192ca93d227187a5fdbd301e019e8eb1051333eb6f24898340374cd6063fda9c

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4d4fe2e7f1009038d90c429b1ed4ce0N.exe
Size

226KB
MD5

e4d4fe2e7f1009038d90c429b1ed4ce0
SHA1

49424dd1616a94a4aec3433fe2930e1ad469385b
SHA256

192ca93d227187a5fdbd301e019e8eb1051333eb6f24898340374cd6063fda9c
SHA512

6705166692d470f0aa1b0fdd12644799c99e623249208c698e1af77369550c60d844c97254da35298a59c98255425cb9772172bb52021d84fe381a1bd3012bec
SSDEEP

6144:tASMrw4RHh9X2NgwWg1XfxqySSKpRmSKeTk7eT5ABrnL8MdYg:tASMsG2NJWs5IKrEAlnLAg

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Allefimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhjlli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nabopjmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbjeinje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pifbjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	e4d4fe2e7f1009038d90c429b1ed4ce0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mfjann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfdddm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpbglhjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anbkipok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e4d4fe2e7f1009038d90c429b1ed4ce0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfmbek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnhgim32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcjhmcok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oemgplgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ppnnai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Allefimb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afffenbp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgngb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pifbjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mklcadfn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pleofj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnomjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgfjhcge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppnnai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aojabdlf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofhjopbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aomnhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgfjhcge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aoojnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkmlmbcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Achjibcl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbagipfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfdddm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Accqnc32.exe

Executes dropped EXE 64 IoCs

pid	Process
2160	Lkgngb32.exe
2216	Lfmbek32.exe
2180	Lnhgim32.exe
2720	Lnjcomcf.exe
2740	Lddlkg32.exe
2776	Mcjhmcok.exe
2668	Mnomjl32.exe
2692	Mfjann32.exe
1272	Mobfgdcl.exe
2576	Mpebmc32.exe
1800	Mklcadfn.exe
1812	Nfdddm32.exe
1608	Nbjeinje.exe
1068	Neknki32.exe
2444	Nabopjmj.exe
1768	Oadkej32.exe
1092	Odedge32.exe
1756	Ofcqcp32.exe
1900	Oibmpl32.exe
840	Opnbbe32.exe
2092	Ofhjopbg.exe
3024	Oemgplgo.exe
884	Piicpk32.exe
3012	Pbagipfi.exe
2532	Pljlbf32.exe
2256	Pkmlmbcd.exe
2696	Pdeqfhjd.exe
2872	Pmmeon32.exe
2732	Pgfjhcge.exe
2980	Pidfdofi.exe
2608	Ppnnai32.exe
2624	Pifbjn32.exe
1680	Pleofj32.exe
1632	Qdlggg32.exe
2700	Qlgkki32.exe
1988	Qpbglhjq.exe
2388	Qcachc32.exe
1220	Accqnc32.exe
2172	Ajmijmnn.exe
2104	Allefimb.exe
2928	Aojabdlf.exe
1764	Aaimopli.exe
1548	Ahbekjcf.exe
2044	Aomnhd32.exe
3032	Achjibcl.exe
2292	Afffenbp.exe
2148	Alqnah32.exe
3020	Aoojnc32.exe
2112	Anbkipok.exe
1968	Aficjnpm.exe
2760	Agjobffl.exe
2888	Aoagccfn.exe
2628	Bhjlli32.exe
2468	Bkhhhd32.exe
2372	Bbbpenco.exe
2032	Bccmmf32.exe
2568	Bkjdndjo.exe
2844	Bniajoic.exe
2448	Bdcifi32.exe
1284	Bgaebe32.exe
1200	Bjpaop32.exe
2792	Bqijljfd.exe
2200	Bchfhfeh.exe
328	Bffbdadk.exe

Loads dropped DLL 64 IoCs

pid	Process
2392	e4d4fe2e7f1009038d90c429b1ed4ce0N.exe
2392	e4d4fe2e7f1009038d90c429b1ed4ce0N.exe
2160	Lkgngb32.exe
2160	Lkgngb32.exe
2216	Lfmbek32.exe
2216	Lfmbek32.exe
2180	Lnhgim32.exe
2180	Lnhgim32.exe
2720	Lnjcomcf.exe
2720	Lnjcomcf.exe
2740	Lddlkg32.exe
2740	Lddlkg32.exe
2776	Mcjhmcok.exe
2776	Mcjhmcok.exe
2668	Mnomjl32.exe
2668	Mnomjl32.exe
2692	Mfjann32.exe
2692	Mfjann32.exe
1272	Mobfgdcl.exe
1272	Mobfgdcl.exe
2576	Mpebmc32.exe
2576	Mpebmc32.exe
1800	Mklcadfn.exe
1800	Mklcadfn.exe
1812	Nfdddm32.exe
1812	Nfdddm32.exe
1608	Nbjeinje.exe
1608	Nbjeinje.exe
1068	Neknki32.exe
1068	Neknki32.exe
2444	Nabopjmj.exe
2444	Nabopjmj.exe
1768	Oadkej32.exe
1768	Oadkej32.exe
1092	Odedge32.exe
1092	Odedge32.exe
1756	Ofcqcp32.exe
1756	Ofcqcp32.exe
1900	Oibmpl32.exe
1900	Oibmpl32.exe
840	Opnbbe32.exe
840	Opnbbe32.exe
2092	Ofhjopbg.exe
2092	Ofhjopbg.exe
3024	Oemgplgo.exe
3024	Oemgplgo.exe
884	Piicpk32.exe
884	Piicpk32.exe
3012	Pbagipfi.exe
3012	Pbagipfi.exe
2532	Pljlbf32.exe
2532	Pljlbf32.exe
2256	Pkmlmbcd.exe
2256	Pkmlmbcd.exe
2696	Pdeqfhjd.exe
2696	Pdeqfhjd.exe
2872	Pmmeon32.exe
2872	Pmmeon32.exe
2732	Pgfjhcge.exe
2732	Pgfjhcge.exe
2980	Pidfdofi.exe
2980	Pidfdofi.exe
2608	Ppnnai32.exe
2608	Ppnnai32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lflhon32.dll	Oadkej32.exe
File created	C:\Windows\SysWOW64\Aojabdlf.exe	Allefimb.exe
File opened for modification	C:\Windows\SysWOW64\Pdeqfhjd.exe	Pkmlmbcd.exe
File created	C:\Windows\SysWOW64\Pleofj32.exe	Pifbjn32.exe
File created	C:\Windows\SysWOW64\Qpbglhjq.exe	Qlgkki32.exe
File created	C:\Windows\SysWOW64\Bqijljfd.exe	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Ciffggmh.dll	Mnomjl32.exe
File created	C:\Windows\SysWOW64\Edeomgho.dll	Mklcadfn.exe
File opened for modification	C:\Windows\SysWOW64\Oadkej32.exe	Nabopjmj.exe
File created	C:\Windows\SysWOW64\Kjfkcopd.dll	Piicpk32.exe
File opened for modification	C:\Windows\SysWOW64\Cebeem32.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Ofhjopbg.exe	Opnbbe32.exe
File created	C:\Windows\SysWOW64\Pgfjhcge.exe	Pmmeon32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Ajhaomoi.dll	Lfmbek32.exe
File created	C:\Windows\SysWOW64\Allefimb.exe	Ajmijmnn.exe
File opened for modification	C:\Windows\SysWOW64\Agjobffl.exe	Aficjnpm.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Bccmmf32.exe	Bbbpenco.exe
File opened for modification	C:\Windows\SysWOW64\Cenljmgq.exe	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Nfdddm32.exe	Mklcadfn.exe
File opened for modification	C:\Windows\SysWOW64\Pkmlmbcd.exe	Pljlbf32.exe
File created	C:\Windows\SysWOW64\Nfdgghho.dll	Pljlbf32.exe
File created	C:\Windows\SysWOW64\Pkdhln32.dll	Achjibcl.exe
File created	C:\Windows\SysWOW64\Ofcqcp32.exe	Odedge32.exe
File created	C:\Windows\SysWOW64\Cmbfdl32.dll	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Jhbcjo32.dll	Pleofj32.exe
File created	C:\Windows\SysWOW64\Lnhgim32.exe	Lfmbek32.exe
File opened for modification	C:\Windows\SysWOW64\Cbppnbhm.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Ojcqog32.dll	Lnhgim32.exe
File opened for modification	C:\Windows\SysWOW64\Bjpaop32.exe	Bgaebe32.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cocphf32.exe
File opened for modification	C:\Windows\SysWOW64\Aojabdlf.exe	Allefimb.exe
File opened for modification	C:\Windows\SysWOW64\Aomnhd32.exe	Ahbekjcf.exe
File created	C:\Windows\SysWOW64\Bqlfaj32.exe	Bieopm32.exe
File opened for modification	C:\Windows\SysWOW64\Bigkel32.exe	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Mcjhmcok.exe	Lddlkg32.exe
File created	C:\Windows\SysWOW64\Dafqii32.dll	Oibmpl32.exe
File created	C:\Windows\SysWOW64\Qgejemnf.dll	Cocphf32.exe
File created	C:\Windows\SysWOW64\Cebeem32.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Qpceaipi.dll	e4d4fe2e7f1009038d90c429b1ed4ce0N.exe
File created	C:\Windows\SysWOW64\Pidfdofi.exe	Pgfjhcge.exe
File created	C:\Windows\SysWOW64\Aomnhd32.exe	Ahbekjcf.exe
File created	C:\Windows\SysWOW64\Jcojqm32.dll	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\Qoblpdnf.dll	Afffenbp.exe
File created	C:\Windows\SysWOW64\Oinhifdq.dll	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Goembl32.dll	Nabopjmj.exe
File opened for modification	C:\Windows\SysWOW64\Qpbglhjq.exe	Qlgkki32.exe
File opened for modification	C:\Windows\SysWOW64\Aaimopli.exe	Aojabdlf.exe
File opened for modification	C:\Windows\SysWOW64\Achjibcl.exe	Aomnhd32.exe
File created	C:\Windows\SysWOW64\Oemgplgo.exe	Ofhjopbg.exe
File created	C:\Windows\SysWOW64\Bchfhfeh.exe	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Aqpmpahd.dll	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Cileqlmg.exe
File opened for modification	C:\Windows\SysWOW64\Oibmpl32.exe	Ofcqcp32.exe
File created	C:\Windows\SysWOW64\Achjibcl.exe	Aomnhd32.exe
File created	C:\Windows\SysWOW64\Bkhhhd32.exe	Bhjlli32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2688	2640	WerFault.exe	117

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neknki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pleofj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aomnhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anbkipok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aficjnpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpebmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opnbbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbglhjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahbekjcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alqnah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnjcomcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mklcadfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgfjhcge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oadkej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odedge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oibmpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piicpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pifbjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhjlli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mobfgdcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmeon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdlggg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaimopli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbbpenco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4d4fe2e7f1009038d90c429b1ed4ce0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lddlkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcjhmcok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfjann32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aojabdlf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnomjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pidfdofi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qlgkki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achjibcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbagipfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppnnai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoojnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcqcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdeqfhjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afffenbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfdddm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbjeinje.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khoqme32.dll"	Allefimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnjcomcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oadkej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pkmlmbcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pljlbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhiejpim.dll"	Pidfdofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqjpab32.dll"	Accqnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Piicpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdeqfhjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pleofj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qlgkki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqaegjop.dll"	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mklcadfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ppnnai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qlgkki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkppib32.dll"	Aojabdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifbbocj.dll"	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncakm32.dll"	Pmmeon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfhmmndi.dll"	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mklcadfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pifbjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qpbglhjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nappechk.dll"	Mfjann32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpebhied.dll"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nabopjmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Alqnah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alecllfh.dll"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oemgplgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnomjl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pljlbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pidfdofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajmijmnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bigkel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mfjann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfdddm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pbagipfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaaded32.dll"	Pgfjhcge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odedge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibbklamb.dll"	Alqnah32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2160	2392	e4d4fe2e7f1009038d90c429b1ed4ce0N.exe	30
PID 2392 wrote to memory of 2160	2392	e4d4fe2e7f1009038d90c429b1ed4ce0N.exe	30
PID 2392 wrote to memory of 2160	2392	e4d4fe2e7f1009038d90c429b1ed4ce0N.exe	30
PID 2392 wrote to memory of 2160	2392	e4d4fe2e7f1009038d90c429b1ed4ce0N.exe	30
PID 2160 wrote to memory of 2216	2160	Lkgngb32.exe	31
PID 2160 wrote to memory of 2216	2160	Lkgngb32.exe	31
PID 2160 wrote to memory of 2216	2160	Lkgngb32.exe	31
PID 2160 wrote to memory of 2216	2160	Lkgngb32.exe	31
PID 2216 wrote to memory of 2180	2216	Lfmbek32.exe	32
PID 2216 wrote to memory of 2180	2216	Lfmbek32.exe	32
PID 2216 wrote to memory of 2180	2216	Lfmbek32.exe	32
PID 2216 wrote to memory of 2180	2216	Lfmbek32.exe	32
PID 2180 wrote to memory of 2720	2180	Lnhgim32.exe	33
PID 2180 wrote to memory of 2720	2180	Lnhgim32.exe	33
PID 2180 wrote to memory of 2720	2180	Lnhgim32.exe	33
PID 2180 wrote to memory of 2720	2180	Lnhgim32.exe	33
PID 2720 wrote to memory of 2740	2720	Lnjcomcf.exe	34
PID 2720 wrote to memory of 2740	2720	Lnjcomcf.exe	34
PID 2720 wrote to memory of 2740	2720	Lnjcomcf.exe	34
PID 2720 wrote to memory of 2740	2720	Lnjcomcf.exe	34
PID 2740 wrote to memory of 2776	2740	Lddlkg32.exe	35
PID 2740 wrote to memory of 2776	2740	Lddlkg32.exe	35
PID 2740 wrote to memory of 2776	2740	Lddlkg32.exe	35
PID 2740 wrote to memory of 2776	2740	Lddlkg32.exe	35
PID 2776 wrote to memory of 2668	2776	Mcjhmcok.exe	36
PID 2776 wrote to memory of 2668	2776	Mcjhmcok.exe	36
PID 2776 wrote to memory of 2668	2776	Mcjhmcok.exe	36
PID 2776 wrote to memory of 2668	2776	Mcjhmcok.exe	36
PID 2668 wrote to memory of 2692	2668	Mnomjl32.exe	37
PID 2668 wrote to memory of 2692	2668	Mnomjl32.exe	37
PID 2668 wrote to memory of 2692	2668	Mnomjl32.exe	37
PID 2668 wrote to memory of 2692	2668	Mnomjl32.exe	37
PID 2692 wrote to memory of 1272	2692	Mfjann32.exe	38
PID 2692 wrote to memory of 1272	2692	Mfjann32.exe	38
PID 2692 wrote to memory of 1272	2692	Mfjann32.exe	38
PID 2692 wrote to memory of 1272	2692	Mfjann32.exe	38
PID 1272 wrote to memory of 2576	1272	Mobfgdcl.exe	39
PID 1272 wrote to memory of 2576	1272	Mobfgdcl.exe	39
PID 1272 wrote to memory of 2576	1272	Mobfgdcl.exe	39
PID 1272 wrote to memory of 2576	1272	Mobfgdcl.exe	39
PID 2576 wrote to memory of 1800	2576	Mpebmc32.exe	40
PID 2576 wrote to memory of 1800	2576	Mpebmc32.exe	40
PID 2576 wrote to memory of 1800	2576	Mpebmc32.exe	40
PID 2576 wrote to memory of 1800	2576	Mpebmc32.exe	40
PID 1800 wrote to memory of 1812	1800	Mklcadfn.exe	41
PID 1800 wrote to memory of 1812	1800	Mklcadfn.exe	41
PID 1800 wrote to memory of 1812	1800	Mklcadfn.exe	41
PID 1800 wrote to memory of 1812	1800	Mklcadfn.exe	41
PID 1812 wrote to memory of 1608	1812	Nfdddm32.exe	42
PID 1812 wrote to memory of 1608	1812	Nfdddm32.exe	42
PID 1812 wrote to memory of 1608	1812	Nfdddm32.exe	42
PID 1812 wrote to memory of 1608	1812	Nfdddm32.exe	42
PID 1608 wrote to memory of 1068	1608	Nbjeinje.exe	43
PID 1608 wrote to memory of 1068	1608	Nbjeinje.exe	43
PID 1608 wrote to memory of 1068	1608	Nbjeinje.exe	43
PID 1608 wrote to memory of 1068	1608	Nbjeinje.exe	43
PID 1068 wrote to memory of 2444	1068	Neknki32.exe	44
PID 1068 wrote to memory of 2444	1068	Neknki32.exe	44
PID 1068 wrote to memory of 2444	1068	Neknki32.exe	44
PID 1068 wrote to memory of 2444	1068	Neknki32.exe	44
PID 2444 wrote to memory of 1768	2444	Nabopjmj.exe	45
PID 2444 wrote to memory of 1768	2444	Nabopjmj.exe	45
PID 2444 wrote to memory of 1768	2444	Nabopjmj.exe	45
PID 2444 wrote to memory of 1768	2444	Nabopjmj.exe	45

C:\Users\Admin\AppData\Local\Temp\e4d4fe2e7f1009038d90c429b1ed4ce0N.exe
"C:\Users\Admin\AppData\Local\Temp\e4d4fe2e7f1009038d90c429b1ed4ce0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\SysWOW64\Lkgngb32.exe
  C:\Windows\system32\Lkgngb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\Lfmbek32.exe
    C:\Windows\system32\Lfmbek32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Windows\SysWOW64\Lnhgim32.exe
      C:\Windows\system32\Lnhgim32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2180
    - - C:\Windows\SysWOW64\Lnjcomcf.exe
        
        C:\Windows\system32\Lnjcomcf.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Windows\SysWOW64\Lddlkg32.exe
        
        C:\Windows\system32\Lddlkg32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Mcjhmcok.exe
        
        C:\Windows\system32\Mcjhmcok.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Mnomjl32.exe
        
        C:\Windows\system32\Mnomjl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Mfjann32.exe
        
        C:\Windows\system32\Mfjann32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Mobfgdcl.exe
        
        C:\Windows\system32\Mobfgdcl.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\SysWOW64\Mpebmc32.exe
        
        C:\Windows\system32\Mpebmc32.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Mklcadfn.exe
        
        C:\Windows\system32\Mklcadfn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Nfdddm32.exe
        
        C:\Windows\system32\Nfdddm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\Nbjeinje.exe
        
        C:\Windows\system32\Nbjeinje.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Neknki32.exe
        
        C:\Windows\system32\Neknki32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\Nabopjmj.exe
        
        C:\Windows\system32\Nabopjmj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Oadkej32.exe
        
        C:\Windows\system32\Oadkej32.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Odedge32.exe
        
        C:\Windows\system32\Odedge32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\Ofcqcp32.exe
        
        C:\Windows\system32\Ofcqcp32.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Windows\SysWOW64\Oibmpl32.exe
        
        C:\Windows\system32\Oibmpl32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\Opnbbe32.exe
        
        C:\Windows\system32\Opnbbe32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\Ofhjopbg.exe
        
        C:\Windows\system32\Ofhjopbg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2092
        
        C:\Windows\SysWOW64\Oemgplgo.exe
        
        C:\Windows\system32\Oemgplgo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Piicpk32.exe
        
        C:\Windows\system32\Piicpk32.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Pbagipfi.exe
        
        C:\Windows\system32\Pbagipfi.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Pljlbf32.exe
        
        C:\Windows\system32\Pljlbf32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Pkmlmbcd.exe
        
        C:\Windows\system32\Pkmlmbcd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Pdeqfhjd.exe
        
        C:\Windows\system32\Pdeqfhjd.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Pmmeon32.exe
        
        C:\Windows\system32\Pmmeon32.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Pgfjhcge.exe
        
        C:\Windows\system32\Pgfjhcge.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Pidfdofi.exe
        
        C:\Windows\system32\Pidfdofi.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Ppnnai32.exe
        
        C:\Windows\system32\Ppnnai32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Pifbjn32.exe
        
        C:\Windows\system32\Pifbjn32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Pleofj32.exe
        
        C:\Windows\system32\Pleofj32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Qdlggg32.exe
        
        C:\Windows\system32\Qdlggg32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Windows\SysWOW64\Qlgkki32.exe
        
        C:\Windows\system32\Qlgkki32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Qpbglhjq.exe
        
        C:\Windows\system32\Qpbglhjq.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Qcachc32.exe
        
        C:\Windows\system32\Qcachc32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Accqnc32.exe
        
        C:\Windows\system32\Accqnc32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Ajmijmnn.exe
        
        C:\Windows\system32\Ajmijmnn.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Allefimb.exe
        
        C:\Windows\system32\Allefimb.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Aojabdlf.exe
        
        C:\Windows\system32\Aojabdlf.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Aaimopli.exe
        
        C:\Windows\system32\Aaimopli.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\Ahbekjcf.exe
        
        C:\Windows\system32\Ahbekjcf.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Windows\SysWOW64\Aomnhd32.exe
        
        C:\Windows\system32\Aomnhd32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Achjibcl.exe
        
        C:\Windows\system32\Achjibcl.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\Afffenbp.exe
        
        C:\Windows\system32\Afffenbp.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\Alqnah32.exe
        
        C:\Windows\system32\Alqnah32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Aoojnc32.exe
        
        C:\Windows\system32\Aoojnc32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\Anbkipok.exe
        
        C:\Windows\system32\Anbkipok.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\Aficjnpm.exe
        
        C:\Windows\system32\Aficjnpm.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\Agjobffl.exe
        
        C:\Windows\system32\Agjobffl.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Aoagccfn.exe
        
        C:\Windows\system32\Aoagccfn.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Bhjlli32.exe
        
        C:\Windows\system32\Bhjlli32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Bkhhhd32.exe
        
        C:\Windows\system32\Bkhhhd32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\Bbbpenco.exe
        
        C:\Windows\system32\Bbbpenco.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Windows\SysWOW64\Bniajoic.exe
        
        C:\Windows\system32\Bniajoic.exe
        59⤵
        Executes dropped EXE
        
        PID:2844
        
        C:\Windows\SysWOW64\Bdcifi32.exe
        
        C:\Windows\system32\Bdcifi32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2448
        
        C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1284
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:328
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1592
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\Bigkel32.exe
        
        C:\Windows\system32\Bigkel32.exe
        69⤵
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        74⤵
        Drops file in System32 directory
        
        PID:1732
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1312
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 144
        89⤵
        Program crash
        
        PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaimopli.exe

Filesize
226KB

MD5
4f6523f2b3c701d2d6f6cfb930136d5b

SHA1
4151d0d2461244175e6362711ac5d9c13f812942

SHA256
0770293fb6da459ffc3e0a0189bf0965c209fff8330a6bbc57d17eb734e18449

SHA512
830c9c98ea920ef7cd7c18e853f777e7051bc6354543621a9623995d4456c1203538787e81d87ed251494e36afb4b0f0c0b47dedad1bb3388dd12bef6733b407

Download Submit
C:\Windows\SysWOW64\Accqnc32.exe

Filesize
226KB

MD5
edc02bb711fa76056056c2ce96e074ec

SHA1
221bbd12cbefb0d2298fd2a39fd8bec57dda6168

SHA256
d19bce8569d082e1e92107f17b9b007313e929814d50da33e340ba331bbe3e6a

SHA512
162ba928fa7377a7aff9758b492a3140effbe8e6e602c55c73a311cf9d80c1970bb640ebc314784953b8f1e618fbbf748d5f54f1dc62b39fe7adbb5d5cd8d345

Download Submit
C:\Windows\SysWOW64\Achjibcl.exe

Filesize
226KB

MD5
c3c2c1525733dbdfad0951b708a3953e

SHA1
8ca7b1b235907831eec72d8ecf28552c6005e92f

SHA256
6d5224fc809341b590280bef27c2bbb89760bc4f5c452e4d4e92e9e4a23e09fb

SHA512
c9bb064c6dfbf544d35c61cf40bfdd61574dee014d501f0f9b84d231da602a2b5e80b87a4320022599e3697e6ec7f017e40e2a0383e5edfde5eb9e92b47814eb

Download Submit
C:\Windows\SysWOW64\Afffenbp.exe

Filesize
226KB

MD5
b27ffe0269272a0e325699b5342e6dbe

SHA1
623fa104a56d655f4958fafaa7bd35774065fdca

SHA256
fb3d962a9ceadf2e1289f5a65b9d885cdae968f70caee62243ceb39f8b3abdd7

SHA512
30c470b91d6757c4e3e7d4040aa814b6445eb8d8effb7b61c59f292bb3bfe4566315d7d2dac42556c26e47f0d45e56d76fa54fa879398c099cecd05ffef67d71

Download Submit
C:\Windows\SysWOW64\Aficjnpm.exe

Filesize
226KB

MD5
44ea81b2d4625aeec2a92d6c36fb0fd7

SHA1
1f962e4c843dab062771615bf1e8e96c01c5a2e7

SHA256
eab668e1933e5ed08a7452b2397546c90bdfe11b25fbfaf9c1e2fa3906057c9a

SHA512
f62d4723099ac022832ada1864c009178d54dad3a4ba09ddeb92b82f357d601f9957c1f1230b0c5854826beb37e62b828e8a775deaf98e64d088c4dcede2c56e

Download Submit
C:\Windows\SysWOW64\Agjobffl.exe

Filesize
226KB

MD5
c2eca6dfa3711721c41b9f3f7e7d877b

SHA1
0e73cbefc3aaa8c657d13f8ae98b3208094bc084

SHA256
d807dd292093f07bc601a434369309fa5f43493cb06f676e5991adf691191bf8

SHA512
5415f575f1b36615722a57ed87a96161cf656c4ce2a99ac71e7732574627d739884d27d8591a9b0b4893744546a1f32d468e75eda9b048d15f37d5b06a5da793

Download Submit
C:\Windows\SysWOW64\Ahbekjcf.exe

Filesize
226KB

MD5
cc3c61a9eddfd4b21b86d6ee670ce783

SHA1
6bf2a251deaff49125f2e7b717b181530c7fb4c3

SHA256
81a816061ce5a269a3fe5bfd3b0ca7632ca89014c4417a1d627bc3f133d48215

SHA512
b372e8519f602787954afea8b71eadb1bf20d0537fe5c7e8fdac3afe80f8f294ef76c8da7450702d893f7654b2296bbd72b5d3b4e3fcb045d3be8785399f3b90

Download Submit
C:\Windows\SysWOW64\Ajmijmnn.exe

Filesize
226KB

MD5
40e942ca1f54ed288bfb93c7302d9f23

SHA1
367b85f2e3d773b4fed926415eafe31f311dbcd1

SHA256
e60e1dd332f017762a737ec4785405d2c9d61e0d99f013aa9053cf214293429a

SHA512
ecc5cb96c26f7b2c5b71b19370203e9b55f39ed7537a58561e6f5a24f22b318c87abd3c96c5b19afd62a868894dbfdd527ee19b2bd7972097fe6e45855885380

Download Submit
C:\Windows\SysWOW64\Allefimb.exe

Filesize
226KB

MD5
dfd38b4f8dbd42b9fc8000b72c4579db

SHA1
38a40a226597c7f09219c4a61d74ec8479de198d

SHA256
0f0b56a4b65ac73f57832eda9d4cc869a33efdd26fa8d33cdde0b4c664526bba

SHA512
3cd4b3dfc839f8284ba90eaba620a7792e5e8e410c4ee19c540b71f3ca130fd2ab130a1cb7b20b598328d6a1c027e66e5e03dce8c2f884b14e793d4eebd32eb3

Download Submit
C:\Windows\SysWOW64\Alqnah32.exe

Filesize
226KB

MD5
3dd4fb288b23af1ee010000d262b616b

SHA1
310694964341b53a8abee000cf833c20caad4e59

SHA256
68747f58ad2f5e98c8326954459a1dcbee06ada276b79df57f4addb8ec64020f

SHA512
922f48a85efde7dbc9aa7bd8b7e829f69850fefe207aa0b946b1aa9b4c724a5077fe6b9fb92783fa6d59bc63c1c3951c688b8b37211258ca9db589eb76bf0e78

Download Submit
C:\Windows\SysWOW64\Anbkipok.exe

Filesize
226KB

MD5
0f033a995a2935906200becfbc76d1a3

SHA1
914b5f189d9e00b8eabfc0e34ee6db283daf82c6

SHA256
36740c4608c6a21274b950a1d2f7eaf263acdeefa9ad9ae149620f7ee8fbf240

SHA512
3d815d8a745b5bbd02406e98d0abba8eb40f859111926aaea1d0d85af84098a144edd22193df6e6c438f2f5a909ea29965ed4d4f3cbf4a3065f1b1e0a69740d0

Download Submit
C:\Windows\SysWOW64\Aoagccfn.exe

Filesize
226KB

MD5
cdad8012f93cad87bd7843ce1a455025

SHA1
daac3c81a2a73f5cc81ec1e2ce8d0f4ef946fdbe

SHA256
04fcc4c5c88befb7fe38257b689d1414ee01042c0ad11f27fcceef800289e367

SHA512
a333dd51ed70cb20a028a09fc190e75bf00d8431168ac35c23e093a33065eb00670eec6a8214b4a1bb7a2f132918144ea101bce9eda94811a4cc5b2962674ed8

Download Submit
C:\Windows\SysWOW64\Aojabdlf.exe

Filesize
226KB

MD5
20f48c48e059201a51725e57c316557a

SHA1
8a607587ee5086abd89a4f7851a0d49282ceabd5

SHA256
e1a1f672ba4ed874adfc34aadabc27612afb45a140e6d3205777e67bafc6f10f

SHA512
25fc77760cb9465564f465716e6546bc35d732a30b52c84adf2b27faba04f442589eb9cbf6a31f072883d9a13f6a1fe90ce2aadead9818f4fb6d5f590e94715a

Download Submit
C:\Windows\SysWOW64\Aomnhd32.exe

Filesize
226KB

MD5
0a1e969de5273be9647b6812219864ce

SHA1
b926632c3127b97decb736834e76d4e0965bd584

SHA256
5285f64d5d889cba9667fc0b6a9a9f7eb936d277327232b4f55e4264d07950f6

SHA512
6ed3f555b08a8dacadbd0afd9fa93246a38d3ab1c9067df1bf78967f912531aba99ec69f4db070e2f404d5b10df39c3195fe392af1cacd3d2a027ae69595cdc7

Download Submit
C:\Windows\SysWOW64\Aoojnc32.exe

Filesize
226KB

MD5
0865ab8572f30dabde06042f518908b3

SHA1
55b092d0afaae10b3c74dca7dd75ea15508bda1f

SHA256
b9bd6dd9f0b1e309d2da13a9a21fb6dbd7304e1c20ee58328f373f2d308ff73e

SHA512
b6343df6bd7c017545a1c3191e516e08f164c240defe6719f934f88c5de69b3737b3c7f81803af4d920d50a4b3cbe8b26e3bc32ef55af6e638aad173dff6b3b2

Download Submit
C:\Windows\SysWOW64\Bbbpenco.exe

Filesize
226KB

MD5
ffc8e2294e4ae7cef17fe7b84f7426f9

SHA1
0d6b79d72150f775ea6f1e49546493e630200c84

SHA256
6e48b0c192a29f2383966bcd1d15798f50adad4d10982c8b093cc699a0754b8a

SHA512
55b166ed3e83beb1ec77f0d37f1b39fe8859276276de8e1b0ce2d2488c24a5509447a2f1b32a3cad13e2a2470251427eb1a8b694d60160353f46c1bd647477fd

Download Submit
C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
226KB

MD5
baaeb26b8bbcabb18ddebd01533fb022

SHA1
7c5d33bc364db9a0640b398999afc9a621671bfc

SHA256
0854eccdba07cf814095c09a994cff03afeb8a2d06d7e6a4e2e50efe62999dd9

SHA512
198230019536692728c469bbea49c92d6abe5a18a8848255dc4ba32bdd1b42133b6e053258de6a8a01f9d573bcaad8b4d0b75a62a39f73ed52db6f4c008b6afe

Download Submit
C:\Windows\SysWOW64\Bchfhfeh.exe

Filesize
226KB

MD5
97ef604d3fa223511075b61dbee063b8

SHA1
146f7113d743f3799c86b9ace56e03c3438d836e

SHA256
6b0dcc8bb8ce419cb392ca50dc52df27033fe055d9cdda9d7515a742ea3019ea

SHA512
a8b5ee8c34d734e2957372a2cb940cc495247dfaafc2734a4bba174fa9bafd8c9a7fd3b1e9aa4fc18b46026823edd7942c898daabc0a0e3e35b803c60bb435a4

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
226KB

MD5
8421e99fd948b68dc3c2ac4a6875b34b

SHA1
f39bac346c8f23b87b4a3b0c6bcbb093c949cbe7

SHA256
d7d9520e56261c847f1a2389a55939904f251921ceffb16652f47e7df80ab07d

SHA512
5efad842df0906c42ee87a787e37387668e2ecc3436292fc523989fd46ab139b0ac22b825edbca956294ed04f615b27fe9a9d3a3aa8d2eafa6f717822ff5f92a

Download Submit
C:\Windows\SysWOW64\Bdcifi32.exe

Filesize
226KB

MD5
777a24888a5ceef2eb60dd9340a89c6c

SHA1
ff6ef77c79ff07d7a300707d6170311b87ec7095

SHA256
e0ac474058e2f686b3cf200f87b910113d6d3cd032fc77c99b8e22ed67f51437

SHA512
ad4748dc54e1f7b09ef99e3a51c1d2448f3b756d9e1343804194756d962fb628a6e41fc86198fc5942971c68b87885250d5aefe9b6eddb79590c6d0e24cf5450

Download Submit
C:\Windows\SysWOW64\Bffbdadk.exe

Filesize
226KB

MD5
156b8f05502f6e2a3d8662152867519e

SHA1
89d2b5b8cb7fdb2a30929e83f647c3dd158dae7f

SHA256
93860d99918fd1aa4bf303def2814c7a796b189478ae192b53e7892c12e51f16

SHA512
9cd719ecaf6c387b2892eac2b11d062d883bd694d5f58bf2e08a36685e7883abdc58f5f52e9f591f80a08481107c2c5015dd41e9aae4709398f9082956647c37

Download Submit
C:\Windows\SysWOW64\Bgaebe32.exe

Filesize
226KB

MD5
c33fa53578302c9315cc048566ce376c

SHA1
8db86e992408f09265a7df0c7a4920eff7729f33

SHA256
4c576873973369e4dff3692b38e6b0a791f74ba104e1db5c420e4252ded1bc06

SHA512
34e71af6ce7a6e64067774c838e968e645fbfc44682ba4b74565896ec4ebfd312e957f20822d1880cf6c5e582f1101fb47cfc32327b221651138e69213f1853a

Download Submit
C:\Windows\SysWOW64\Bhjlli32.exe

Filesize
226KB

MD5
5dd6e2360fe1e551727ba141e38c26b3

SHA1
ddb702951daba914a58705e0cbca7c14427a46cc

SHA256
8140f18e6f18f48bd76bfe66cda69d3b4c8bfc3970a7d47466efe817dcfb77c4

SHA512
b6969e2e881014d92544c68de4bbe0ac38ef8a8fcc9754009b27a07f4ef0c844b42e1d7dfe748dac1b7ddf2c351438e81d65962156b9d944210c66e526b515c4

Download Submit
C:\Windows\SysWOW64\Bieopm32.exe

Filesize
226KB

MD5
41ab64d021ec13ddf8be81ae0d2d9afe

SHA1
2790efdd3727501a375c1b3a83bfbad44f2a8aa5

SHA256
783dd41fd6bcefab0b18b19601c697031d3a674d5a659f745bee1c8851bfdb28

SHA512
e5a46d70e115fbdc6504a890784379ce81ead9c99ea0fef77c3ab0b32c8c104fe261f9768976b0838423f9bd38024d29fa9add820e2e47142b63cb523fbd2374

Download Submit
C:\Windows\SysWOW64\Bigkel32.exe

Filesize
226KB

MD5
bf4bb930eb5eece4cc1d8d9a45489c97

SHA1
2bd586ac9822da70de1414ed3e09f35dd966ba51

SHA256
810ee094fa491259b4ad74fabfbc99d8d637010c29b4cb527f4676d872b8db8f

SHA512
6cd08d2eca1762d615bc1c15b7505126c2d5f3bf3b5bdffb1d56fb28b52ac5b9d08b7fe8e5331e520d761e3e7043c52289bdb88a78355580eca2d9fd2298ce22

Download Submit
C:\Windows\SysWOW64\Bjpaop32.exe

Filesize
226KB

MD5
b25b88bf86184b97195a55878af25e1e

SHA1
1c05f3b0508b33415141aa666e0139cbef8bfde3

SHA256
d32fe5e0c7eaaec0071ec52cb1a8566122d71a7579c5616ada82608dc7fc939a

SHA512
7c1f1f0be2846ce1fd11c5aa1352bb2a9ba1bd3188013da7573976288b2613dac8d9fa3f1b1a916de0a99c51b506784ff88af92dabb65870484ea99d4a4bf091

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
226KB

MD5
89cacf4f1fa4b370f3363197c0d413ed

SHA1
258f16e82e0acea218ff56eac8f0f43fd020a67d

SHA256
c7be3654b672a962a86c6b1389e0937a4e436b624154405aaa8424b31d1989c4

SHA512
e0674d495cc904ad05912517f474963c088a374821b1a335baa66cf0f5d5847517c22f7b19903ca3481c0c6b4da134e891760bbbb74ce744b4b83eb55a954e7c

Download Submit
C:\Windows\SysWOW64\Bkhhhd32.exe

Filesize
226KB

MD5
2e7e7e7ff6ddbb87a7b09270ba7c1b62

SHA1
e6885272a536c97078651f5d984d546db45ca790

SHA256
8d4df9508b19d5aeea0e7d4be8708ec375e21fcb06f0aedbbefefda2b5ea60b6

SHA512
3d45770d5dfa12bed9fdf2a6e3b958783c3962db6f8835b0e32ac0e52cca1118c0d51df392a47359c17b23e90e5a2180d240700fc883bcb1b295a369262553da

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
226KB

MD5
18d17597445262513e136f10107d5157

SHA1
3f7e772f70fb6eb685d50882a41da60c656db6e2

SHA256
0a9fb8d4967e7b7c522fb9d3e087b11cd9de4a58191a255c3ea1eeb74d8ab91c

SHA512
a660dbdd95c7ee7a4c4347ccdd007f829d9d414e67161413c537c179ec2359e31f52e405024094b9458ae644e84479b6b699cd74d70bfea6ddb52c42f86f5843

Download Submit
C:\Windows\SysWOW64\Bniajoic.exe

Filesize
226KB

MD5
64ea6451fee17e3130e2446121f49dde

SHA1
fbf4d3693588ffead7a0ce81ddaee634d6e88e8c

SHA256
4ae3edeb59446464b3aba930b8cb3461048ecf139aac63ea3ae7578f42a29904

SHA512
a872fd891e866ca4f8bb97648ea772d7aed95a24c6112a27aa5d7250992f9acc68b9a40bfccb090478c55e8b532027e0b144dcad4a3bfd5f9ccab9bfd2dddc8d

Download Submit
C:\Windows\SysWOW64\Bqijljfd.exe

Filesize
226KB

MD5
f7e3793ab054cd31f49676b9cf3e4cc5

SHA1
c93219311f70058e7422a4f106a90d106459e1c6

SHA256
77ebc0fcb6526276299f6372a61991101742b0622fc3130f0a30f7254353eeae

SHA512
9876598ba53f648dbb4b342f6c6d8a6ae8498c55d60d8de1bb7a77c5a5facd2b5036f2b613ac1eac043f391ba390fc2eb0f3fa81f04c2985492c0ec7fb509763

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
226KB

MD5
6a3692dd4b0ddef6a0d7d6ebb0869647

SHA1
fb0842b20795350c46adbff37eb30efc8387bf2a

SHA256
37313584ff4b73d40c7aaf57b06b6097d70b15897d015194fef5abd5abd9613c

SHA512
e5de7fe4f895d20bf64faf30b9936d3176e946b105de43e840d558767734f9d394c95e86ef6c2155dfdb7605ec0817567aca6ccf2ec61b86a14533eab1c88f57

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
226KB

MD5
438a7af5eff5035d39d6ffd1a2486564

SHA1
6afdda71ffdb29326d617f95ad26819f3a6e10e9

SHA256
d56e34745150fd67389d0c9b3048e441405fcf415f8385e21ea843e50491b47b

SHA512
38be813361d3906468d5fa3fd7fee380019c8b44bf3fa0652c2c0442cc01dda2af5dde59d22bfcb7312a9cde8fee628b49bf4b558007b213a02ec7421351ed42

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
226KB

MD5
24465f55ffd00ea993f2a0e8f256f452

SHA1
c2e76357f84e284b8a3839498f2d0ada8232d2aa

SHA256
bfd92a0652abe0535ab47fd7532cdda3ba3134b7d223b04650310f09ac3015f0

SHA512
602144d64c7f51ebad8df06b38d05fbe9be5031c6e0b5da2c2054182c91a8dee7bcd5c368dc050ab5498bb2ed1777375142aed72f710e5d10db0ac64864f7f09

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
226KB

MD5
0fa17b113784492ac7947441507700a0

SHA1
b86aa8555c9ef3b718f011fc6bd515acf9fccc70

SHA256
e78eee0c218c763f8b7508790abad9258d5c2fc167537dff304931fc151676a3

SHA512
701cf8440f491d9021d0f915c24347af51f013a0cc8b4e5f4ef6ce0d211f3ed1e95042fbba68fb0ee53ce09750175dbf076c1501b3e67483829b92edae1c6554

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
226KB

MD5
530d79ed23a66b142a5a847619f6ce9f

SHA1
953320130354af6c0a4a147388412902770f52ba

SHA256
bfa0b1a714f5f92ebadca7c84c727f4696ca0ed5f84657ce4a510df426fc57d2

SHA512
bf4e8e153eade89f42c46353b815ea2ff618c4adf82180ed9a33765391e61c7ff5decbcd9819a4c030fbe028eb9e2efe1d22006f3d1ce76a752c7e026ee38c5e

Download Submit
C:\Windows\SysWOW64\Cenljmgq.exe

Filesize
226KB

MD5
5f538dc5ccd16511db221af19a279e34

SHA1
40ae7e40928a9225f10a08f635c29b68e1f6eb71

SHA256
976a484d4a58bc63af5916611fd5914030d904b9d47ced8234d911abef87dac3

SHA512
d47baf3cf39fb8e699c8b737bedfb10f8afdae50513b303b709f6baf8e3d69c731687220c8c3fe677debbcb5b1a81c35a8a9ae059731e98481d6262d1efc7279

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
226KB

MD5
19b1e78c8f178dfc531e0a8c960964b5

SHA1
3396e50e4c55d28e527efecdc90cf4c245a17ce9

SHA256
0a58d186323270dbf215c3d3677f59488a6e8b8daef16365eea85765fa506259

SHA512
c1cc11c662b1eb13f8f2fb01703478262cde5b64a9409ddbec5cde77b9f78a06640e9f7a2007996d0b9b9e6920414c4c661ba2c8e1f780d485a79b795eaa92e6

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
226KB

MD5
d151dcdba12281a69533fd7170b4dd4f

SHA1
1cc31a170ac6f53d8f5e4d8c87f7a5accd5b6b2c

SHA256
a5d7356cbd0d740aa1cec7fe445cca4a552835d7a9ac016d59403a6f619133a5

SHA512
9b9326d19cb383b2c6e625ef84883d2a19766fd13ab166bd8be753d3a9ce6b3b11c3e48e76602fd55f7fa10d2c9f003bf90516846ad021816c268c5c83593ed1

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
226KB

MD5
cf550bfe84ce921b92f7aec1387ecb3e

SHA1
1c5b0cfc47873296426af0f96ab0da6b0185205e

SHA256
c4a2c30c899fb11e26e06482538a760295b5955310b3e626ce73d0a1cfddd342

SHA512
f36c0de55df519eea75ec081a9ecf040c7926f557a0ce05b237b2af60d752c85bc83abbf9c6ebe479116fb1e6fdab909a290263d07ed56b65c0d9ee7f76b8e9e

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
226KB

MD5
a913244ef8019367a62011e670c65385

SHA1
98e39c4d9e559da48efe80cea24ed18fb7647e66

SHA256
b039e2cb59b0c07efce1f861fb491887f39bdf5150781eb8df124b0516b5a007

SHA512
a719296abb9fadcc4993149d2c521c6ce91bd2f060ec18f0dfb85663fbf5261aa001b6beea082d02ca2b1a5d0ea04a8b098a4fed01c4530661f042c0e7d7e617

Download Submit
C:\Windows\SysWOW64\Ckhdggom.exe

Filesize
226KB

MD5
b24f3d0a0d9edf4cc7b60cd2489c8af1

SHA1
16fabcbdaad141fab88e9fcc9373c107ea794ab8

SHA256
0b8e4883d892a34fb22f6dc2e80f1e5e92bcca301974068a6be672edbf609934

SHA512
015e2234b65fb291778f9683352161f6d18b13cdc819d2ab27571e5b36d13984b864624d9788d28e09fdd0178943f55239b7287a025b917887fa9167f6f8da63

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
226KB

MD5
a08dbff86bace91eda3e206fa9a2d741

SHA1
f685a903bcb09e8c92a82678aa8b7e902a0409c1

SHA256
2d143dc756e2d9c147673e14c745f82e82aa642c7583d9c7db95097b027c250f

SHA512
8742be4669ebd8f434842f2d25755a2cd1cefe03d5a9b9f2482fbe8d45542a4bbe66f4106bd3689b9911b3c24d3d9b1cca65052a628c0634370c7b5160d0b8dd

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
226KB

MD5
b4db43897ba717f6487631b9ef2d3b98

SHA1
8be8819384214dc2c1e74d42f36ac00e96b70c76

SHA256
18492a64819436ac584817cc03ccf06a2dd9e5fd05ab3e5da9dbe158ec3a5bc5

SHA512
29bbce248444b4a348e871007d49b5106f1d12b92757ef4e5a2d23021965415fefbddeb060daf3ac3f35b194058bc3c0de4e705e3ef770f11fb0fa6dd035b9ad

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
226KB

MD5
ce3ceff6fd2d09e89951176d88d6974c

SHA1
78c19a80f595b49b112bab44d4ba8067b6f08c06

SHA256
71b36ce3e613e9406e11007a064d9f90848d04ebdf19cb917cdf71b2b26dd9ce

SHA512
05a3db9b3a83ee21dfbd8198d337d1e788d33dd0ec710f846f47a6288511938c5457672eef3a44641a09cfa6e1c9b5cc0e2d5c32c03b45a3648110e2271c50a2

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
226KB

MD5
cea81dca2a88312ee2377077f0db4460

SHA1
e94c90f1327a52854519ba5688c89cf5bdf41eb0

SHA256
3dc6a2143bf7b186a6747ced4f014c4f605724a47e97e7786e0ae488a5a694d4

SHA512
f39edfdae044209da8d8c33ef1b591be85b06ed91bebe42fdb2416a13f513433dbc023d53e5db0967b6508f38c1d2cda56f15ea2b9c45aab9d017cd46ab4c4e1

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
226KB

MD5
7e5ec14bcf8c98566b5642e72bb56884

SHA1
7c1830849873acb5074c694d96a4e4ed8ab82efe

SHA256
2cb1c4a45a090543a7f6049559487c38e81e09d65e623669279478735d7b3b6e

SHA512
01470704542325b56c2672fda55585c5f64a1c12862e067a46cecf0629abfb5e07170dc6ac32a61d095cec458c282e8fd9e98290c7e760d7c0477dc19492a594

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
226KB

MD5
12deb7ad2054935b23d80613af11b8f0

SHA1
5c6dee69b0f84cdc99b0bda6513921fb78bf03d9

SHA256
68ffbeb9a913f25bcf52ff78904b0b6a7de6d0b1f152cbfbccc62e2cbe82fa5d

SHA512
1ce429c1a862b72d426cf53dd32198a4df19ffa1dce6103c1879c22707f0f1ba33cb8193f3cd36b2241572220129a672584e5f60b1e8e108bde49319067f2cad

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
226KB

MD5
7848ebaf44d7bab793315407bf23cca4

SHA1
f8bdb311b4ff4516f3c81e278d54d03676e41abb

SHA256
2a1519b2619f45f9761088da2de391a516440f6a4ff523f69842faabc1f7288a

SHA512
eff4271b62d64230f98e5fb68020324686a00af00f62c43dcdc58f47bd250f2afa1cc3ab7af4a7a75baed53a0da93160e8d100da3ac6c56e1ead454040eb8855

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
226KB

MD5
ddcf3cc16bd8762a811b6cf8f011cd48

SHA1
5068a3824cdaac52c0023ed79a919a3f5a5bdcd4

SHA256
70565924fd74406bf84e50d102ccc2beb62ed3ca2f71eb774d49176e4ea6f0dc

SHA512
13babfeea809b71dd7e36ed6ffd74c722c6e4168c8acc12da9de18c65c1a3e61de4c593c44700057c66273bdc33c7471b0641f65a6215953c3837b84417b3080

Download Submit
C:\Windows\SysWOW64\Jhjpijfl.dll

Filesize
7KB

MD5
72e3a9cf40af1ef8386b3502494df05b

SHA1
3936984e0afa0b279d9d4866a3127b044c8267b1

SHA256
eaf86e3a420d79b6a7e5f2f3e761db24abef52b00fea41f7bb88f906f0223ee7

SHA512
1103d560d49a4b10e70e16f45e3f63d40c2a776163dfc4c9ac488d1f209147ea09e73edbee056fb93c6ca831c71bdeae60bf026550995608601879ca0060c978

Download Submit
C:\Windows\SysWOW64\Lddlkg32.exe

Filesize
226KB

MD5
ce1475dfa81a8fe6d93246908d275380

SHA1
852aec5b9025a38710410e9eea32ab89ed240de7

SHA256
c137a26f670691ef9dd001fbf728909429496263fa98a921c26dbdba8f9df49e

SHA512
6c58debc4b99dfd36dd4ac3b7c2aebdf26378799ab388f229f6bc4cdc29bdbf38d25ab12010a72fe76a723929202bd2790352d2de132cefb13268b411fd4002c

Download Submit
C:\Windows\SysWOW64\Lnhgim32.exe

Filesize
226KB

MD5
480db5d7a1cf058581daca3136a9069c

SHA1
6f2c9ad53dd57c513fb2ef0f399df78ba24dcbb4

SHA256
63f0e09f281d6e11c67961c012176bfa02c7708b2ef687041ce539d56add6d74

SHA512
52ef83321ea2fa741606b432c4f1cf74aa8a6418cda3fd582c45aff9bc240557cb7f9920a6e033346848f2a22632145a1e53c6c9e18b6920f5be0b9230964da1

Download Submit
C:\Windows\SysWOW64\Mklcadfn.exe

Filesize
226KB

MD5
6a2c33fdef1014654f969444565b8569

SHA1
d6a44cd63d7eaa2ac3050ed35382f7d247c65d3c

SHA256
49756e1271f6623989bb5f37ad9101465f3d5c0c5deec74c372591b4165de8d2

SHA512
8765980732332326b8f728ec9ff96b868dee1b38b5961e187b6864f3b3d993ea8af2cc128a98dc8c5477cffe3dadfd9fff61a63964992baf6420601dfa7c2125

Download Submit
C:\Windows\SysWOW64\Odedge32.exe

Filesize
226KB

MD5
420f05f59e01a0ca43231c1be96b53dd

SHA1
cdce2e524ed302fd22ceedab50edd6bf104b6827

SHA256
f121c0ac150cdf5954121a0580c826f72deec37f88dae8cbd8ae57bd0780119b

SHA512
84b9beed00579b37d6dfce6e1b01c59be9ebb922f249474da4632e5ffb6969ecb4025534cf45ad069ee2218e93be5c7fa6f77ec79896bb1d813f434a04a26403

Download Submit
C:\Windows\SysWOW64\Oemgplgo.exe

Filesize
226KB

MD5
f660a7beee5104ae8e3c6f3ba3467f39

SHA1
411045b75197b32cae6a5c82e0a52f93796fc761

SHA256
06dc870e33dea4ee6eb6ce7e9f720441df3c1f923df1ed6b037da6a0ac9defd6

SHA512
25bea5234cc0f7aa7091c58df0fa9b07e9877150c934b102374ca0c0e20f59af10cf80029155ad40f5f9c933628bf4070a744233b8e1e182ee6453fc938f165b

Download Submit
C:\Windows\SysWOW64\Ofcqcp32.exe

Filesize
226KB

MD5
9ab551fc322395ad615282b8ed63a87d

SHA1
0ddde51015e77a7a4ea15a023e5da73e6fb9295a

SHA256
d1bc8cf9f993730c4ef97267db102f801f0b05faf021856f6ece48a7aa49a4b7

SHA512
7e90073d1d1291802156ff065a753599733eea2ab48656fedfa53cb1ce0ea5edba50a1989bd63ddc48f175ce0f8d6319d20ef9bf120eca2518af000012e7b9db

Download Submit
C:\Windows\SysWOW64\Ofhjopbg.exe

Filesize
226KB

MD5
27f185ce7e24b1beb3a1081951f97fe6

SHA1
fb5d517f0188e6d33233a220936167c0e9bc958f

SHA256
63525ea2789806009018d0d9d433102d17d6832f447053e907640762441ed663

SHA512
8f2d3649c7847089b3f4905e1a9210e171311174fad1eeacf301d9c843588f0f3391385c4ed2594269d15bd68981119d514fdffa19b2f26fa5aed7a26201198d

Download Submit
C:\Windows\SysWOW64\Oibmpl32.exe

Filesize
226KB

MD5
4d51c99a1a67678500b9a03dd06674d5

SHA1
0474c87e2600ff7e573e895ccb07c085795c3d18

SHA256
0d4624a3ecf054b532421c51083122a9363902505e0b29191a439d8a5920780e

SHA512
2d8938a320293425d1af0cb54d5c53423f48306dd8b264278dc56a34defa683ea4e67af1e2da1c3d4a1e8a239fcc7de128398be6e05c5438a92c81990e4919d4

Download Submit
C:\Windows\SysWOW64\Opnbbe32.exe

Filesize
226KB

MD5
8b3d54e96c3afa0311c91fb374c745da

SHA1
497acadc905c5e4dbc54b5ddd616d80175f526ad

SHA256
d3c6e73a3d515f8464482657ab9acc902de4191327473638b320dcd55424797e

SHA512
69ab412f91cdd01937d5fe67e748c078eae5b390c25c0fc554a16e8fb50f467a87c956250bac75a6d833c96f061964c45e339a5fb98e225433e1601b54777c1e

Download Submit
C:\Windows\SysWOW64\Pbagipfi.exe

Filesize
226KB

MD5
0478522e1324b0953232a3c62798028e

SHA1
ecb114ae9334ca36d2ad07a699a8ab5d02f073c5

SHA256
7f91aef2fca8cd2c32ac893b8ac38a3533ffc9987b7370eb702eae9e2dc6d58a

SHA512
0d688f0b79824391093136858b377851e88633fe80676515809cd29d9240fb066438fd62183dda0355035675651bf2d2ab0e6432b6df096d6470cc929eb4cddb

Download Submit
C:\Windows\SysWOW64\Pdeqfhjd.exe

Filesize
226KB

MD5
1dd4ca2be98eb3f6b8c3624ea47a0062

SHA1
e95ad22f849c4922c931c589f5e03a14fd6bb2b2

SHA256
4af1cde7ff1ef11c80277d6a51f98182b97615babbe84032dc9f558cd772fa74

SHA512
791eac65c63308ecb687c0bc06a70d5be4d319c090ce7c799db2e67effd67be51ea746023513f00746ef7b8946f2b6906284996c8fd8f714613cc4a60a7834e6

Download Submit
C:\Windows\SysWOW64\Pgfjhcge.exe

Filesize
226KB

MD5
28836aaa1420e770177d82805a5fd508

SHA1
9f6457b10ac120314ab52bce0b3d211a649b9712

SHA256
8c70e1bef55d2042ae5bed550b31ce71f1111fa0e48210ed8009e7a8fea8524f

SHA512
79ab1f4bc5bad20e4edc01404e62417650b60e7272ce0f7f12a2ec9902e0cd673103d14e09ad86225035b22e1ca359160bcaa975cca0ccbd1748ff96d82172ae

Download Submit
C:\Windows\SysWOW64\Pidfdofi.exe

Filesize
226KB

MD5
d185943103185f0fd82d1c06402669b9

SHA1
7feee9af859b5995c35d5338ea224028b8fbfc74

SHA256
2b7157918c5ae9975a21d24af15943b20115c50dbd9fac34de39e0c7ac66b6eb

SHA512
91f221a2e361da6e05dee8e7183e26cf70c00d0147218c828f30b50757ad43f6316c8f7262ad9ee7a76533694bc87c12cddd34ae7e87721ae4952d0298fdc88f

Download Submit
C:\Windows\SysWOW64\Pifbjn32.exe

Filesize
226KB

MD5
20f0067d9109306438fe98f7736e7a1c

SHA1
59c0d5897903cb4655aee54c45c1961987310bb9

SHA256
1e54a340a0e573b93c6e3610edc648a739230ddd32ef985565be3ab5ba16a5c2

SHA512
5148f2d90eb2977bd5e9b750624bda4f4e734960e70822654c8fbe29b32e822aae7bffbdc9e1a38cff4a0732974fc03f479556d31ab16b844c5ba4d70ea57a3f

Download Submit
C:\Windows\SysWOW64\Piicpk32.exe

Filesize
226KB

MD5
45eb1540a3e5769fa29f5438daab7081

SHA1
28d7bdb8f35c4992d48f9ada1991e92dd2af8e24

SHA256
6c53a5b2230a3c9bd89b22093321e0d6442bdba25dd36e014904c53a220f44c6

SHA512
6a62ca63cdcceaedbdad3bdb7e884e4c4cef020d2836aa3cbb6fe792892474d5c4c520f7a840ab0bd86a4eb7360d1c9df0357d476101335c7942ccd646edd68f

Download Submit
C:\Windows\SysWOW64\Pkmlmbcd.exe

Filesize
226KB

MD5
a4389357c0778bd5c98a3bfd0a30a13c

SHA1
2056377a9e6daa1f228ee268c77db98c25c293d5

SHA256
16ce29aafe9d6a2e1601338b1c4102719f5e85eaacf632becb3bab9f8537d0c9

SHA512
3b31afe37a62298da6fa6f3c7f939a9704c7eb69386b4392d266f69046b01f2f676b15be15718920e8f6390cd985ebe7fab844ef03c8f8f9d9ad39fcebc7a7e6

Download Submit
C:\Windows\SysWOW64\Pleofj32.exe

Filesize
226KB

MD5
9f1d47b555f3a593fcc078efd5fd8264

SHA1
3f26bd23eac61c385c4cdfe11091a507e4f2affa

SHA256
3db9c3b7488b8be03841e407b524d291fe3c7c5d02e34141fddb4b76171b7cd8

SHA512
0515b9281246d8acf70cf184fe933410fe16e47a783ac0354a88f1b58982f73ef6df629e3815ed8f8c164779688454ef741ca59249ef68fdf0b50d3a1a106e53

Download Submit
C:\Windows\SysWOW64\Pljlbf32.exe

Filesize
226KB

MD5
32babb5e936fa0a962f16fa058524c85

SHA1
9f46a4e7f3cf9a0fd8aa7fc6dd92a8f15aed8047

SHA256
79f094047d8c9efd88bd7937e6695435f5fa0672b06801b9e83d3c4639be0020

SHA512
82712828a990a4ab998205544317855b732e22f0ca78acce30583a20c12d3b71be4ded78c9bb5a49a0ca9fec9096b123e73c72c97fa8b90f3f030837e3d549db

Download Submit
C:\Windows\SysWOW64\Pmmeon32.exe

Filesize
226KB

MD5
a3927286872a92b77486ab38f4a4faab

SHA1
2d67fdea61f8104bb893b79df0a11d894945d762

SHA256
20d2ac91c12570bc2ec65e0715c02c199486cd8f953385045ee9ff210113af02

SHA512
5fa13eff9c0b0647378382b1e26707b49acb62bacb74499ace8a3705a52da3ba8bf2f48cc0a34cf77bb34e66561814a7c2794ee0bb62e14cceea09a1e80027d2

Download Submit
C:\Windows\SysWOW64\Ppnnai32.exe

Filesize
226KB

MD5
b16281c4224b66f2d195cf2aa3defb4d

SHA1
5bbfbe42bce2e74347a1854aa2c8086f7d99f6c2

SHA256
900a05cf2e9516035573a74e6895a5e310a3348cc8b5a621a81f13a2be546ba0

SHA512
a3c2dfa436759c9fed58c2cdd278dffa042dfc13ab1777fe5c535843e72597bedaa8cb96c8299a6ada053df27e9efd02a42aecebd37dca70f0b559d2cf447ce6

Download Submit
C:\Windows\SysWOW64\Qcachc32.exe

Filesize
226KB

MD5
a5885e29dba0ba616c719155f6485e83

SHA1
9b683c37912438b4e8f41c78f13ec3fb7bd93c93

SHA256
cc621020fe507a3e5384d1f55b75629a2d7e8f7c5cae073b4ed9ce4da81a93c6

SHA512
7dc411774da612490def6bb2c85348d91a88d17a18cda2ae35e8ca1fdca2e597a16afd290851d2bda762cd70e3d98066cefdb70922d2f034b6a99b40eed72e64

Download Submit
C:\Windows\SysWOW64\Qdlggg32.exe

Filesize
226KB

MD5
1a23c8a34b14e90379f46e6eb7057914

SHA1
7605019c406dfb9d86c65c770eca737bebc8be44

SHA256
bdbb1d9bba577c036e9f3ab719e3a080340966782f5b414fa6812a273f19c377

SHA512
182330ee72ecc61dc5c8608b6342c2b8cf83d278087d7997d4430c51463185da1c9ce873458a23ab2f30b04dc63529f3bf1e366847e90d04602ffa622514de15

Download Submit
C:\Windows\SysWOW64\Qlgkki32.exe

Filesize
226KB

MD5
7b254ad8014bfccc8a91ce8e87b848c1

SHA1
e36397de79928d47d271aa222602068e9c22f165

SHA256
de90a0407fc073e8b4f777135ae197fc443c8c63478fce1ae3c47e27abb1f7ca

SHA512
d90982c248b9102b986abb7b3a6703d61537764a9d4531aaeb0207683a9b24432cc84b532f7d0f946e500024309016994b7a484fbafda1708a89dfdd96e86dad

Download Submit
C:\Windows\SysWOW64\Qpbglhjq.exe

Filesize
226KB

MD5
d32f1e637210eec5298b0a3de8295efa

SHA1
473a1fa88c733d3b0173f55580f4fe2c0c6b8f73

SHA256
4bb5397ce355d4d8ed3806358a60bd25bd58ad39eb6ef0e070e172433824160d

SHA512
aad225e302d1f7d8559162977a711f7560951884eb9d74302b08e03d19527e3e1707392530f1bb6359c67f295936b90e29ddb9492e13a16fc1ec5b10eb2ae118

Download Submit
\Windows\SysWOW64\Lfmbek32.exe

Filesize
226KB

MD5
529a83a5695a3bd6c9b60e441a9994ae

SHA1
5f215352637551181a173357ccd7e230c19c6521

SHA256
804d124ad7a373b1d25eaa948aa5286902e116d6fe5a6df168cb510b7e57166c

SHA512
4e35a7fd3ce3a71d5f28867dd7c46749bc7b46dd32a06e966d6b05ca9d26584ff8c33fa26e5ab31d361dba5c4478a3a1c9ae5f68d42879481b544d7f1633de8f

Download Submit
\Windows\SysWOW64\Lkgngb32.exe

Filesize
226KB

MD5
da2c0088eca1a513c7de8d4870cd0daa

SHA1
34f3caff40607b6164fa5aa2a624f39123aaf05e

SHA256
966a62e3fa536ab305ff95e144e54a41f187d3934f58330236a645325b9582de

SHA512
496b32192f4439a1b6311eb11a89aded4c42dcf5a073b468fc8ddd048a4b50a67ba6dd3dfc90fc82b89feab1089e39ad13388c2a1a50e45cd33d023c9a13acd9

Download Submit
\Windows\SysWOW64\Lnjcomcf.exe

Filesize
226KB

MD5
f62534a3415ed5f3b9e5b0581e6f014b

SHA1
e2d66811d29fe869e58dc304a6363fc948cb7c6d

SHA256
a96cdfca006a4d52241f2efdbccebf49b100a456efa7ee6de4bbba5310558549

SHA512
87a96d89a7660707bebabc6760b4f22b3c0baff51862aba864a42ca0eb8b4559db4c7450724a13064ea450ea71f55e82bf02eec3f948a7314c03e2dfd9e56e14

Download Submit
\Windows\SysWOW64\Mcjhmcok.exe

Filesize
226KB

MD5
f238d28163a3a6b9b506dd5e1e2f0d27

SHA1
2734d8a4b912bc0c92231b6ee91635a706b66727

SHA256
49a963de88d3637c4e0f9887778950e16d2abad5e5ebaf5e0f13aa309ebae920

SHA512
4d4189e4596b6ee294e3e8003e344d9898aa2c0948540cc3cd423a838936b863aaa51f68c77c7a0180f4b61a0b531947126cd6f6c281bb607717a8c9e3a3a55b

Download Submit
\Windows\SysWOW64\Mfjann32.exe

Filesize
226KB

MD5
83dc74371d8b6ace95bfe62b1d796b12

SHA1
292d7cba15d6f79ab0e12bf21946f12062d7f892

SHA256
83920f8c8d8c6b7aae6d46b911f6dc0128c9402a82da9ef40ea1e5645d3ef2a9

SHA512
158b271f7dc71de823a3f1a7407bb31c93c1cd05257bb28e9d585af9c7376d78eaf2c10171b5b2d0865cad24af98d4f9bcbcec475a41e200aefdc8be1569dd41

Download Submit
\Windows\SysWOW64\Mnomjl32.exe

Filesize
226KB

MD5
bb1551dc85bf549f48b81e249648c7c6

SHA1
58df07e953e8da60a68fea4c900beaa6f2de802a

SHA256
8d9f3cf2c7b09793198c2a130d248b24df0e26635300277c54bb4eacd5c2a093

SHA512
6e231ee805ac175953b6b1ca83f54bfd45490809a6150b46bd9d0f3944297dc38335a44cac4ebaa998e0d65f0e8722ada870ebb2689f2edc60adb623a8144747

Download Submit
\Windows\SysWOW64\Mobfgdcl.exe

Filesize
226KB

MD5
494153ad8544e346ae5949780744ccdc

SHA1
069ecc3fe1d533c8c9476d9ff4727d2bc4b120ad

SHA256
56c2b76c35e17c933fec5463857dc7973f4cba7c15ba85df95d429de623c4d88

SHA512
f6c60c9fa90c90d03ef471b71701a5b1e21c0a09eb76fcdbb9e69b9486e7afb488b6cacf9811a2cda15b5b273e1bea48930eb9b968e693b719f72d94ade72e1b

Download Submit
\Windows\SysWOW64\Mpebmc32.exe

Filesize
226KB

MD5
8d830d459c50048d712652f2ea0a682f

SHA1
0bf8b21b2d4c9cffa648afcf03de55b184a47072

SHA256
d60c7919b1aaebc15c4c78f8798cff6bc6a0b564a6d9f484702019ce0b8a2610

SHA512
bdfe66e6aeb4e96f4178315d426a1bab11f783f0436dcd8cf3b3fcce178534a7a354f37f0e4fb6b9b02dda5327a1714ab10f007f6ad802cc52ee2aa43f132755

Download Submit
\Windows\SysWOW64\Nabopjmj.exe

Filesize
226KB

MD5
b06cc4c5f41ad0b9031e560c56d7ba9b

SHA1
8247f0385cc4aa299bbcff60471c009de50fce41

SHA256
af696068770973c84302fedfffc06ecc63fe419ca0f6e848abcf7e6da062af1e

SHA512
37e1c30113e3251f0dedddf105dc2ad519b9c572617be09affa84c3dc27c1f42fa7397499e41d8191c439b4d0e53dc0d97724e000c40152557a1be50b5b2044a

Download Submit
\Windows\SysWOW64\Nbjeinje.exe

Filesize
226KB

MD5
97b717b39af28d6bf67ecd01ba0a22a2

SHA1
205b3fa2d020cf3436ebdbddd3bf68614a76ffc2

SHA256
c69ed8e8ddf2be334391d98d71aca096c5e2d218bf1dc48db8f02796c12ef74f

SHA512
743e1c1213adb839fda2c3818b7354ebc720bc0e0124bc982d2798767995f6c36ab0604035670da47526805afe0ac6a6092d86fc2aec46eeb1009b24c549adce

Download Submit
\Windows\SysWOW64\Neknki32.exe

Filesize
226KB

MD5
bac562dfe363f01496b43dbc259884cd

SHA1
a2ea0980b34f580d8d1fa1ab3037a09855414cfb

SHA256
dc98921cff26b4fecc7e2b1b02c9925516b8753c1f7bfff339d2d47b8d2b2b23

SHA512
d09182c1a2e9f47f4a0bbe2f7b2ddc5e9149ab6fa1faa3d6b6cbb7d93c8705e3fb3ef7ec9b0c9e96614b199373f351fe301ad5b32797ab9fc51553fe0bdf5f41

Download Submit
\Windows\SysWOW64\Nfdddm32.exe

Filesize
226KB

MD5
571ce04b78831b26eaee0c8ed0f0dbb1

SHA1
8745f4f1284dd2d157cddb2b764e1da724cd35e1

SHA256
8b74332d4fba5c3bfe49933d6d05f2d60e79bc556a721bc5a299af39fa018fe5

SHA512
993192dcb7e737edec35e009f566ac4d39ca920274c7f117611c0e1bded5ec0e11e004e0e193345cc16cc96263efdd1bc1af2f06cbe5069f4313a236d8590389

Download Submit
\Windows\SysWOW64\Oadkej32.exe

Filesize
226KB

MD5
f17bacdc89d73829c5eb7054510b795f

SHA1
b1cc6d5a70498885870a966027051d8aed1e00a2

SHA256
b0d97a3d7e5b219787ed9265f18cae61bc7aa598b30036f4cd95e8e70b886c73

SHA512
cd27bab3077fa3e7cc1cde009d0539107cdeabd71ef2332ec55c8bde009f88b60adeb555463d66e42d1b55387da30c65d44cd3dfa8c9b80151caa116eb06207e

Download Submit
memory/840-273-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/840-263-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/840-272-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/884-306-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/884-303-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/884-300-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1068-205-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/1092-231-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1092-244-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1092-245-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1220-460-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1272-137-0x00000000005E0000-0x0000000000621000-memory.dmp

Filesize
260KB

Download
memory/1272-123-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1272-131-0x00000000005E0000-0x0000000000621000-memory.dmp

Filesize
260KB

Download
memory/1608-180-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1608-187-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1632-423-0x0000000000330000-0x0000000000371000-memory.dmp

Filesize
260KB

Download
memory/1632-414-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1680-403-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1680-412-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/1756-248-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/1756-246-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1768-230-0x0000000000460000-0x00000000004A1000-memory.dmp

Filesize
260KB

Download
memory/1800-160-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/1800-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1812-166-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1812-174-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1900-252-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1900-262-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1900-261-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1988-435-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1988-447-0x0000000000330000-0x0000000000371000-memory.dmp

Filesize
260KB

Download
memory/1988-446-0x0000000000330000-0x0000000000371000-memory.dmp

Filesize
260KB

Download
memory/2092-283-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/2092-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2092-284-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/2160-21-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2160-18-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2172-475-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2180-413-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2180-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2180-59-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/2216-40-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2216-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2256-329-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2256-339-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/2256-338-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/2388-458-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2388-449-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2392-8-0x0000000000380000-0x00000000003C1000-memory.dmp

Filesize
260KB

Download
memory/2392-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2392-383-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2444-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2444-214-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/2532-328-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2532-318-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2532-327-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2576-151-0x00000000002C0000-0x0000000000301000-memory.dmp

Filesize
260KB

Download
memory/2576-138-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2608-384-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2608-393-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2624-394-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2668-470-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/2668-459-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2668-103-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/2668-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2692-469-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2692-122-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2692-109-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2696-349-0x0000000000390000-0x00000000003D1000-memory.dmp

Filesize
260KB

Download
memory/2696-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2696-350-0x0000000000390000-0x00000000003D1000-memory.dmp

Filesize
260KB

Download
memory/2700-426-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2700-431-0x0000000000340000-0x0000000000381000-memory.dmp

Filesize
260KB

Download
memory/2720-66-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2732-372-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2732-370-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2732-361-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2740-68-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2740-76-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2740-429-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2740-440-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2776-442-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2776-93-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2776-448-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2872-351-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2872-357-0x00000000005E0000-0x0000000000621000-memory.dmp

Filesize
260KB

Download
memory/2980-381-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2980-382-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2980-371-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3012-316-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/3012-317-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/3012-307-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3024-296-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/3024-294-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/3024-290-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads