wrote to memory of 5048	320	Lllcen32.exe	95
PID 320 wrote to memory of 5048	320	Lllcen32.exe	95
PID 5048 wrote to memory of 1228	5048	Mdckfk32.exe	96
PID 5048 wrote to memory of 1228	5048	Mdckfk32.exe	96
PID 5048 wrote to memory of 1228	5048	Mdckfk32.exe	96
PID 1228 wrote to memory of 2444	1228	Mgagbf32.exe	97
PID 1228 wrote to memory of 2444	1228	Mgagbf32.exe	97
PID 1228 wrote to memory of 2444	1228	Mgagbf32.exe	97
PID 2444 wrote to memory of 3108	2444	Mlopkm32.exe	98
PID 2444 wrote to memory of 3108	2444	Mlopkm32.exe	98
PID 2444 wrote to memory of 3108	2444	Mlopkm32.exe	98
PID 3108 wrote to memory of 1000	3108	Mgddhf32.exe	99
PID 3108 wrote to memory of 1000	3108	Mgddhf32.exe	99
PID 3108 wrote to memory of 1000	3108	Mgddhf32.exe	99
PID 1000 wrote to memory of 4360	1000	Mmnldp32.exe	100
PID 1000 wrote to memory of 4360	1000	Mmnldp32.exe	100
PID 1000 wrote to memory of 4360	1000	Mmnldp32.exe	100
PID 4360 wrote to memory of 4728	4360	Mplhql32.exe	101
PID 4360 wrote to memory of 4728	4360	Mplhql32.exe	101
PID 4360 wrote to memory of 4728	4360	Mplhql32.exe	101
PID 4728 wrote to memory of 1352	4728	Mckemg32.exe	102
PID 4728 wrote to memory of 1352	4728	Mckemg32.exe	102
PID 4728 wrote to memory of 1352	4728	Mckemg32.exe	102
PID 1352 wrote to memory of 4632	1352	Miemjaci.exe	104
PID 1352 wrote to memory of 4632	1352	Miemjaci.exe	104
PID 1352 wrote to memory of 4632	1352	Miemjaci.exe	104
PID 4632 wrote to memory of 1128	4632	Mlcifmbl.exe	105
PID 4632 wrote to memory of 1128	4632	Mlcifmbl.exe	105
PID 4632 wrote to memory of 1128	4632	Mlcifmbl.exe	105
PID 1128 wrote to memory of 2604	1128	Mgimcebb.exe	106
PID 1128 wrote to memory of 2604	1128	Mgimcebb.exe	106
PID 1128 wrote to memory of 2604	1128	Mgimcebb.exe	106
PID 2604 wrote to memory of 2044	2604	Migjoaaf.exe	107
PID 2604 wrote to memory of 2044	2604	Migjoaaf.exe	107
PID 2604 wrote to memory of 2044	2604	Migjoaaf.exe	107
PID 2044 wrote to memory of 5068	2044	Mlefklpj.exe	108

C:\Users\Admin\AppData\Local\Temp\0dd98ac9b2506c3943b338474220f140N.exe
"C:\Users\Admin\AppData\Local\Temp\0dd98ac9b2506c3943b338474220f140N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Windows\SysWOW64\Lpqiemge.exe
  C:\Windows\system32\Lpqiemge.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Windows\SysWOW64\Lfkaag32.exe
    C:\Windows\system32\Lfkaag32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4816
  - - C:\Windows\SysWOW64\Llgjjnlj.exe
      C:\Windows\system32\Llgjjnlj.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4812
    - - C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5004
      - C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        24⤵
        Executes dropped EXE
        
        PID:964
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1988
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4068
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:716
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3176
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3920
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3152
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1956
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        41⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1784
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        44⤵
        Executes dropped EXE
        
        PID:3564
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        48⤵
        Executes dropped EXE
        
        PID:3560
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1824
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1116
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4228
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        58⤵
        Executes dropped EXE
        
        PID:3752
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        59⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4112
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4392
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        63⤵
        Executes dropped EXE
        
        PID:4424
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        65⤵
        Executes dropped EXE
        
        PID:4296
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3764
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:4608
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        71⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        72⤵
        Drops file in System32 directory
        
        PID:3704
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        73⤵
        Drops file in System32 directory
        
        PID:3352
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        74⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4316
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4488
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        79⤵
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        80⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        81⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        82⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        84⤵
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        85⤵
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        87⤵
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        88⤵
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:5608
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:5684
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5740
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5864
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5912
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        98⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6104
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4624
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        101⤵
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5336
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5456
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:5556
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5340
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        107⤵
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6040
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        111⤵
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        112⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        113⤵
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        114⤵
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        115⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5784
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6096
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        120⤵
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        121⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:5764
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5948
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6068
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        125⤵
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        127⤵
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:5600
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5512
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        132⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5352
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        134⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6188
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        135⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6276
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6320
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6364
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:6408
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        140⤵
        Modifies registry class
        
        PID:6448
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        141⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6492
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6536
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:6580
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        144⤵
        Drops file in System32 directory
        
        PID:6624
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:6672
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6712
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:6756
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6800
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:6844
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        150⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6932
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        152⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        153⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7028
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7072
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7116
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6148
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        157⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6220
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6288
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        159⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6352
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        160⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        161⤵
        Drops file in System32 directory
        
        PID:6488
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6564
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        163⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        164⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        165⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        166⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6928
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6996
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:7056
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        170⤵
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6212
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:6304
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6400
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        174⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6524 -s 416
        175⤵
        Program crash
        
        PID:6764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6524 -ip 6524
1⤵
PID:6704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
89KB

MD5
5b7547d6311be613acddcf24669d7189

SHA1
884f4fb307d5b972515487c041d1f81c9c3acaaa

SHA256
aeb2e44c1635acca082d5dafe28278711ded0d90767c2204486eab91aad8b6f7

SHA512
6fc26b67e45a46c5467694781a282b812436e2d1b378fc04ffe78f13a3df5f51bd69e17f87edbce5477f2ab12e22967f090047848f7973845650ba86db30e6cb

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
89KB

MD5
b95449f5e0f6f0ecba38b5a7a54c4b45

SHA1
c61333febace71455c4814bae8b91053321979d4

SHA256
8759ce987da028db288906136d2384323693616b8aa0a625399ea475b0b5510e

SHA512
4626dc7f2cc7a32301b789eaba1af9308632f3068bcd754c1f68c346ccb88b3adaa6612196ec44fb4ed07dc8b74d09d7b701e801e6929f3ef03fd7245d61fea9

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
89KB

MD5
1c9863bb229212256897f8de688b0883

SHA1
0eaac05cda9a75f24afd69e988d0939f3942fdef

SHA256
8f360725898819780e0d680e71b1a0c10d77a307a7389432478c156579cdc9ad

SHA512
e21b20e5f655b9020f51c6352b576571ea5acdaea35f388ce3985277dfc672118ffa5b8999efadb6f2ed588be8589bc5d6441a90f4d7f02d73bff2cf63eddb56

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
89KB

MD5
bab46b4d5cae4f10fa7f661605494f88

SHA1
429d77bd7fc3146e7b1f4582edb945654ed0a208

SHA256
e4bb3501d82532c9c1f396bec13c095115528b1c33e75fe19bb51df65557fb85

SHA512
0357d1901db24c075713a0ec753423ee7940c94037635046fa429be2caa698a0675d532f6c451cf31c7c9fcb0e2d3fe0e4b955103e32a766f578159c32ff91e9

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
89KB

MD5
9b033cc24c487951eaddce18bf4d69d6

SHA1
09642d14c4cb67c0a789684092e066f0b654184c

SHA256
408b202ff75697be0a00ab55597141a84530edfaf4f5b24c2506fc62a6d63f07

SHA512
052a7d6cbe95a210ccaae4e410c69d2798f6f6e60651e84cd9c7051595c84278aeaa6b2a07a9511cd499af4d6c1475ec9dfd8ae4e5dcd90578104614e1420bd8

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
89KB

MD5
714cadd6e698b944bd3630f945984286

SHA1
97234678930e59e7c76806e0241783e52d94e9e5

SHA256
f8017be698735ffe7d414e3d095e6a39898f5c35bc74ed2b742c34d70c0453e3

SHA512
1a2a19a22ea2f2e9a19bdbff0bf5c0da556df24886acae0f03a4e573bc5e41e8d339254d019955e93045aac02da56f56101b7e962beed9a945d0b93f45d27ac0

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
89KB

MD5
144468c01d1d2b0010d12452fb33b10a

SHA1
271e1c4c79c3a1780f314760d8f9e45bb7048284

SHA256
15190aa67913e630d5218f81b845aca41b649eda3f03015269006646feeac7b8

SHA512
e19eab287b70ed3cc9e576a28ef783998160dab3f5411c56a2a52b72771a44073db0be6f42705ed6cd1f7b71e7e21b7c0af3593a33f754a51568ca807dae3a4f

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
89KB

MD5
cb6613009e1139b29495b71fedab030d

SHA1
9039ad055e821cca5b1da725352acf9420540643

SHA256
146780f39e0cc8dff584d8ed9675ea48df004415649b23c655cd8d3b75b13dc6

SHA512
71a31c97f0390c413c9d63d1ea02474d0d2bf78c8f5df723bc5fe7bb4e5a4e4dbdcccf2cb3da1b7d1b7740282d3549285b6f205780e6d2bdf0355161457aacfe

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
89KB

MD5
2b10beb23cf48ac29b943ca9b313a2e0

SHA1
c26235f23c99d32b31df8b0281165862e947e78b

SHA256
d83dc5d1d9bc3660ff71b272e325d81b12963840b31241cd16769da0bb713fad

SHA512
b7edfa9ca2ea9460824c4b3012674b57c9a284726b70eed167f26b19e7faa08e0c014b5f61e3d056bb50050f740aa9428ca2c4f9d1759a7a7cec8376ecddd001

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
89KB

MD5
5a03e3d0ddb446e30fe252259efea6a7

SHA1
4be540b7e054c13a6ee34d7de83a50d4a3f63272

SHA256
fb55877a3348084ec83d3416b46eb59022e4c6c38e4f08e03b134a72e2f1139e

SHA512
241b1d96cffff671d90ec3735665e33e226012759e9f8baa42b8738ed5ae5f693270ade49e75c3bd309ebec4e00b4743b05bcb1560d9055220a29b4f3f09ec23

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
89KB

MD5
1d9581b83a62152ea70ef1d28f8a51e7

SHA1
cbd2a967f4553fe9fcd7cbdb093609a7604965a8

SHA256
9a57abff081fac33d8b952b4d392e37b6e5a7b2ef2299c48a5950cbb76946572

SHA512
151541e0bc53a2e5c4367451fa03dbf7fd02707374d2038470c93a9defd0cf537f7bd503e67ced216313a476a5ad435474daebdb89d8648ca476e3bec9dacad9

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
89KB

MD5
f62138e2c8a2b399de7c031217b9009f

SHA1
f7c54ae8aabaa3a3f1e61b3d56fe857fb7dbb710

SHA256
300edb643b8662e6a2ae41000d0ef3c6f76f1bb632caac79718fa152a78e5ecf

SHA512
f8a2b3fb248b80e1a924b67de09e4840e1b0370fb2fb76fcd62a24870cb3b1e244a3662d888e2d5702ae47755975fdb5b1369be574e841e8c893f730042aab4a

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
89KB

MD5
237315b7b8db3efc7a703073c5ea418c

SHA1
63aba47ae1336838e703dbe6ce71c4f3c932c097

SHA256
bbd526e0ce6137749cc6b82045a3db639d77d07022a9d3edce3299246d107fca

SHA512
a01e7d144d26526e75a7f372d9da813fd68ea4babbfe13941c482bbf9530331b8b6c778816b70c6f0361cfeb847ca2a85b2d4610628b0b6b82c03536fea97428

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
89KB

MD5
a5d2f78d72a4ad96e92adfd7153f56bd

SHA1
898da64a5feb793ddaca0a51cd17ac86ff5d6859

SHA256
101c046178d109a627e3443886c7c9d59cf337074412741a36ff44b3697f0dc4

SHA512
d282c4f12c6bcafafee066f6f40507cfe7594e90b3fcd003ccf5d9435e43de7214d526bf031db7df9e7fae9c9862b33f32a0e941900e3cdefcf81fe49b53e27f

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
89KB

MD5
77b4afe469ed72b99d8fb6047f55e2fa

SHA1
77f6647ea1a9855a60aab4d2430a285e37e74888

SHA256
2a4c134844743570cd22632c16a65789a46bfb976e142c17335af6fc11363da8

SHA512
b455764dd143ba5ab4c44ec6fb4c9fc9a3714700edde0adc82f06a4c8a7704b59e9db3e052a4739cc1bb48bb0cefa09f832d124c47572abe6bb9a601e6f4a641

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
89KB

MD5
27092b0b0c60bb76e1808f6d47b247f4

SHA1
b0c404fbc19e29af26a1f567fe9607856e41b653

SHA256
f25cef2a26e1926b0351145689e19b58ef919b012ea2f22fccd0ca62d2e7932e

SHA512
12b1a11e7fa040e056f16e0162b22fcc6e6c1de5371574572bcfe2169e4c1f07696e695a3bd51f6b7875e0442f23425bf5d39c6fa6234b4890793964be8eba46

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
89KB

MD5
e9b851ef1a17b2c0c42a50c78257e2af

SHA1
2bcc300cc495c4eae7e2cb82e2af88430314c08c

SHA256
4b0aeb5ae5c71b521ec837f33fbddc2c7e6462fc78aaad4619d1d41aff141530

SHA512
240ea51672174ebf57b6badbcb4a143ffb2ae3fc764817a4512b6e7be102ddaafe9efa359078a904c92373ae2d49d10d4635bbcf19e8ebed20b96d1c328b50cc

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
89KB

MD5
51dcb0c37ea1c4bc87c0f9f6c1bd2d07

SHA1
e30da2c68e3cc10b7ca83eba05eec0f32d55f27e

SHA256
799e37f348d96690fe058982283824e12d11e97855e8cb1a552215ef2e0128f3

SHA512
55b7a64786355175703d3e0131431faa4dba5814c182e1262835bb6b4fc40feaec05693220eb37ed6b263ef2c2e354705d1aaff814bf1b540dcdf1bde9e01fc7

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
89KB

MD5
0f0327a8285913e2ecba864e6bc4b7d7

SHA1
401f4bc67b103d388aa5505112b795b2526d8a6b

SHA256
b77d9b1ef941bff24d9a072981f00d77d45ea4dada75f38bfe1fbf461fed38ec

SHA512
f78564b453aca6e260dad9f669191c40b5405530bfd12f5a0fcaa1d34604dd1e2281c17e7ac7e69222e261f87a1aae4ee8d0b1c657d04db73908d1d5172ea8a0

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
89KB

MD5
0cd7eb1e98d41abee00d856c2975cf16

SHA1
61531a290d9e012ce3a5c385115fc95d88b48b1c

SHA256
64926dfaf3029e906ee8c741f85b7558dc0f0bcd5d225d5f04485912fcbe1db1

SHA512
dc5496358b136b11e0e589f3dd08ae1dbc889388f6106b147171277a43aee1d738bbc733b17bd30d6e1207b375bae4d6e10bd502b824751d7e77663131e0096e

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
89KB

MD5
10403034aef8e215f77587bb62897ae9

SHA1
1decff5e5d6d3825cc08065ed68c3a2780241272

SHA256
eaff685a261d2a75451807e6bd1fca3806103a0e1902d060d96964cb5f8399da

SHA512
29d3766afa984e48b040f59c5a6af5a47dbcde973d201cae3b46fbc497585e35e8be30ce60876b4e13ada46fb27acccea51a413f702074cfca93f7d60099c9c9

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
89KB

MD5
9afe1b9bc960d680b91404129eef0f28

SHA1
3d7068ed0695e83d100f74b3d40f8e68edb0f8e7

SHA256
7e044feb395cd07b6bfa6dd2ba3f828a1f24f86f899f76f3c01db5b6dc08b33c

SHA512
fcf825b7c2a80760d13a0d564d5072e30e4dcc8209ac2855d6605bc060f43f9788d47c881daadf2868a89466881a24be919a09d111a33745283f36579e583846

Download Submit
C:\Windows\SysWOW64\Kmmfbg32.dll

Filesize
7KB

MD5
cf212507a77a224100da75d6cc82a2b2

SHA1
de4edd1b42f4421697c74edf20c97ecdaf1eb90a

SHA256
6efcd707f012c5657266effb93b1db275160cfdedbd7e43f5da83596b98dffdb

SHA512
6b6df15ba6588d3f98740094d2eb379d4eefd23f1f12d3b64ac60a6dbdcca4b2d40050ec8b99cdc1befa00d9ed468a5242dc24c61fe791189105986bc519d73a

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
89KB

MD5
94c9586e67df8e9d625ff563020efec6

SHA1
712be78f9676aa8274b94b1e7ca3e530fd7e454e

SHA256
7ec1a005835e9ffbec1c46bd43c971188d041c7b0a17cf4a3286747987f98421

SHA512
0fe7e8d2f3c9aa0bf767a149539da3ca754b68b09c612c85a6ede2f726f2f9a06c36e19aa58136ef7215dca995ad30391076f27645ce3c1684073041f19c18bd

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
89KB

MD5
b34fe588a2706c5a7e9d62e45f6b6b29

SHA1
b4f32a69d004bc3ae720f3211df4b90f6ed3217e

SHA256
a5e6bcf5a4ad6be05c7ce59518f3746953aa535893ce89f41e79f880f1ae12cc

SHA512
01c2e5413a45afba6d2c49a24ffa61b51608ef87c8a972042bbf9d6e608b41c2e1bc9e05f6aa1f75d9e5d598db184aea8c1a5a11d316e292dd003920e1a3a46e

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
89KB

MD5
9655d7c200ffa940ce0aefc0478e369a

SHA1
545268b488d6b3a76a3c26fddb3f20dfc442fe71

SHA256
2b2bbed9b4613767f1af14b9a6839612b9e7ae747674d7d4338944bb9ed3aaaf

SHA512
84d424c60228bac0561df97cb2e06add9fff8d85bbba2d5ac9ad5fb0de98caf98cec5bdff51a01810778e5b2a0f9e72edfeaa2706e550282dcebaa9fbbd10aae

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
89KB

MD5
a3c70b8c7151f526b014ecc61be545c5

SHA1
310abea9dab05664feb83c685b1d152d9e2d3429

SHA256
4e4fee4519365337df29a3a506e755411f3eca1b4b609e5503c3c6fa2424d69b

SHA512
8ecbf0ba10da74c2a2e058db350bbcfc28def89a5bf189ec66aaa3ddc3c2a89da3e8bc70f0f6f6a58a37325d231309b5f828ee89acc45927978c74f909d86d83

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
89KB

MD5
830c1a4e2b666886a2014f33b5def657

SHA1
48cc2f65fc7602facea9a0ef0fd9a62ea7aa8a82

SHA256
e7f01610284e5777a7af714f3b6210df344d9b3e680892f6807a1521da3d3835

SHA512
4622e62bef23c8a259dee04522af000cca2edb44d9a03352c439c7f3a8d7968c6a81ca9758d2199ce45f082f986dd52c9c607fcc05bd86051cdac8a6fe06ffbc

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
89KB

MD5
de8bd6cfeb7b95ec65c8e089e82753cc

SHA1
0d8123297664b2e70aae61c8a15155da7f599b74

SHA256
a98f5134dd3fc35c4338be6da711c321374cc6d7783b722031389d3c02cfa9cd

SHA512
0000ddb8792f1201fcfd18a7856e637b0bf2265339fad03fb415a0b38dc6c615076bd74bcae93d545fbb846cc919ac3fb776ab1962e7ed080319d932664e92c4

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
89KB

MD5
68b01e0cc0f06dbb9747a3418221db50

SHA1
df4f05b990370645c5978c1fa5276e3158ae0072

SHA256
62ab41c63f63f92d5891b691456176b49b7383fc2419d369bd9a585ed774d073

SHA512
13f1d8fdc977528f6466b8948c01b3d50ee915796d3059d673fb61909555e6facf08ec024ff636474759a36f443cb18452e93497e5580e492ed656a41382186d

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
89KB

MD5
7fb168afd679892cc47a14e04489dd54

SHA1
369dfd77a5d53cc12031930502ca8712de533554

SHA256
2d21bca552f7d75a4974f7c135fa0a7d7ef6d894f6a00f0465af19d8b86f102a

SHA512
54d6f491c13e99b5b262f1e1c5e46db450834ae358f091dcb5a286c64c5bb9d16cf5418c6b63697eb08b2bbab78ba93817baf1a5e6c71e5b3e13a490a96ea1e1

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
89KB

MD5
4490c2ef9be3142af542fa51ccf4dd8a

SHA1
1f27f3aef2e17a8562a8057aace0cde6831811d2

SHA256
afef05da45eadbad9c47db37dad5a53e0c31e2b9625ed9f4296f27e6328dae4d

SHA512
3557e31a4ed3f1276321c9e11ab0db23c1146f025499cd9d54df142fb8cc8f95b7d2f7a6eaaa49ff520b6d9cc371a445a8b9c080b62009017ef663a8a2dadaa9

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
89KB

MD5
87da778994620e795465be49fdd5eef5

SHA1
537bbda49c685100a0686df465b713fa8ed83111

SHA256
04d44d3fe9a6fe872645c9136da066fb87f85ba5ca9167c7142cd3eee92dd733

SHA512
bee630c6313fd6e97c45767317a88d5287744733349727416f3deb932953cbe1f1123f8ba33248c4aa107643df4eae1dc8603a49dee53b77d0bd5af5899f99ec

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
89KB

MD5
26bf47136700055b4535b11c2b7ea3c5

SHA1
b94f6a4a834b65305d67baad47c5139cc2b2066d

SHA256
71d6f3821924cf88f82e1ec04a6e05b6cf2871797e4bfb6c205be8c762f41190

SHA512
ccd5a04693d179f2495e222e5d9c708876ab09bf14f966015e32cd06100b91dbac9a9ebe3e9764ff6271051d352ff71b6cbc478cce3afc95bc4e6a90d98ba4cc

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
89KB

MD5
15af953b4d991577677725075099ab9e

SHA1
84e39323e2550e3e87cd054ae373a1ef7cdc298e

SHA256
1af23df2435806477836636da4f9eadcfe54cdf548ab411e4359be61067e61ce

SHA512
5be04fefe4360d1b471c43c6c63476f64537650ada198c6663c5838c21650e9d17b808ffcad51897870be3f300230d37351c85dc5a1a1e5493ee405369f5dbdc

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
89KB

MD5
188415c47f90bf717e24627a361d6280

SHA1
6a55a2ec4b9accbcd287be80512970bd0a9c04ec

SHA256
12cfa4b415416dbcb96a794f8129ac8b782b90396cb1ed4c819d48043ce51ba0

SHA512
90a69c6fd6f9d6638906d06674e8f9cc7c42115a046b219004b7af95d2b4236db23547bfa6d4662baeeccd7bfc0f6e5c49a0962dd50b969b675a1e9429baa081

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
89KB

MD5
84fbe28ea01105fa8fd7a6c81dc4aa9d

SHA1
27b4c97655a20fc792f181fb76d67bb8d2bafcbe

SHA256
7d6c9b54b9b17c4a729868dd7360ddec268413026c81b8fc0a76bf85e9a8d05a

SHA512
b32f08e43f10d68e0ba5454bca5c7ad34a236f0e2ce93e1cbb937c280fb4808dc93ad18992d444950055f5153684827677a5b70b206bb0930667d052db082122

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
89KB

MD5
289b6d4347dd18f0c4efd9a20534b323

SHA1
ecad64f2ac268a8fbfafecf23731a8d88d2b1fc8

SHA256
9c8dcb6f2d27bd7875f2c3fd9d1c880fdf22768008261e9be23e268953b6cf5e

SHA512
d7f878d1700def2422da6b68162d88e30aa48d63dbf7bc2394d59edf7f46b795fa659d13589b7aeebe84f9559a6838eca58745ff175abbf213325b200929ded4

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
89KB

MD5
f6395dc8339ee6f3fcd1399084b33670

SHA1
3a0e8d6430d72ccba48c836c9465a9980571f39b

SHA256
aa12a26005bbd2a3183ab6ca385527f86ffdc0b5728390daca822ad301e782b2

SHA512
d95d7dc1b7951a9677f4159e5aa6934613f4a22618bd110c1fba50f99e459a6322822e3cfa7d885f4cfb953037fb47b01af11240741e1029413113595e4aa674

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
89KB

MD5
84254c241a1131c50056bbd30956e837

SHA1
ee58f6bffe75e76c762db4dfa256ec24d4fc595e

SHA256
d3d7b9a697b975d035d25a785a08bbd70ebb484091e0e6ea4f83295cf363d2e4

SHA512
6b93b14f4418cd3347335c87f4f82fbae55f823e237e63c0ce0569fcc9650b92cd13d4e34ed30d674148f5024eeb7fb2edfc42532e6b9d380664d67b9b7160bb

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
89KB

MD5
cd230a93b771f2a4a2463fae5acefdbf

SHA1
096f66bb70b84fc23bde36eafd8a954fe9fd264a

SHA256
3d666eeaf4512c9659971e1de4aec2e4059c1fd9ed7cc9aeb94618debc5ca436

SHA512
abc14c2111afa8c8792129236b99c370c61fa283e5dcb985ebece1ecbf4587f20dbb63fb8166fcf38046c6a8bf966edc801f8f872d80580d8014edd9e86ad1c0

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
89KB

MD5
cb740555ab101bc773d24fee1e4ba65e

SHA1
b641259d2234e91a57defbe163d2217e171d76bf

SHA256
a13e0f910311f9ad773ffa938f99fdedf3e9a5b163363dd2138dd4a324663c57

SHA512
f04648d702530ff5c52d0b8182e3e0f329385f6ad5c424953e8aea1cc3061fec687d9e63dda254f4a09f9ae041176109432dd6e172d8649d62b31a2ac53460f2

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
89KB

MD5
0513f180c0f355118a613d17f5e41748

SHA1
979d5b7411aa8148c5b359e973f13e0115c8b748

SHA256
11bc9641061ed5c1d87f14c82b32d8d993b6d9b134c8c7bc84cf8a9691828489

SHA512
7fac7104b47f4586b07529444162fed816c7d2fed9d42ef0ddc34ed6bf3de20e0b7169e88b38dd455df7548f5bd3c9c32a714a05b818842a6875ee5caac31196

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
89KB

MD5
94bcaef4a738aa471104b596fd6e62cf

SHA1
ca998ab161a14e008dff156db4257a6b4ee94c36

SHA256
abc6d9e28fa8b215c11761b7e100f6dac4f3d99177d0b4da1d714b90ce76283d

SHA512
615bc480e34238a283687c6909fb76ff053baad6587b578eed325ba03fdbea7f3921f5b4747efeffb42d4a016366059d7507a057e39fa90ea3dc030e509a8dff

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
89KB

MD5
4be48bf9dd29c6853b3560ada13e7ae0

SHA1
e39b425ef18d27c241d2863a9cfdcc38c9c43351

SHA256
410b800249b3bec3e7f2aa37724b98a4dd1e220cc86317c4d18e3d9238f66d17

SHA512
3875a9e55122985db844653a0ed7a2bca97003e2cea63bb4175e3b527f502a3d5fd3e586fbd42bba2e664bb8f5ebf5b3d1a0ab6e3b4fcea2ff87bef9b3a76f38

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
89KB

MD5
4651fe223e8c161d64dc4ff298487b0c

SHA1
ed575f9078ea823551471cb2a7b9a635a332b11e

SHA256
5160c4ec5b2f966994b29fa38dd3577c5a2b11381a240459633c9a12649e2976

SHA512
4e4b00d3ae3bbfe7d74a66872a177761fb398fc2d572cd8dcd994ea330e2b4a0d2f065eb2411a06a219dd0c9d385a2d4a9ed8d08f557dd997551f81007ca259c

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
89KB

MD5
b97140c9378198ab3280906276d82177

SHA1
416ff1993f8a7917a4d65e8b3a546f73ed8aa0a6

SHA256
b6c823fda4575e0009205ea418582dcb37d90faa9049c403003e40e1b50e4ccf

SHA512
ec6a811f3f01833d1c6faa9b48a80dd2d276fd59e2b3db1fb0774fb8d6162665bd2cdfe5e24dda1caa119a68a36252407f759327f937038230b9717b30f3f432

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
89KB

MD5
28d51dc75226b0b0fd934c86e0006a1f

SHA1
4d507a23a8007b5f99535ab430139f9d46ad950d

SHA256
b882d5c790b284cb189271f0a06bcbd147546edeb21593293a3c1b5f53501d4b

SHA512
1310344165c542ffa950bd11b0137d3fe8c06129ed1c00c2175b56efe71fc93080988c1514b132c883f9ba8ed60df64da98edf51291185c91304a6a47a29d3fb

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
89KB

MD5
90314342c1524eaedda3e9f1faa4bab8

SHA1
37f47c52983affc764a0ae5d94d6fa3de50722b7

SHA256
88a1669a825289b2ede5ad7783e23485b717c1d68f6a5a8f68d03bca9d421bbc

SHA512
c5a5927185613e43138f1f6f6c806e5d2aa7703dd9587be40b6aab4dbdb9b3f471a39b57db2f6c59c9dba9db6b181fd5d84f72800dc335b1a833368afdce7334

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
89KB

MD5
d25b76440172e43433dd06317e6fd384

SHA1
2bd43de54c04f58f82aa68439700fca6ef9bdca3

SHA256
ea544b72092e073f52a072c53e4ebcbb7e08a9a47d045f8fb65ebdee909427ba

SHA512
4e5efdb0e428a3bedc8ba1bcb1c25452c425a0b6dd997f214b82497c3466290b02b1db457a8b0493e163f6de3725aaf00f611203a52e702eaa5fe8362010cdc9

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
89KB

MD5
1ee944d3f987d8be0c5aecd0ec91761d

SHA1
cb8d225d0b79d1395d3ffcdbbedc087e6d94b909

SHA256
20bb9ffa668a27cd0b2875288937193fafabf15c8936d4a84981316346a5d156

SHA512
d7f6d1acdc9a5e09d1746be5310192d2c69356c37eda2f34ffd00a547a0a34763e5eb8213bc3570d64b958d8474fb867be30331fde53bf7b8f19245bbcaf4a16

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
89KB

MD5
9106b1de72b219a16596d33ae51962c6

SHA1
fb02670ef0a24212040626046c6f0bfbd4270340

SHA256
da901de5341c850b41a66e25e126b96cbf663eabf30917ca1d615756f87f75df

SHA512
ed4695bb7d28b0b158a6c6e4aabf0757ab478d8f856787a59cf33b8d5931cca532e93d5307a5b5e9a5da92dfd8bfc9e41218e54195c9502c492c9833953831dc

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
89KB

MD5
b36f5f8c737cd3b1e2f6a393c22c3b96

SHA1
3c4d55accc0e79342ea4b26760dcd62924b34303

SHA256
21d45374a3b6dd9e2ce24157047ea0ae79a5405af947af4ed664593a4a68df14

SHA512
1aebac2315de7853ad7f716b48770fb1a9e4ce6ce9a2c62829fd603a705192152aeabde91f1af84c0be4635571ace5a58ec23f4fe0f2e72f991ee19c2b74cf87

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
89KB

MD5
bf0b7fcee4e6b3d8e6fa2a56282cdcb2

SHA1
4c81f8593f200f8adfd735de32f563ba1a431ad1

SHA256
e0c21aa044faf00f08b62d6ed98c1b6fbf6d7280af21f7d8437eb75bfb0e244b

SHA512
9b35dd4b9b77178ac4c420bf5ad2e2b0a4c4610f4319e409e515fc8d60f01b1049c6a594c370d08809e61d36cc42f013a46de512eb4317a008e059960239a630

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
89KB

MD5
d95fb06681bda424bf550f87eb0bfe85

SHA1
8c9c46cf54b75c06e09ede06da9046790374b437

SHA256
a5fb37237acefd515da43028a2e09a15f7114f66ac6df5dc560ace7776540036

SHA512
0b13057125d7c7afbf327343903c5baa3abe7ba5e11579f0f5487490e5666dede6c09785d93823d36418dd107fd75ad8197184fffea6992467decef4db51c753

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
89KB

MD5
4193f9b98d2b33077964ddbd4b3531b6

SHA1
3d51e62d8a0b205074b4151868e342904e0d6bbf

SHA256
4ccdbf29d981c8c3ec89440e193d7d6e6854ccefac85a169c31bde0cf8aa5e83

SHA512
bbacc06cbbdea103616ef4b42bdb6d5bf15b610c45323aada6a0e1470437e547392d8f1779918c1b8b5f5654b1b46ccfba82ea3cc9f7fe8c9322d331ec6001e6

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
89KB

MD5
65833a02f5d9a32cad87ee50b20f6ca1

SHA1
1d6cfddc935d708051f4368e8203443c69b1d827

SHA256
21ba0d516813039ada0160760b0e5e753fec452f5e09bb00b9782931103de5ba

SHA512
0609a4de84c2016d28ae64519f4ec43a1caced303f584cf05d9c5e802b69e96cb17a602d89d0da83365e608cf05488d08422be0ef7dfadc3a18b48401dd4698d

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
89KB

MD5
389ff04731904264e0b1ce5c07642380

SHA1
16208b9dccba2be4fb03fd6d2f93411d43be2ecf

SHA256
28f440c663247796473f2c01b11a19edcccdb5e344a1a5eebbe95c3b48f3c56f

SHA512
16c472bff789062da5b46610b516947c0092b7f06ff98bfb7396a5cafd17fdd9ef18b835f74c69d49810066e9506ff318bc10cbb48406513de4977632a7871b9

Download Submit
memory/320-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/572-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/640-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/716-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/844-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/964-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1000-111-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1076-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1108-344-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1116-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1128-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1228-87-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1352-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1444-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1508-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1576-514-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1708-478-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1728-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1784-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1824-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1828-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1856-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1856-551-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1904-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1956-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1960-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1988-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2044-172-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2228-532-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2372-593-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2372-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2384-466-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2388-538-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2444-95-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2508-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2512-416-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2604-164-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2612-579-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2612-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2920-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2920-586-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3108-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3124-199-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3152-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3176-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3224-472-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3352-496-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3516-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3560-350-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3564-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3572-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3636-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3700-255-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3704-490-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3736-508-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3752-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3764-454-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3920-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4068-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4112-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4228-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4296-448-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4316-520-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4340-442-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4360-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4392-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4400-368-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4408-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4408-544-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4424-436-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4488-526-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4608-460-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4632-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4692-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4728-127-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4812-565-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4812-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4816-558-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4816-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4840-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4920-484-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4932-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4948-502-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5004-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5004-572-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5048-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5068-180-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5136-545-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5180-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5224-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5284-566-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5328-573-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5372-580-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5448-587-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5500-594-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads