8e81153cb04ddea56319e8a2c28b07e2cc6199a39af454ec99fe6c9fa0023508

Analysis

max time kernel
111s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 13:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7b17d7f7bf237e85429fed56347e76c0N.exe
Size

109KB
MD5

7b17d7f7bf237e85429fed56347e76c0
SHA1

c1f9d85ec2dff8c893a93b34b719dcb6961cc2a3
SHA256

8e81153cb04ddea56319e8a2c28b07e2cc6199a39af454ec99fe6c9fa0023508
SHA512

b43185ea4af49f61e4f03dc316fa5a027984e9f5d8b2378ec5b2e9f479f1439dfccfa055adc6b3682977e915a0b01604624be5a29b14a18470055a4911d4d115
SSDEEP

3072:fMdiAxBI9nJNFJ9+LCqwzBu1DjHLMVDqqkSpR:kJInVJ9awtu1DjrFqhz

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jidklf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieolehop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpppnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klgqcqkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lekehdgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdgqfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeaikh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jefbfgig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kepelfam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mibpda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7b17d7f7bf237e85429fed56347e76c0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldoaklml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe

Executes dropped EXE 64 IoCs

pid	Process
3616	Ickchq32.exe
2320	Ifjodl32.exe
1080	Imdgqfbd.exe
3900	Icnpmp32.exe
3784	Ieolehop.exe
2476	Imfdff32.exe
4972	Ibcmom32.exe
1212	Jeaikh32.exe
4804	Jmhale32.exe
1436	Jpgmha32.exe
1468	Jedeph32.exe
4932	Jcefno32.exe
2536	Jefbfgig.exe
1156	Jlpkba32.exe
5068	Jbjcolha.exe
1000	Jidklf32.exe
1652	Jlbgha32.exe
2912	Jblpek32.exe
3216	Jmbdbd32.exe
3380	Jpppnp32.exe
4744	Kboljk32.exe
3800	Kiidgeki.exe
536	Klgqcqkl.exe
1452	Kdnidn32.exe
4772	Kepelfam.exe
1016	Kmfmmcbo.exe
4884	Kpeiioac.exe
2420	Kbceejpf.exe
4580	Kmijbcpl.exe
4700	Kpgfooop.exe
868	Kedoge32.exe
1696	Klngdpdd.exe
3668	Kbhoqj32.exe
4560	Kefkme32.exe
220	Kmncnb32.exe
3708	Kplpjn32.exe
1892	Lffhfh32.exe
4416	Liddbc32.exe
4684	Llcpoo32.exe
1536	Lbmhlihl.exe
3568	Lekehdgp.exe
2816	Llemdo32.exe
3488	Ldleel32.exe
3640	Lfkaag32.exe
5088	Liimncmf.exe
3848	Llgjjnlj.exe
1832	Ldoaklml.exe
4856	Lepncd32.exe
3624	Lljfpnjg.exe
4892	Lbdolh32.exe
4340	Lebkhc32.exe
4072	Lmiciaaj.exe
3204	Mdckfk32.exe
4376	Medgncoe.exe
5012	Mmlpoqpg.exe
4768	Mdehlk32.exe
3524	Mgddhf32.exe
1924	Mibpda32.exe
860	Mdhdajea.exe
1772	Mgfqmfde.exe
4964	Meiaib32.exe
4568	Mdjagjco.exe
1564	Melnob32.exe
4600	Mlefklpj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mgfqmfde.exe	Mdhdajea.exe
File opened for modification	C:\Windows\SysWOW64\Melnob32.exe	Mdjagjco.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Kepelfam.exe	Kdnidn32.exe
File created	C:\Windows\SysWOW64\Lffhfh32.exe	Kplpjn32.exe
File created	C:\Windows\SysWOW64\Hlfofiig.dll	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Gpaekf32.dll	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Mkoqfnpl.dll	Jblpek32.exe
File created	C:\Windows\SysWOW64\Nkbjac32.dll	Klngdpdd.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Jbjcolha.exe	Jlpkba32.exe
File created	C:\Windows\SysWOW64\Mgfqmfde.exe	Mdhdajea.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Ieolehop.exe	Icnpmp32.exe
File created	C:\Windows\SysWOW64\Kepelfam.exe	Kdnidn32.exe
File created	C:\Windows\SysWOW64\Dakipgan.dll	Kefkme32.exe
File created	C:\Windows\SysWOW64\Kmmfbg32.dll	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Opakbi32.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Lljfpnjg.exe	Lepncd32.exe
File opened for modification	C:\Windows\SysWOW64\Oponmilc.exe	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Lbmhlihl.exe	Llcpoo32.exe
File opened for modification	C:\Windows\SysWOW64\Mgddhf32.exe	Mdehlk32.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Pdfjifjo.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Imfdff32.exe	Ieolehop.exe
File created	C:\Windows\SysWOW64\Ljodkeij.dll	Ldleel32.exe
File opened for modification	C:\Windows\SysWOW64\Lmiciaaj.exe	Lebkhc32.exe
File opened for modification	C:\Windows\SysWOW64\Mdjagjco.exe	Meiaib32.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Jcefno32.exe	Jedeph32.exe
File created	C:\Windows\SysWOW64\Gqckln32.dll	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Kefkme32.exe	Kbhoqj32.exe
File opened for modification	C:\Windows\SysWOW64\Nlmllkja.exe	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Oadacmff.dll	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Icnpmp32.exe	Imdgqfbd.exe
File created	C:\Windows\SysWOW64\Pjcbbmif.exe	Pgefeajb.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Imdgqfbd.exe	Ifjodl32.exe
File created	C:\Windows\SysWOW64\Kbhoqj32.exe	Klngdpdd.exe
File created	C:\Windows\SysWOW64\Llemdo32.exe	Lekehdgp.exe
File opened for modification	C:\Windows\SysWOW64\Lbmhlihl.exe	Llcpoo32.exe
File created	C:\Windows\SysWOW64\Efhaoapj.dll	Llemdo32.exe
File created	C:\Windows\SysWOW64\Nlmllkja.exe	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Kboljk32.exe	Jpppnp32.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Nfjjppmm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6744	6612	WerFault.exe	262

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieolehop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlbgha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlpkba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbjcolha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfmmcbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liddbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepncd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmncnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplpjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liimncmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljfpnjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmijbcpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llcpoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekehdgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jidklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbmhlihl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imfdff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefkme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdjagjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedeph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhoqj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgfqmfde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imdgqfbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpppnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkfpo32.dll"	Kplpjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imdgqfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdfloja.dll"	Kboljk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlbgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	7b17d7f7bf237e85429fed56347e76c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffhoqj32.dll"	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madnnmem.dll"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljodkeij.dll"	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oendmdab.dll"	Jpppnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpgfooop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifbkgjd.dll"	Jeaikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfaklh32.dll"	Kiidgeki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbbhk32.dll"	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhnmh32.dll"	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hflheb32.dll"	Llgjjnlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbhoqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkenegog.dll"	Ngmgne32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 3616	1100	7b17d7f7bf237e85429fed56347e76c0N.exe	85
PID 1100 wrote to memory of 3616	1100	7b17d7f7bf237e85429fed56347e76c0N.exe	85
PID 1100 wrote to memory of 3616	1100	7b17d7f7bf237e85429fed56347e76c0N.exe	85
PID 3616 wrote to memory of 2320	3616	Ickchq32.exe	86
PID 3616 wrote to memory of 2320	3616	Ickchq32.exe	86
PID 3616 wrote to memory of 2320	3616	Ickchq32.exe	86
PID 2320 wrote to memory of 1080	2320	Ifjodl32.exe	87
PID 2320 wrote to memory of 1080	2320	Ifjodl32.exe	87
PID 2320 wrote to memory of 1080	2320	Ifjodl32.exe	87
PID 1080 wrote to memory of 3900	1080	Imdgqfbd.exe	88
PID 1080 wrote to memory of 3900	1080	Imdgqfbd.exe	88
PID 1080 wrote to memory of 3900	1080	Imdgqfbd.exe	88
PID 3900 wrote to memory of 3784	3900	Icnpmp32.exe	89
PID 3900 wrote to memory of 3784	3900	Icnpmp32.exe	89
PID 3900 wrote to memory of 3784	3900	Icnpmp32.exe	89
PID 3784 wrote to memory of 2476	3784	Ieolehop.exe	90
PID 3784 wrote to memory of 2476	3784	Ieolehop.exe	90
PID 3784 wrote to memory of 2476	3784	Ieolehop.exe	90
PID 2476 wrote to memory of 4972	2476	Imfdff32.exe	91
PID 2476 wrote to memory of 4972	2476	Imfdff32.exe	91
PID 2476 wrote to memory of 4972	2476	Imfdff32.exe	91
PID 4972 wrote to memory of 1212	4972	Ibcmom32.exe	92
PID 4972 wrote to memory of 1212	4972	Ibcmom32.exe	92
PID 4972 wrote to memory of 1212	4972	Ibcmom32.exe	92
PID 1212 wrote to memory of 4804	1212	Jeaikh32.exe	93
PID 1212 wrote to memory of 4804	1212	Jeaikh32.exe	93
PID 1212 wrote to memory of 4804	1212	Jeaikh32.exe	93
PID 4804 wrote to memory of 1436	4804	Jmhale32.exe	94
PID 4804 wrote to memory of 1436	4804	Jmhale32.exe	94
PID 4804 wrote to memory of 1436	4804	Jmhale32.exe	94
PID 1436 wrote to memory of 1468	1436	Jpgmha32.exe	95
PID 1436 wrote to memory of 1468	1436	Jpgmha32.exe	95
PID 1436 wrote to memory of 1468	1436	Jpgmha32.exe	95
PID 1468 wrote to memory of 4932	1468	Jedeph32.exe	97
PID 1468 wrote to memory of 4932	1468	Jedeph32.exe	97
PID 1468 wrote to memory of 4932	1468	Jedeph32.exe	97
PID 4932 wrote to memory of 2536	4932	Jcefno32.exe	98
PID 4932 wrote to memory of 2536	4932	Jcefno32.exe	98
PID 4932 wrote to memory of 2536	4932	Jcefno32.exe	98
PID 2536 wrote to memory of 1156	2536	Jefbfgig.exe	99
PID 2536 wrote to memory of 1156	2536	Jefbfgig.exe	99
PID 2536 wrote to memory of 1156	2536	Jefbfgig.exe	99
PID 1156 wrote to memory of 5068	1156	Jlpkba32.exe	100
PID 1156 wrote to memory of 5068	1156	Jlpkba32.exe	100
PID 1156 wrote to memory of 5068	1156	Jlpkba32.exe	100
PID 5068 wrote to memory of 1000	5068	Jbjcolha.exe	101
PID 5068 wrote to memory of 1000	5068	Jbjcolha.exe	101
PID 5068 wrote to memory of 1000	5068	Jbjcolha.exe	101
PID 1000 wrote to memory of 1652	1000	Jidklf32.exe	102
PID 1000 wrote to memory of 1652	1000	Jidklf32.exe	102
PID 1000 wrote to memory of 1652	1000	Jidklf32.exe	102
PID 1652 wrote to memory of 2912	1652	Jlbgha32.exe	103
PID 1652 wrote to memory of 2912	1652	Jlbgha32.exe	103
PID 1652 wrote to memory of 2912	1652	Jlbgha32.exe	103
PID 2912 wrote to memory of 3216	2912	Jblpek32.exe	104
PID 2912 wrote to memory of 3216	2912	Jblpek32.exe	104
PID 2912 wrote to memory of 3216	2912	Jblpek32.exe	104
PID 3216 wrote to memory of 3380	3216	Jmbdbd32.exe	106
PID 3216 wrote to memory of 3380	3216	Jmbdbd32.exe	106
PID 3216 wrote to memory of 3380	3216	Jmbdbd32.exe	106
PID 3380 wrote to memory of 4744	3380	Jpppnp32.exe	107
PID 3380 wrote to memory of 4744	3380	Jpppnp32.exe	107
PID 3380 wrote to memory of 4744	3380	Jpppnp32.exe	107
PID 4744 wrote to memory of 3800	4744	Kboljk32.exe	108

C:\Users\Admin\AppData\Local\Temp\7b17d7f7bf237e85429fed56347e76c0N.exe
"C:\Users\Admin\AppData\Local\Temp\7b17d7f7bf237e85429fed56347e76c0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\SysWOW64\Ickchq32.exe
  C:\Windows\system32\Ickchq32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3616
- - C:\Windows\SysWOW64\Ifjodl32.exe
    C:\Windows\system32\Ifjodl32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\SysWOW64\Imdgqfbd.exe
      C:\Windows\system32\Imdgqfbd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1080
    - - C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3900
      - C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1452
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:868
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1696
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:220
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        38⤵
        Executes dropped EXE
        
        PID:1892
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2816
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3640
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3624
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        51⤵
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4340
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        53⤵
        Executes dropped EXE
        
        PID:4072
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        54⤵
        Executes dropped EXE
        
        PID:3204
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        55⤵
        Executes dropped EXE
        
        PID:4376
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        56⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3524
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1924
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:860
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        64⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:964
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:636
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4324
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3356
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4220
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1980
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        77⤵
        
        PID:628
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        80⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        81⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        86⤵
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5308
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        89⤵
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:5396
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        91⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        92⤵
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        93⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        94⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:5792
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5880
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        102⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        103⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:6012
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6100
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        107⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        108⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        113⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        114⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5676
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        116⤵
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5872
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        120⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        121⤵
        Drops file in System32 directory
        
        PID:6084
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:6140
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        123⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        124⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        125⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        127⤵
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        129⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:6000
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        132⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5500
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        135⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        136⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        139⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:3552
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:5424
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5860
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        144⤵
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6008
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:6068
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5168
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        148⤵
        Modifies registry class
        
        PID:6176
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6220
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        150⤵
        Drops file in System32 directory
        
        PID:6264
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6312
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6356
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:6400
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        154⤵
        Drops file in System32 directory
        
        PID:6444
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        155⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6488
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        156⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:6576
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6620
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6664
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        160⤵
        Modifies registry class
        
        PID:6708
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        161⤵
        Drops file in System32 directory
        
        PID:6752
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        162⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6840
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6884
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        165⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6928
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6976
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        167⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7020
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7064
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        169⤵
        Drops file in System32 directory
        
        PID:7108
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        170⤵
        Modifies registry class
        
        PID:7152
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:6172
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        172⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6272
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        173⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6340
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        174⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6484
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        176⤵
        Drops file in System32 directory
        
        PID:6544
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:6612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6612 -s 416
        178⤵
        Program crash
        
        PID:6744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6612 -ip 6612
1⤵
PID:6072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
109KB

MD5
c5850663b2443c602e69c7e9a2505782

SHA1
1a3ca2cf0dd4c61f16c6132b0c1e127603c20ab9

SHA256
98e15968f3c9024af6aa52cd96e1b7f924c8ff3f9f8b9c4393e1bba092b97717

SHA512
0bdfd3306fb547c34dbe85f3ae96f12081b81b70b49b0e027604d8dcc7592b7ae7e2edee09c85863e26958a6028a196f13f2a0795232151ec85f2ec01cde20b0

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
109KB

MD5
1037488d40a52f0894536e8ab179a73a

SHA1
6dee23876db3c7efb7fe23d9d4bf720fea9559b9

SHA256
3ba8d2bfc8e5f8e540e48f38bb11db91a78ac10f53feba73930904a59b4ea3c9

SHA512
63131bed7d15bedaa7fe057137a8ddf5ba2f8804fc632014fb53601fd1e9524dfb6bd3f0773cc55ef0899775962caa5bc4598be900138b637ea4070132733571

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
109KB

MD5
04b5493cd6648415637b466e7b78fbe0

SHA1
2fbc7edc8cb3055d433a9adcaa0df9155cbe6747

SHA256
81bae283cec840be26cba3833a1184286bf9633846053c036f99d1c47c38ef74

SHA512
4ca29b070ca9da45d88f240a1101e69ee7ddb21fd7f54fbc3a718f67cc2a0a64bceff95d8ba414584ae2ceb455350ff97c2c879987bce0699b4fa1a78ea0a32d

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
109KB

MD5
a30fbdba3160a0a85edb057d25eaecc7

SHA1
bdd9f13f9c291d2f8c52e697e7037cbe50db0e0f

SHA256
f1cf47fdb0acabe7ad291ede55e640dd700530db2eeb8aa93e500b8ca6d5b7cd

SHA512
b68a60c130a180323a92e4b0dde1cc62ffd54927231c48b67a57b4a362e03cfb74de33df599949afad43d519abda1520d250467971ee18dde82cbcd0da852d7e

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
109KB

MD5
d12ebd1f0aa27188ef5fe557917033cb

SHA1
1ed4bb3c519a929ed1e0b6ad272a57e9f1d00b1d

SHA256
726f21ba348be4a435cb38d31e04d2858946cbeb7015a8f7d4a149ff1b777edb

SHA512
d2324aa8e7cb6a7b98eb751952759b4cf9335f0443767d6d5ee70401edfb96d276236542bf2c916d073cf29f73fe6810bbcbe883d1fbcb57d99f9569f4b0dfc0

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
109KB

MD5
db20a8cfd893a6a02444370e9bb61821

SHA1
47a24c4a279d02e9a96841ec7372f1112e4b3ef6

SHA256
b43900419a1d118e1437b9e1b5c8a01cab1826b26c0f90ab2e7d1aba7f2b6c5c

SHA512
f527799c607c72d5accd7fa548dac130f09bf5380d74a9607bf53d8bb084cbfd8b41f2fcc3747027c1a5f738bae3cf24f5047efc524c6ee564de68e02b477cc3

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
109KB

MD5
9369efa047097ad083230b8c88519e57

SHA1
d8163962b5f40a55936528aa50935462ebdd39dd

SHA256
2945e0fbb2c618738c1bd902c4a25dcb3a821df93e16ae7b7ad5733fdf15caec

SHA512
b36c894b40535035ab49ffd816561fb77745e5147656dfea16d8e80da2da39ff7a260bda6d7fa02adb3eabc78778fca08ebffdd38b8003f69562e556d4c9ad9b

Download Submit
C:\Windows\SysWOW64\Bkblkg32.dll

Filesize
7KB

MD5
392b232e922451bf81fe840f0e826870

SHA1
3559fa7d157fd0f0c018be73ede5e5d95fa00f52

SHA256
e02d8575005503365c54811c558b6bace36b5e6fbe4c1ddad4c2a4490f316557

SHA512
41f2e566176c583428292272007a8f14a6931966b00c322758c0ac8601585a9d25ee815baea2e45db7f6c102ae3e9b3ece6fe3fc8c2a57f21705e366b65c597e

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
109KB

MD5
e06e511cdd248cb17a0d8b770915ae8b

SHA1
94af8d2eb56e6e60e4aabbffb6ce3ce4f8f039c3

SHA256
97cbf4776a4ccbd7cf21057bb3341052fbf1db173bd518787a23a2a4390158b0

SHA512
9b43ba1ec34663e97e1abb256e864273abdfdf4a5f7aa19067c2a0d90ffd9ddab7b044485ad2639c0b0e642f6cb5085471f7e21f006e7678537415dffd190ef6

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
109KB

MD5
26073780cff4af5d5c7e727016c9c734

SHA1
86bdc9f46d70b198a16e36321b4c5fb1bf82ca8e

SHA256
0cdebceac997dfb621c25cbfe41c85a14a6165c1d89fb12ef96dc2f0f054a1a5

SHA512
102993d6d6d08ec7451de78d93e7026aebb19873011f2c39e2b9f7bef74f822e2beda7eca2dc03ae8d05e1ce48da7a408c2a1605b37fbb338f254550a4e2b9e0

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
109KB

MD5
26de98e487a70ca20fe38bb54ee90d97

SHA1
f1c9eec05a4a5015981678d6923f7b1443b99fa2

SHA256
56a758e775e90e05b7513a68661e9bbb9eb85aa83bdbac6a3d559e6e6e2ecafb

SHA512
6325f79d0ea427a19ca7acfd511f8b60211f8862512d37568238938dde7c6957aaa6cce148d97de51991b44543e3700879e15b46a5b64092661791a7cf5ca867

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
109KB

MD5
7d29f8f71b2c480ed6cd21a6475631e0

SHA1
932a70da50e415cadd3a1ba003f29f32da607833

SHA256
2dfd129a663e33175c6a533c4b27d46ee0d1f2762ba0eb939fa2ec4e9b0e3d85

SHA512
bf60a415554931605b228e1bb046cccfe368769e22b55d39edc8086812b19f29d16dd39ef3ecf38550fc9736a0be0e077488592669fc11b8f3d125b1e5e028b7

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
109KB

MD5
137e584cad57e6047d69214323573af9

SHA1
2c7b510312f4ef8b624bc68c3a0cd1607521d657

SHA256
525a132945c9c1502fdcd7b4d9fa58b464251f1de6387e47721062c1116525a1

SHA512
13f7fe1c2127954269fd3da9a79ae2ddbc4c2f0ae71f2c7629835d6ddbacd4ac2bd68e4d09140806d1ea4c5dd6f2d647bb4471fe9536e12d78fa9e3d37272aae

Download Submit
C:\Windows\SysWOW64\Ibcmom32.exe

Filesize
109KB

MD5
6ebce5080a05417e1e1aa26bc4cd01aa

SHA1
cb105bbc8a8a67aa3d0c9ddad9648271f3454bea

SHA256
63d475357477943ee51a78db38274e21b6bb4a67125048a5abea01f3453ff1e0

SHA512
052c725e124c1579d7274282ff710cc5e3f358efb02adba94b5b3fe78767ec807310efe712f40ce3b4b5759be2e358271d6a781094591a3a155e8b12b047645b

Download Submit
C:\Windows\SysWOW64\Ickchq32.exe

Filesize
109KB

MD5
706cd5a7817167061d45ac0310ae700b

SHA1
8e5836b5dca6eb01df46a129d4eae8712130b91b

SHA256
2fd0f2f0e3d42cfbdb2ad9bd9f64b6266e94262f8e733ae6b848fe3427924f36

SHA512
3e2add47d52564bb948fb95bba1abfd29fcf84c8ee76112f2e7a7d60747276813b84ac6c7bd3c71c2def425e96b3b4cb7f7eee35a85ad703be89c1c1f5d27f5d

Download Submit
C:\Windows\SysWOW64\Icnpmp32.exe

Filesize
109KB

MD5
c7517e6587416933d674e9207c7888af

SHA1
b5d1ab587219ea3f7850af23df480ada5f584e53

SHA256
5137fbce95344f66c041f8b81f6b2cf6da3cc6b61aefabf82a71809e4a39368c

SHA512
8745ddb2499cfa0135eb69aca481a897b6f41635c4e73e99901c86753c5eb3176dd383f72fff0cc1e36d4627a509e275af5d3e918c6aba019cfe0de21f28fa4c

Download Submit
C:\Windows\SysWOW64\Ieolehop.exe

Filesize
109KB

MD5
e619449adb20ac96f40d2cfee7258261

SHA1
c8aea1c85a665fdf9de9745bf70073e745caff6f

SHA256
bc02c9819ca19311bfba70f500921eaf10be544cfe79c2657b2e4c381ee19f65

SHA512
1fe5bb988a95a5d320393ef5c7b974f181586a9731c58c37447314be565e23d6d3771f5f9db74017c1d2b0b6da0edc0b464d60b8a8fc366a8e8b591e9c28c255

Download Submit
C:\Windows\SysWOW64\Ifjodl32.exe

Filesize
109KB

MD5
2e96870e3e054e413b433262c4836d97

SHA1
2e483e4ba4b97798b45a40e4e3378b48cd2027bd

SHA256
1261fd5075635221ce67df15d4b40c642d3ceeb2307006c4f9875e781a03a267

SHA512
ef77f49b2f4e623b0b8a9d68388d5cb9ec0a9106460df9fd174c4f2da6ecce3b0d4183714759fa1c67e2bc91a96300d5aac59ffeed987fa3d084306a7a7e97bd

Download Submit
C:\Windows\SysWOW64\Imdgqfbd.exe

Filesize
109KB

MD5
3e1c34fbd519541440cafc419904691b

SHA1
677841776345fed3cff3b77bc78e745a0a3552f1

SHA256
8d9ca232f03961325085af7a9206542a7431bcb541722a76257cb68bb14f277f

SHA512
0af29c007d1fe58119bdf1a6804f71f48f07f5ff175c25b4c9354de2f154743fd9236261fe789da77f092276505c448b0481fc44f407bbae0eec649ba8a1e646

Download Submit
C:\Windows\SysWOW64\Imdgqfbd.exe

Filesize
109KB

MD5
7a8a9e608a51ea6169ce5a321ff84296

SHA1
83af4a751dc3431d7cdd901696df405581eb782e

SHA256
99f2e7dc504126f8b8ed2fc0fddd3333ca7e8954902e0fe84f417d7e443eca51

SHA512
6ac4d55383f2ef0b792dcb98a47b04a0eb6f2bbf1f9a5d03d171a3a6aa5ad76d5390ebb0f8d0a26a3ad3982133ba50264e368e79ff66f81320fd15b36991386b

Download Submit
C:\Windows\SysWOW64\Imfdff32.exe

Filesize
109KB

MD5
08c1c5a0271f242be7bc33855193d5d8

SHA1
0abd3df5461860ea16ef58b165a9b73833662cb1

SHA256
fa41cbf22aa518e1657df1b774f316859a499faab6f3d2955c1e0954695c48c1

SHA512
ad53f0001152040cb0f4d06a364c2ebccd6fa2aeb62256b51570a8764a1ec7902fac76cb0f2115ddc74fc5c8c308f03e08b38da1df8d156a1bb9d2e770b51562

Download Submit
C:\Windows\SysWOW64\Jbjcolha.exe

Filesize
109KB

MD5
f89f95228ce71d4bc75f6d85ff0c7577

SHA1
b34e0227a984347c9a38f954b5dd6651092be7b5

SHA256
2e6ed3b9c801c2ee501bd0c4f00eda388af716738afa3539f16d584889f6cc4a

SHA512
dda7ed9bd7ef7f70e619350a2fb0eac577d98a6542902aa43a16656c3708ee9f261f431a354dab90696e53e7d4307c2b0f7cfc3b12193feabdd8159b419b89c3

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
109KB

MD5
93df8446158f0171c22137f1d533975c

SHA1
62a8f8b870375781133891711fe6ce88f9c2f77c

SHA256
018f3472845ece1b364ae84c3cda9009fd66cc3bd775316cdc310a950777f756

SHA512
bd14f183b3c70b27e291abe6fa4537528ecb18eb51c757b974a620c84edadbdf68cec9c4b7d95b6c0ca9c09097fd4e04f0386b6002bbd61b306a443f711c2ec3

Download Submit
C:\Windows\SysWOW64\Jcefno32.exe

Filesize
109KB

MD5
a05524d9ca6af9c3cffa9a354f6e1723

SHA1
cafcedc1799f0bc45b5c814ab99b4cc022fd90bf

SHA256
7c5b87e0e138b82938c99f57a460fbb35bb114e7010e7f65e32cb059767f24b6

SHA512
eb94f07a5040b84f09662d7ad23ba313874e8d15a6ebda2b07a9ed914c02a132e8ef7871604b7da729419127e62a523107be773c38654cb11210f131c1da1a2f

Download Submit
C:\Windows\SysWOW64\Jeaikh32.exe

Filesize
109KB

MD5
cb31ce18a26cf0d3db42c7d9250802aa

SHA1
167876ca123abd2b296c2991f1c9f8bda7fdd31c

SHA256
0309279eeb63a69926135773cf37493e2692875cbb8b1506d7ad7ebdee34a6cf

SHA512
66b533fea5ef029957b29e26f6e2e4a1e0c8a9ef9b79556132d1be4cc125908d8fccc064b71f2c2707136e5b3c9193208c988cc29887f5bcb077a6c6fbe6ff10

Download Submit
C:\Windows\SysWOW64\Jedeph32.exe

Filesize
109KB

MD5
11880ee6c0ccb6e69ee317ef5a463405

SHA1
0a01328d326c2b0981763ab0f54a9666e81c7745

SHA256
e8bf8985093d7a9dab0acaca6d8f64d5c7913ef16d906751fb38589d64af8676

SHA512
5726cca664163b562a69ed3286b43f6011fd74c307e6c786e82f74d819a99687884a327c552727c826c0074cfa837168a0c2d5b939ebadc2c4fd6dbc61a0a62d

Download Submit
C:\Windows\SysWOW64\Jefbfgig.exe

Filesize
109KB

MD5
ab545dac4155a78e1f0425ef7e24771f

SHA1
469453fff1dae37d2c1ebb020a13ba84f4c53a6b

SHA256
15c41b2ad4f63f65a07272b486b16107b255f3e75289e829e200b9ecbf92b6c4

SHA512
37cfa3684ca17d1d196ff3fac08bef8f39d2e59969ef047e6bad1ac9dfcaa98a1ca32bcb895086c742961d1b488fbaf6d9cdf0f24de7f5a35c1e290e47f04217

Download Submit
C:\Windows\SysWOW64\Jidklf32.exe

Filesize
109KB

MD5
399653a6848c0cd959fb4c6cd6650911

SHA1
b2899350499c633146a882ee97e9456c956de5ec

SHA256
222c349b0bccf2023b72b3e9b17d50c4a396de9f2cf666b690d3ddb1895e27e3

SHA512
e61cce45817844680b53f2ad2b1e7a1d6a84a2d1ed32d8efef31331938e67a8ff9a904a1014638c300adac43d2ad6b615fa514f2d1fb6553eced6b54db509f81

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
109KB

MD5
2493f961ff6f7d93fbaa008300691d5e

SHA1
bc6ef88b21891e92d84d1b9e9f6a0d226f114e76

SHA256
a036a489a1b659f25adbd18c7e0e507f4e68057a0bdbe477121c196f9f1e6042

SHA512
d25fc6d0f57921d27b1245ff53b5313ab7aa40ad25f4a358a804f1dab79fd73b8b75c40237cc8a1ca261fafb24dd173cc719295344ea35541198bac90342c3fb

Download Submit
C:\Windows\SysWOW64\Jlpkba32.exe

Filesize
109KB

MD5
2ea4f3d352fcc82091a265a08cb7e7c1

SHA1
b2abf6c833b1e3f18046cdd307b250fe62055925

SHA256
67b69eaa30eb4e85ff119f0303d898cae3afe926a853eddce0d052aeadbe1099

SHA512
4683996f369768f7af4e86b3f2edcf44faa9314fec4da361e91e4f57664b0e1bfa517de7f00893b5ba67ebce5fe47a8188882e1dc361fac8c1bbee9728a4f1ba

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
109KB

MD5
a43fb40b5a46284b6f745dc00785bbaa

SHA1
32fffcee98f9efbb2de61061e6adad6a5aca55e9

SHA256
5484daaf79f81518b46561998831ce5ffea77ddba0439fa44def11d8dace8917

SHA512
339944c5b394bc82f487a3e789ff4e3be5e63afd222b8e2f01c7800415f28dd4694ab9be0c1af952e79e475553c48491c7d26358177470240c730c2eeb3de455

Download Submit
C:\Windows\SysWOW64\Jmhale32.exe

Filesize
109KB

MD5
4d131386e85c6c62300183c75e6f1d1e

SHA1
ac31cb3394b371f6f22ac303b8a4d651630a8cfd

SHA256
aa8b56fa60c6f942bbba927e9a07b513f835a71d4b13e8a45d93690be60ff025

SHA512
2aa12ca3f4e3c49fdefffbfb70ddfe53d05fc71ec7a5f9e2c47d1a62df64aee9029fddc043c2fabde0dc508dbdac536e0d57d53e0a242d3b555c91c791dae705

Download Submit
C:\Windows\SysWOW64\Jpgmha32.exe

Filesize
109KB

MD5
7c22c1ae1c0dd560d64cf806a92dead0

SHA1
145298e2b7e279a7ee7d760df0d629814f8a92bd

SHA256
8a6722a4cf1a8c19871dbd2a68d23671409115af5f4455e6ebf49bffb0e81596

SHA512
7e37445d7ba521fa776590539fbe68b143b3aa18388288644e322fe639b5c6e392a8e526daf2cf370b762de9c1a8059af73e742e7dcede99fedd9750abecafae

Download Submit
C:\Windows\SysWOW64\Jpppnp32.exe

Filesize
109KB

MD5
07fcfe0e5e394ce65128e471beb9e874

SHA1
e20067cdecf7f9e010bd7b3b71c9e5cf6aec4ca0

SHA256
0d26cd7b1d22adcef81ea7e20ebe8347fa17f7a2c99066f36ea550d9b171b842

SHA512
70d73274d0be73d30e19940927364671f9c9a38e1ede66108f458ab3cc81ddd014720aaef3b624e4ea80cbb46158b0b862a51288b4488797a870c8101eab546b

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
109KB

MD5
07e53f10f7bb9f1546d3c8a295b97344

SHA1
e5e446fe84bcb9e78cd590300a068409f192c386

SHA256
0a3daf37fc8d0375645225b5c8895226006f00a98036a5049731777177bea348

SHA512
dc744792a987c97155f4237c4889ba420745b94fddff024897c9a2f33eda48620dfb45594c0a45f72e764c9b6dffe6091eb4eaf00d946f105cd2b1984b7462cb

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
109KB

MD5
aa91dd7d6307d2731063c22a88028f61

SHA1
6e8a7a328477ccff00cacaa5e821ad7afbfe40c7

SHA256
95e1964f83e83ed5e3142dcb13321602075dab1407fabeabd12db4116701d6cc

SHA512
7baff39757ad3c82f9194cfb2cdc3158e1572f830cd6f067a23bbbad1d7e5d98b6ab6d9325dee7e9bfe1a8eb2e77f1576a3bd27cc549e027325905391779fa3f

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
109KB

MD5
dbdea4732626499bff46f4bee9082821

SHA1
551456e6d9159a1e56d23724e0895570e0e2816e

SHA256
a3b96c81335a9cd6adbb10e5aedad27dd5b35877c31abba0d74f54a2432cee60

SHA512
4587455e4146dae805dcd392ad080900fa7b71c64e67a3459f29dc5bdc19e9e02bdb29f3150ba1b0d62a04f10c56d18a0a7efdb5f0905a19660365273d8c6ac9

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
109KB

MD5
d00144511e4761ce9647239d2ce070d7

SHA1
84e7fcd912c22027b4d317ce069e68c0f9e11af3

SHA256
5a3b0e53db63da449043ff91ecf6d2341b6e90957477a18f7d87a26fdd17088a

SHA512
e0a62e1aebde15cb119846220b4ac0cd22b31dd2e56ea50110d573311ef828abff720d36902b422fd684ba134e5781eefe5437f45190c7dab196ee2abf09ff9e

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
109KB

MD5
a5e66d9b9bfe7bc4a5079595ba5d8535

SHA1
6600aa0ee54e9c1305d75e83c681cb7f060e7bec

SHA256
aa6ffc52cdeca535661bf42dfa0deaa9e4e5ba1b03582806ae000a88bf1e44b0

SHA512
61ec7392331fe836b1b0128227fc0b584f557d34672d5a02951c2156e2ca49c1cca195aef9e35c7f67f38ed9666990f5e73c3d01e53dea1db31a020c53872cc9

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
109KB

MD5
c0710a0c8e1142ab75f3c8f410dca07d

SHA1
3df3224169ba541b5964fb57da56dfb2a2c5a09f

SHA256
e83ddfe880fdedc4892bf07349301ae2cd5128b20bbd7b832ac707b2aafcd149

SHA512
2daa26a8972c0830b04ceacc19a42b3a7d3fcffed4ec92d8031ac1a5dc56dc23fda048057d7223cbd806a66f86f262ad0e032eac11d45bfa7fac82a5b8822c7d

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
109KB

MD5
5c52f75f7b21dd1f2730df7bc9e7b152

SHA1
aa39e166f5250f969a89c476dd99c45bf694ca97

SHA256
8b420bd6ee6d170507a9aed84e5c218419f9dfee5818dedc5c2f78b97f54c62b

SHA512
f35ba0eeb7a77a9b5c27b873acca19610a573957f62ccd18d6790677d1c371b4d8b545bb039c8a6b8dc98f0cba8edec9a4e0487e55e7a9f06953b633a0381213

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
109KB

MD5
554afab56b00363a79be2811c781d261

SHA1
745d726aed9a9db842ce7e80d38f4fafd414ee65

SHA256
36faad06afc3c028c94d83ca5dbe8271a768e08dede53e4db62112024cf93361

SHA512
0809578966a26dd7b0a5659443f695cab79fa66df6519829b78a79d9fab608041975c0952407d6ffe76d7c23c4d4d618a234f47bafe7fb9a2b4cc7e7432345c4

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
109KB

MD5
cbf6089ce254f9f1fca76bf3d8a93600

SHA1
a8e1f9a21220ddd5f52a3272a51d4bcaa157e63e

SHA256
b5fb662d49fc84ad6cbccfb52cd645cd7129f990bd7e519535b4aa10e593d402

SHA512
e62c789fa070c6418e3d3dcc7961762bb4252a636d1740fc27abdde1d9f51a5bda1d869020af2fa03c1bf0a77876acf8fc56fb2692fd88185019f00bd1e166fa

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
109KB

MD5
75c033ed323c9e39b0f124c11af00854

SHA1
d50a83a7b7ae044653849d79c5224f13dc375c00

SHA256
0d3ba89004f456231f880cf602b6dcb7bffbc9a073d1e889fd220c7f6703a679

SHA512
ebcc383784e35ac9b58d5010b8fcd0375a9dfcdfe5c23318ccffcef6c530f3d1ba79d78d22a565cbd019c2ca7d96948b23c1f05835b55fc7868aff4eee87a2a6

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
109KB

MD5
de1f18e484a66316cf105630a8db683f

SHA1
6dae231dc83fc7569c82bb72bc05650844ad4bfc

SHA256
8ca1786032f0ce87da857b26f38b008a0e31d77813ff29d79a9307c88a0a0eef

SHA512
ce5bbd4d1421e2de4c8a3208e8afe2286bcd5353eca59be93edede7643af0f5d268234bf8b205bd39e9a727d3158ba981baf25c1c70008e2a1660e0b4c3531e1

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
109KB

MD5
6bf362461230c4c5ff506046651678ca

SHA1
db28fac8fa1b647e0d8989775a641302651cb1ac

SHA256
90dcc922a761591db5e1b37a831db4ca6bdbc3b2ae3c2420641f17e1342ab64e

SHA512
53b78442e6b4fe2b246496dff61ff5f77799b9487686a4ff17d178919e989c349c3dcd2d42ee51472cb77e46433972f6954b997cf92b425cfef9fd01a83b23ef

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
109KB

MD5
fddba6a6460412d48716b3d77ff1bbad

SHA1
93d29560a1ada6d9dca081bb477baec8527dda8f

SHA256
c13b9885a10bbc2f966a52d3905f199629938891be77176117ea9d12b6f089d6

SHA512
4993ce39ac3fe221f1b48a59087f8cd60f5d3737bdb2a91b105cbbe0706692629eeffdddbed3fdc2d8eb57ffee86ed7361a2b367d9d7a96e034909dfc330b049

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
109KB

MD5
4ceb72f3594f5f2165e78bebabf16763

SHA1
d3fb1a0686682681755706a6606d46314dc3b229

SHA256
b584ee1df340401134fb1398db487427de29f6fd4430fb26edfd205fa5c8ac9e

SHA512
ede9ae19c4205d53dc9669e187fa49ccce969f9d10f8a408f4c85d1d99f0ba93187f1090cc95f4d3a19873e1d7746f49ccaa8ec5181565955ee54f8be75cf2a6

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
109KB

MD5
a818ee7673ec6a31ddf41213af4e094d

SHA1
296188fe0ac88584c209cb65dcef79cc0d63ffc5

SHA256
975ca62f226b905112fd0ac3a2be66d96cf4afb6ce1d9e28398fa9d1a8b00779

SHA512
dd89997f528de75e5ca94f75b9dc894ef69a46f145b461e76470360b982da2107d9afd5ad4a6e81d3d22e02e74116a4ddc5bb3126173426e599e2d8bbd7b5349

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
109KB

MD5
b194b9baf971d2962e8adea9677e4d0c

SHA1
8523fbab9ab93c5856d364f81b5b041ac9b3d9b2

SHA256
072d2001b9288fc2bcd1e2052cf30075e56c388e46d224ea54a7f65794efb498

SHA512
e70e6b9a676c10e1e7b8dae76d0d0ed74114bc6ce5cd1cc9800d53b9145fc4cda743896bff1613976e1c7ee8cc1decadb0975299a23ebb666105029ea432c752

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
109KB

MD5
5eb6b394bd965270d106424cbf9b4bd1

SHA1
15058efbb91806de84f6778aab166b194a29ac0d

SHA256
4c5adc1e72cca2b2c3931f1dbda76007d100ee9164d4cfb22234c08dc709dca7

SHA512
407949f476ea883d94349fd9bb6330b4f722e79b5a6bd13d8ebf057eedac7ed9f0547134a56fe3e29780ac7e04ae1e0f5ddb7ce3f96df7d42323395411ffa6ba

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
109KB

MD5
1e33d75f3b45db0abc3003fa2a082a7c

SHA1
efcb67b814bf24d8f1abb3ba581d4ed2dc05865a

SHA256
f21aef0aa278397768963b63c13f4b53f827c6ebefd6c48eef6f01bae5ddd2e9

SHA512
c0d4ce1742530d28ab32e5a70f680e0c28015c0f887d1c8941eb65dea0083fbbe3b0882981d3ef0487246f701df36ed9afb53aeb28c22b96a253641bebe65a98

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
109KB

MD5
0c401a1a5753b256c9092268ff958126

SHA1
5809e80f53a514b5071eebe552aea7fb1b05e049

SHA256
bfd7e4c0e3f13957fb4e29c1f552d451b3b6e5fbdcef783ca69573f9f4819756

SHA512
a7286b36dff6b6c6d3d41fb263a4e5f6993dcd8abf758d3ef558bf230eb622b0814497c1cf5838eec1fefa546b142ef242d73f7db65fe2c0ae985e5d1c1eea2d

Download Submit
memory/220-274-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/380-526-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/536-188-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/628-520-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/636-460-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/860-418-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/868-247-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/964-454-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1000-127-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1016-208-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1080-565-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1080-23-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1100-544-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1100-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1156-111-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1212-64-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1244-496-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1436-84-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1452-192-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1468-87-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1536-304-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1564-442-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1652-136-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1664-484-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1696-255-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1772-424-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1780-532-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1832-346-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1880-545-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1892-286-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1924-412-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1964-538-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1980-514-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2320-558-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2320-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2356-478-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2420-223-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2476-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2476-586-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2536-103-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2816-316-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2912-143-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2960-559-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3204-382-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3216-151-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3356-490-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3380-160-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3488-322-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3524-406-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3568-310-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3616-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3616-551-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3624-358-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3640-328-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3668-262-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3696-466-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3708-280-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3784-579-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3784-39-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3800-176-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3848-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3900-572-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3900-31-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4072-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4220-502-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4312-508-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4324-472-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4340-370-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4376-388-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4416-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4504-552-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4560-272-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4568-436-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4580-232-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4600-448-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4684-298-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4700-239-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4744-167-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4768-400-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4772-200-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4804-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4856-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4884-220-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4892-364-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4932-95-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4964-430-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4972-593-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4972-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5012-394-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5068-119-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5088-334-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5132-566-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5176-573-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5220-580-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5264-587-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5308-594-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads