335ff1b4299c2b647e2cd64019b48e28bc9de04537a6822490835074d5a2a08a

Analysis

max time kernel
96s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b99ed2c0dde4367c8f3e7913d693e510N.exe
Size

128KB
MD5

b99ed2c0dde4367c8f3e7913d693e510
SHA1

8efa8403186437a99959314843fdfe49d21f00bc
SHA256

335ff1b4299c2b647e2cd64019b48e28bc9de04537a6822490835074d5a2a08a
SHA512

f84ade15e83f4a7cb04bfa1449d69e30ea9ffff3d23e5f85e58ffb94498933ec5a91b61480bad6f109461e1752e4954f03a9e6bbfafab4458068970c5f6b1777
SSDEEP

1536:6VeWKSaoqg4yHd9zoCw9AufzFQjILQ9FKGXllUDtM60TD4ruhiZlrQIFiglF9xZM:6Vtd1AOufzMKG7UDd0pCrQIFdFtLQ

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lboeaifi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpqiemge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjcdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mipcob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe

Executes dropped EXE 64 IoCs

pid	Process
4872	Kpjcdn32.exe
3580	Kfckahdj.exe
1724	Kibgmdcn.exe
1896	Klqcioba.exe
848	Lbjlfi32.exe
4960	Liddbc32.exe
1656	Lpnlpnih.exe
3708	Lfhdlh32.exe
3464	Ligqhc32.exe
2696	Lpqiemge.exe
4060	Lboeaifi.exe
4348	Lenamdem.exe
3376	Lmdina32.exe
4152	Ldoaklml.exe
1412	Lgmngglp.exe
220	Likjcbkc.exe
4368	Lljfpnjg.exe
1804	Ldanqkki.exe
3560	Lgokmgjm.exe
3192	Lingibiq.exe
3112	Lphoelqn.exe
4176	Mdckfk32.exe
3152	Mipcob32.exe
3116	Mlopkm32.exe
2220	Mdehlk32.exe
1392	Mgddhf32.exe
4168	Mplhql32.exe
940	Mgfqmfde.exe
3204	Meiaib32.exe
1108	Mmpijp32.exe
216	Mdjagjco.exe
4140	Mcmabg32.exe
2924	Mgimcebb.exe
1048	Mmbfpp32.exe
2952	Mlefklpj.exe
1880	Mdmnlj32.exe
2680	Mgkjhe32.exe
4632	Menjdbgj.exe
948	Mnebeogl.exe
1976	Npcoakfp.exe
528	Ncbknfed.exe
2036	Nepgjaeg.exe
1288	Nngokoej.exe
1204	Npfkgjdn.exe
4544	Ndaggimg.exe
4808	Ngpccdlj.exe
884	Njnpppkn.exe
2672	Nlmllkja.exe
1304	Ndcdmikd.exe
3124	Ncfdie32.exe
2420	Neeqea32.exe
2028	Nnlhfn32.exe
2032	Nloiakho.exe
3132	Ndfqbhia.exe
1396	Ngdmod32.exe
4220	Njciko32.exe
2684	Nlaegk32.exe
4148	Ndhmhh32.exe
3984	Nggjdc32.exe
3728	Nnqbanmo.exe
1516	Oponmilc.exe
3224	Ocnjidkf.exe
2004	Oflgep32.exe
2532	Oncofm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Akichh32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Okokppbk.dll	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Ngpccdlj.exe	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Nenqea32.dll	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Ldoaklml.exe	Lmdina32.exe
File opened for modification	C:\Windows\SysWOW64\Ldanqkki.exe	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Ojoign32.exe
File created	C:\Windows\SysWOW64\Edgbbfnk.dll	Kpjcdn32.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Gaiann32.dll	Meiaib32.exe
File opened for modification	C:\Windows\SysWOW64\Ndcdmikd.exe	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Fojhkmkj.dll	Ligqhc32.exe
File created	C:\Windows\SysWOW64\Ndhmhh32.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Opdghh32.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Onhhamgg.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cbeedbdm.dll	Liddbc32.exe
File created	C:\Windows\SysWOW64\Bfajji32.dll	Lboeaifi.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Mdckfk32.exe	Lphoelqn.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qgqeappe.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Ligqhc32.exe	Lfhdlh32.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Nlmllkja.exe	Njnpppkn.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Mdckfk32.exe	Lphoelqn.exe
File created	C:\Windows\SysWOW64\Ocljjj32.dll	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Nlmllkja.exe	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Jlingkpe.dll	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Goaojagc.dll	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Lboeaifi.exe	Lpqiemge.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7024	6936	WerFault.exe	248

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqiemge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljfpnjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgddhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnlpnih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenamdem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlopkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfckahdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likjcbkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdjagjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liddbc32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnpllc32.dll"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okokppbk.dll"	Kibgmdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplmmdoj.dll"	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmdina32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahioknai.dll"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjiccacq.dll"	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mipcob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mchqfb32.dll"	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lffnijnj.dll"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bjmnoi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 4872	2464	b99ed2c0dde4367c8f3e7913d693e510N.exe	85
PID 2464 wrote to memory of 4872	2464	b99ed2c0dde4367c8f3e7913d693e510N.exe	85
PID 2464 wrote to memory of 4872	2464	b99ed2c0dde4367c8f3e7913d693e510N.exe	85
PID 4872 wrote to memory of 3580	4872	Kpjcdn32.exe	86
PID 4872 wrote to memory of 3580	4872	Kpjcdn32.exe	86
PID 4872 wrote to memory of 3580	4872	Kpjcdn32.exe	86
PID 3580 wrote to memory of 1724	3580	Kfckahdj.exe	87
PID 3580 wrote to memory of 1724	3580	Kfckahdj.exe	87
PID 3580 wrote to memory of 1724	3580	Kfckahdj.exe	87
PID 1724 wrote to memory of 1896	1724	Kibgmdcn.exe	88
PID 1724 wrote to memory of 1896	1724	Kibgmdcn.exe	88
PID 1724 wrote to memory of 1896	1724	Kibgmdcn.exe	88
PID 1896 wrote to memory of 848	1896	Klqcioba.exe	90
PID 1896 wrote to memory of 848	1896	Klqcioba.exe	90
PID 1896 wrote to memory of 848	1896	Klqcioba.exe	90
PID 848 wrote to memory of 4960	848	Lbjlfi32.exe	91
PID 848 wrote to memory of 4960	848	Lbjlfi32.exe	91
PID 848 wrote to memory of 4960	848	Lbjlfi32.exe	91
PID 4960 wrote to memory of 1656	4960	Liddbc32.exe	93
PID 4960 wrote to memory of 1656	4960	Liddbc32.exe	93
PID 4960 wrote to memory of 1656	4960	Liddbc32.exe	93
PID 1656 wrote to memory of 3708	1656	Lpnlpnih.exe	94
PID 1656 wrote to memory of 3708	1656	Lpnlpnih.exe	94
PID 1656 wrote to memory of 3708	1656	Lpnlpnih.exe	94
PID 3708 wrote to memory of 3464	3708	Lfhdlh32.exe	95
PID 3708 wrote to memory of 3464	3708	Lfhdlh32.exe	95
PID 3708 wrote to memory of 3464	3708	Lfhdlh32.exe	95
PID 3464 wrote to memory of 2696	3464	Ligqhc32.exe	96
PID 3464 wrote to memory of 2696	3464	Ligqhc32.exe	96
PID 3464 wrote to memory of 2696	3464	Ligqhc32.exe	96
PID 2696 wrote to memory of 4060	2696	Lpqiemge.exe	97
PID 2696 wrote to memory of 4060	2696	Lpqiemge.exe	97
PID 2696 wrote to memory of 4060	2696	Lpqiemge.exe	97
PID 4060 wrote to memory of 4348	4060	Lboeaifi.exe	98
PID 4060 wrote to memory of 4348	4060	Lboeaifi.exe	98
PID 4060 wrote to memory of 4348	4060	Lboeaifi.exe	98
PID 4348 wrote to memory of 3376	4348	Lenamdem.exe	100
PID 4348 wrote to memory of 3376	4348	Lenamdem.exe	100
PID 4348 wrote to memory of 3376	4348	Lenamdem.exe	100
PID 3376 wrote to memory of 4152	3376	Lmdina32.exe	101
PID 3376 wrote to memory of 4152	3376	Lmdina32.exe	101
PID 3376 wrote to memory of 4152	3376	Lmdina32.exe	101
PID 4152 wrote to memory of 1412	4152	Ldoaklml.exe	102
PID 4152 wrote to memory of 1412	4152	Ldoaklml.exe	102
PID 4152 wrote to memory of 1412	4152	Ldoaklml.exe	102
PID 1412 wrote to memory of 220	1412	Lgmngglp.exe	103
PID 1412 wrote to memory of 220	1412	Lgmngglp.exe	103
PID 1412 wrote to memory of 220	1412	Lgmngglp.exe	103
PID 220 wrote to memory of 4368	220	Likjcbkc.exe	104
PID 220 wrote to memory of 4368	220	Likjcbkc.exe	104
PID 220 wrote to memory of 4368	220	Likjcbkc.exe	104
PID 4368 wrote to memory of 1804	4368	Lljfpnjg.exe	105
PID 4368 wrote to memory of 1804	4368	Lljfpnjg.exe	105
PID 4368 wrote to memory of 1804	4368	Lljfpnjg.exe	105
PID 1804 wrote to memory of 3560	1804	Ldanqkki.exe	106
PID 1804 wrote to memory of 3560	1804	Ldanqkki.exe	106
PID 1804 wrote to memory of 3560	1804	Ldanqkki.exe	106
PID 3560 wrote to memory of 3192	3560	Lgokmgjm.exe	107
PID 3560 wrote to memory of 3192	3560	Lgokmgjm.exe	107
PID 3560 wrote to memory of 3192	3560	Lgokmgjm.exe	107
PID 3192 wrote to memory of 3112	3192	Lingibiq.exe	108
PID 3192 wrote to memory of 3112	3192	Lingibiq.exe	108
PID 3192 wrote to memory of 3112	3192	Lingibiq.exe	108
PID 3112 wrote to memory of 4176	3112	Lphoelqn.exe	109

C:\Users\Admin\AppData\Local\Temp\b99ed2c0dde4367c8f3e7913d693e510N.exe
"C:\Users\Admin\AppData\Local\Temp\b99ed2c0dde4367c8f3e7913d693e510N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\SysWOW64\Kpjcdn32.exe
  C:\Windows\system32\Kpjcdn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\SysWOW64\Kfckahdj.exe
    C:\Windows\system32\Kfckahdj.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3580
  - - C:\Windows\SysWOW64\Kibgmdcn.exe
      C:\Windows\system32\Kibgmdcn.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1724
    - - C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1896
      - C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4176
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3116
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        26⤵
        Executes dropped EXE
        
        PID:2220
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        28⤵
        Executes dropped EXE
        
        PID:4168
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        29⤵
        Executes dropped EXE
        
        PID:940
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3204
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        33⤵
        Executes dropped EXE
        
        PID:4140
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        34⤵
        Executes dropped EXE
        
        PID:2924
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        38⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4632
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:948
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        43⤵
        Executes dropped EXE
        
        PID:2036
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1204
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:884
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3132
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2684
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4148
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        62⤵
        Executes dropped EXE
        
        PID:1516
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2532
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        67⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        68⤵
        Drops file in System32 directory
        
        PID:1376
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3076
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        71⤵
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4316
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        75⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        77⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        83⤵
        Drops file in System32 directory
        
        PID:4228
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:664
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        88⤵
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        89⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        90⤵
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:376
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        92⤵
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        95⤵
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5352
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        99⤵
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5528
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5660
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        106⤵
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5808
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        110⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6040
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6084
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        113⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5552
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        119⤵
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5688
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5776
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        122⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5972
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5296
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        128⤵
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5740
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5936
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6076
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5232
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5632
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5800
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        138⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6004
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:5208
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        140⤵
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4352
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        143⤵
        Modifies registry class
        
        PID:6268
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6316
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6360
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6404
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6448
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6492
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:6536
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        150⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        151⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6624
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6668
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        153⤵
        Modifies registry class
        
        PID:6712
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        154⤵
        Drops file in System32 directory
        
        PID:6756
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        155⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6804
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:6848
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6892
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:6936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6936 -s 220
        159⤵
        Program crash
        
        PID:7024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6936 -ip 6936
1⤵
PID:7000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
128KB

MD5
64cb440f9c8f5720897db0c1b90db487

SHA1
f6e8838edbbc1e593eea5e297954b8721406dce6

SHA256
7ccfa8f550acecfe4362e90ed48f28bc898d95bfa2e214e8f37396abbaefce9f

SHA512
e3b1bb29112574b2cd89426a37a37af6904014853a97fa9f665034dbfd1585981d969c42b27d63e241206980e5830df6f28aff24c0231d2ac798737a1f3fe809

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
128KB

MD5
0121f63c380e2712212bd701cd84a840

SHA1
3f270536824a92b505194d83fc867c8b72616a49

SHA256
a074c4a73d725110cde48d0d0d3f6180205e77ec8d91cdeabd6eb7113cc212ee

SHA512
0877e94ad500a06a0999f14a13481c9f999e10b86b7c7373776536ab6c0a0882a38b9fe03408112412c2bae0bfc9551480e54c9d832984e77a6e1a2de363c36c

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
128KB

MD5
3d655e38a4754011acbb3e175e1b467c

SHA1
8ee98c040ae9210c828d8733fee33048e111e729

SHA256
2922bb015508ad92c8a315cbfef677368069dc240a54211c2a51a5aac1092162

SHA512
5e4a3d5e6a643e4cefc53bd9ebfdcc92b3c4dcf3365e956e745a6c5472a558d87a9ef2f4c49e53d837b2745ed1955640749b8ff0283a13540f0b26fd61638d47

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
128KB

MD5
a2b44d86ab7d4b259d4bfdf8db509bdd

SHA1
8093faf86ac90fcfe2a09c1e42b30e72434a41e0

SHA256
2993315f25a5e6d3fb359c7143e31b5d886ec94f2f2e412b6fd8fb4f72af55c9

SHA512
0be57238dfd8040adf88075fff3593eee61d7cfa03eb13b0361260db3ba013bb84440f782d4c4cb21eab99c0db8dfd503e4487f945d4f6f480b9dfcd752d3754

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
128KB

MD5
c024352dda9a197a63a56ba3db053b6a

SHA1
863a561d1d52bfc827a24ea358b2794fd5728fc5

SHA256
9b34f746264ef9dd40cd619bd846d6a809a9c5af907388a1a289a15a6f3d51ca

SHA512
94e8ed068b6f13c366295508b76c7ad1a5f415d616f211950b8b5ad22eddd6bb12f255f6654013bfa8939c6b08c0dfc55f1dbd6c9476f96777f012422075bf9c

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
128KB

MD5
8e0201e7e329aa612a3bfaa1eb86ff24

SHA1
0747cfd8a2b82353c4df79bb7585168db0880dd8

SHA256
595f53de9b6ace019005610b3a328608ce3ecc8be2c4f1ef3b7c2eb09d9fa365

SHA512
0f090c2c76863a90839cb6c77112e9e3c085cf59337922709a8ddaeecb0af1a5d5dde4398f318fd3af0f4a1703ce2ba60b450cbb1ee3ee295bbb92c15f7766df

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
128KB

MD5
3ab096a4a3bbd751596be0052250708f

SHA1
55e6cdffe453a9ba0c4f126f0b46f41d7803bf6e

SHA256
63f190301f9d3ef94a20491bd9bc5f77f80b209fca2bd2ae520b404992bf9f01

SHA512
3b7868895639fe9c8b0c818c1618c0269dab06b9d64675e1acaf37da28c9a72e9e4064d5dbf03e8467e395e0b5b57f5219fb60f5802c190dca18b312c9d25a50

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
128KB

MD5
d9e6d063922a92abfd4fab4b70801e14

SHA1
beb1c4bed4a001807b0b9ec27708034b16f2939f

SHA256
0b58043c10ea0d550d1b733451d065625df6b109620ff1fbc0fd163e5315746d

SHA512
b385d4d9b12309aef4c50e84a005ceaee1bd4c5b13f518d0dd4a4ea585815c39647307e411d9e6415eeba901a0f61ee15d99c8e5e3ba6a90f0a72cabd4ef315b

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
128KB

MD5
ddd231554c65de73ab5c168a04ebfa0e

SHA1
9cc32ae094219e26718a3a069a4ddafc3610e9ce

SHA256
f93930137a00443e9b222b66cbd06bb365555c392f97bcd228c1b0b0aa8f0f00

SHA512
a5834ed53ad61b7a515c4d78398ba24cd8b4a62149613e08b9c11e1bd5b87c21ac5d6727f6ceb3abbb111ebf11613360abc6340a84a46434d1ad0f991880d3ca

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
128KB

MD5
cea9c010beb70282ca66d7fa96dc801e

SHA1
d97ad1259deb0dc810818dfedb711e4e5a08fd43

SHA256
78dd128f8c80f6bb606ee404c610004f665beec8606a012e53b782284591a55d

SHA512
1f1bd5d543b2922b8c4232f5a4ac371dae8d75f5a244620fd189c8175ff275a34f21e691df7a276e3f9894d5e3e69b87ad8d8ac7afb8a10efa791ae243c981c8

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
128KB

MD5
8eefaf519385075041a616f5e7f04823

SHA1
ead481b867eb87952f1d543845c20ebbcdc04cf4

SHA256
a407433ee9c90d5fb75d855ac9eec45d40d8e3e2dac04f66ecd50a0482cc2150

SHA512
413a8ec9319c33ce156155bcb4349c5d24ff8c9eee59d41b59f0339226deb38e8f826687db7831d212855f128e55a5a84bdcc6859bbb71d2932527868110cafc

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
128KB

MD5
123a20e46afd6d32f6338904209273fa

SHA1
3dd0dd6835a0193ee69a44f3778ee76554b045ab

SHA256
9551c05bb6e47fc46195bd42b6bcb9cf84efdd9b35da6f19551c10e04832e069

SHA512
ab0abbd6b93f9215b87adf70a171cce73efa20b15609d84abfb419abab3d7abda4126a39e347d411b5b612d27ac879d6a2273886fc59c1d64c4d1281c8cb3e15

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
128KB

MD5
fd3a7f23aff291358c7ef5249c404e36

SHA1
6a1431dc86fddde14fcbe6b0f925ede515f80130

SHA256
c6d4844e560063b7b2ba5745398009862c38116fd8854a5f6863601cf75fb35b

SHA512
121951265bf62777f2011375294853e2308188cfbdd5b80314c407bbf175d33d3f7aee1130510535aa090c9512f97ccbf52fe29f9e2578e2319257b053f2dc2d

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
128KB

MD5
bebe53f5619d18722ef9a1da2be123bf

SHA1
97fdf231b2191dd8903fb836a6a150684bf399e0

SHA256
d81fb037026c940c25a4554cd0190286ed5f0eb4abd34ab0fc3fa74510fc024e

SHA512
4b252e8d28ba84c92993caf41e489017bad75a5a4d68bce8c8ebb2545e7bfb8ba786b31477fdf2a1ce8bfbfe67a2837f4cf9b9d6df2a4bf1f3d6dfc2b7c1a73e

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
128KB

MD5
187f5937d59c233c87afd908ef240f57

SHA1
7183aeeb514b0649f27cb77217332018c421d2e8

SHA256
31d16c934d2ab54ef032ed602d6fdc767f87f25f2b2edd60b3f4d6fc715dfb75

SHA512
7308604030c3c3e228545c6c3539a6f03035f6a2429fd27bb1939986f99971b2bc7f8097de819b61589d187a71baadcfc0ba4a0f663bb864f715cc7fa8410661

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
128KB

MD5
1d76b888a7877360d371aa0176d5b2ca

SHA1
05f2e6651f90922dda2d29f7545d51aef894e217

SHA256
6e259ed0eede44cb0a87e0c54201365c7a46c2fa12bb3802085f7ba3ff878d59

SHA512
a13afa7f4039fcf3b97446c05ac9baf0572688fe161ad3552d7b0e64bb6c12ab4ca5604a870f4dd5ab0483b0f051afc06e8798eb8d131c8b07d31279929641ba

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
128KB

MD5
b4f2e57eb41216dd5f7b9b17c57a2640

SHA1
598ac989a125ac05304cf2f311267e8265a153d1

SHA256
1df17b4a7a130e499719036d8c7a3d063e495f095a902abdc87abb24e173e413

SHA512
b854d8729be95f9298850ec18e5cacff443c8eb4614acf0148997765ce6d59ea24d46ea917ae4e08796305bf4aa5df8f99289e0e286aca17090fa4f50454235f

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
128KB

MD5
f02b906fe305b226a37d9ed25186ddd7

SHA1
7d655116bdb90b098100c84c219dd8c12f452b81

SHA256
6b7a755a95bb38771e9c49eac640822501c72a84c497a916ddebe3530d4d79ab

SHA512
3586e3f33e8051fce499c4dfdcf7ffe7a7e224927ca6f8ace786d50cb62371f0453e0dce5b55b7eead9a37f9b0408adb52f02f6d814ff2e6b5cc0609e8482151

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
128KB

MD5
3af9ffee158140f858de17d163a99571

SHA1
dce954fdb880c0983a3aad6b9f73a9dfa53496ba

SHA256
d9b4d3ed168c8b6dc10d15e0207a78f9e4583fef6b6906329bec2c0acd07b296

SHA512
634b3c7da8d4ba7d047d768c9f29c28acb72f725b92daa34f542d0e1fd8d6b7c7a85000ea81e5d76bc05e3905457cc904577280f6c1317bd37ad43c0fc85c29e

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
128KB

MD5
bff6ae69f4051e555575549e55b704d2

SHA1
ceb3dc61303e18f51d2f2850f49efa10e16ac1ef

SHA256
4aa581c827f1c6693874c73ee19192a199d2b34c0f583c2dd99f531702c7ade0

SHA512
2576ffa1da41296471060e2cc64280e3ce9189bae1c8dae0b83dda7dbb5a33a795cfce4b15d96238cc0d425ea15baac268c282c36e37489b133f9aa9855c2802

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
128KB

MD5
aa613e6260c8600ee0b61e9f38ae217c

SHA1
c2b81237287b6ac3754b2ff8931ec980e23bd101

SHA256
bfe7510d355cee22a09bf69863b3bf1aee512d2a687804db139e5f43ee24250e

SHA512
0c133ff21a176cf25c20bb891605cd29ecdb874226e1b298ce650115641c29fb54efc38738ae257b44d82e82a070891b405191e25a0b1e32abf51aef40708fed

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
128KB

MD5
dc0855217fb92c6c8f0938913bd0fe57

SHA1
e5f99aa7e641724dcf05291b5cba9ed29787bb74

SHA256
ac86c1f098ee97cb71b075f053122e925805f73e282623d0addf4bd59bc745d5

SHA512
f46a9e709d07f82d77d01ddcc91842b799009afae89208d82da0fcd59e5992577a14925dc7b413d8375b03644dcd97e46838daf8129275b6f470c9a394c6194b

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
128KB

MD5
3dc61637e75971cdeb5217235931a2f4

SHA1
bf6c76489385b8c16b95f2436c73cef6448d80e5

SHA256
9b157ba0827b0cab36050e479dfc1010447fc8e2c0bfa65621e7f395e48e3849

SHA512
98bb962d11c0e4a535d903aee40d2ea4cd334b7ad455169c381843fa7e91151c8d558c93256137bafbc2dc6faec21af1d819dacab4d5e2377dc919edc8e16948

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
128KB

MD5
34455f338d270cf632cc3ba959530bdc

SHA1
a53653ac4473ffef9713ffb57dea846227d04168

SHA256
3bce1e40f2d151b5ebb1f22f01dba7a5e827640dc4818d74ce1eb47bd22b1c1f

SHA512
73a239fcd20d489a71db9e8089282ce704f25445c9232ccbcfcf0cc2966788d2fb9208144d8e329b1070541a6c40e0cccf3c708cbcb996030714a366866ab1f1

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
128KB

MD5
e9411fdeae690786a197d0bc1fc13f27

SHA1
9b1bb20febdedbe67be0df6bc0997be2ff417786

SHA256
5ecf63378f754650b7d240cbfa00d6c0e512ee7297ce00690130a1cf84c63e30

SHA512
ce954a913779a57e2b703fc029dd910f2ef5d78ae019c89ab0987d361fac84c41c6f7af95752e4585e6f23ea3ea22834d14543365312a15f2cc7dea38975aa1f

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
128KB

MD5
5d4d2d00fb90b90d0f40cb8dab100ff5

SHA1
522bcd1ccb111d4d47f69e6187b84525c5c27b1b

SHA256
f6b241564d1009772ca3b4c79f116f00407fc17403de73505886eb42ddf5e2dc

SHA512
6a80ddb23c4b917f2c704b5c9725715fbb3a7d40ad98fbf4a0b8fa142203a93e0406b5d01bfd110d2da601e3148abcee62232ae8f31063b5f66a533b81408533

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
128KB

MD5
0d8e78e41334ccf908fbc21dbb3f123c

SHA1
ed3033bffe1d1a7485e922ca799658bc43899067

SHA256
40b82af8c3304dd50bd9dfa34b0974dec9f26df0ca6453a844c706f56003a15b

SHA512
3e565aa797865e30927babc1a8812dc10d2e566be5c139e2e5fdd13f06efd318b2e8df95f64983820656addbae33b4512743a13342762b99e5b150686cc3800e

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
128KB

MD5
dc29492c38ed8fb2aa491585579a880e

SHA1
e5033480fa2b577679024e7db6d9eb7f821a56bf

SHA256
7bf26c6ba46ce8e3c34c13e207dbe3bd0f64bb0243e115e42b95b954c971ad7b

SHA512
1e67c9c22d6d743aaf11c4f36f465f15f17f15e53d052a59853d413772731803bcb84950b87f867ce01280214b14e580b08de42cb504ee43602de26d88672c07

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
128KB

MD5
64f831cd59c0a495af9676cd08cb3775

SHA1
03d484b9bcea7d2489b528fc965a7ab42da7dffe

SHA256
dde05b0e6bcdf01c56f584d463bd7378a2188ca1b76214e6a02f2ffc9d550d56

SHA512
b599f05b82ced8e0be403aa3020ee80d3205c59257197f9a766a8c088397035b64690fdf946b8037f05d86804f4dba5ce8be3b69241435aab8131a3f316bf8da

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
128KB

MD5
e2d6bf8e17a76d0a937497e2cd9d89f6

SHA1
a3d5922ef89ffb7e9512b37bbe73d4e2b8edcf72

SHA256
7096233324eb0c23c252a40e51fbab4a2b16f1ee5c97e04b7902853a2b9240a6

SHA512
2f44ab477f7898896ccbcd1bb9cd8203c551e8952fafeaab8babcd982bb17dfba9413fd33c3ddec8f8a86af077c5d58e2852681b874a9eef1d7f3c4ba2add6f0

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
128KB

MD5
975e2ad8d507ea0018d0f63e4250e0ef

SHA1
9d5f47cb73204744c5e1f50db860ede6ab904207

SHA256
1e916ae041dc0cf2cbef0394aa100cedd1f609cd695fb1192cb20858e7c65ce6

SHA512
e7a9e711a04c02e0c8566d991c2408d4a53bf5a8d93046b482df889d98e1bfef8c27021d3bb25c9d4ec5fcc852be8382dbb308865b45ab31a96ee84ea50a8df7

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
128KB

MD5
f41687e38573a5d2128f00834f0e83e8

SHA1
172f34602123585f094b0ebbbdcf8215f7364443

SHA256
07c1b05804c24dfb8e71f96cb1e4ae3ac2e28a016bba228c7320d134b9fcbcd3

SHA512
8fe45948d092e87135fb8cbd8388d15c3bc4e4dfc3a5b4a019cd93b3efd7ae288923baeafe9c47271be832eb6651b866f313875362798f27435d8b8acf0c8d2b

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
128KB

MD5
9d9dd7297592f837bd53b8f1b1378672

SHA1
e1f73b25de81e035cc59572e66826a51af701d92

SHA256
1ab085990431d37823c1c765d0868c92b1f4de3bc6f0bbb0ca71241cbf192071

SHA512
2c6dadbf20c6374a4e0648361df554fbc67c5c01cf726dc365fcf6a5a2e5fe3300d8bd692734be609b952525fd955c58592fb6e431a98aa28ea70111fec0458e

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
128KB

MD5
359555c75c41cc2ae5fb2f6bcb0f3145

SHA1
b75000829ef9e5249a7b3991f3ab9eb4bd17eb0f

SHA256
e1405695a337d0e7f92351c06e816d64ac39281fc9ff381be05d943e75fd6c19

SHA512
8b68dbe4b3e528e76eda9b6590744c55d956004ae31acdbfcac1ad49698fc796bdc961ddad79332bf5c7c60cbf8509c2cb149729b9a386c4f751c20e341c3bea

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
128KB

MD5
31ccb554ea536351153741783de57499

SHA1
40e0c76864d9e2aef06ee6b98d8f858c4c80fd01

SHA256
5708dd9ce700d4fbc0e92fc77bdcdd1c104193c5db98385ad413dae1c9baadee

SHA512
0c26ba0613a6dc418f5ec76df94897bb3aaeb60f9c36258c9d118081ff4dec16ae6d5a16f3a26a13fb27f9429c18fb88953be6b30af418ec80da530a4ae3f02f

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
128KB

MD5
ba8873c9dd01d3e5ba7d0bd3087b9233

SHA1
c1005e9779670672ef82f729359f0b4f97d2ea07

SHA256
0eb54723a6a16a2ecc8bd6222f261134b2b6123abf4b83645468c105074de8d0

SHA512
9d7115c0f0e2ec7b62dd353dee9dfe8b0e90fc212cf91a0a3dac2c28a6664d27511d7b65f295295a9970df561e398be5ab755b9313634c7b708e946dca93c70e

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
128KB

MD5
7b72a1e5a9241795f8cd29d5ac5dd807

SHA1
0b289888bad7acb15c325374b3f7876804a2e5fe

SHA256
41071a42bf14c1e214d2886ba63e153248179e8fb437adc95a2b6f516babe6db

SHA512
dfb9542cf0d7486e9c797187fb80fa2c33a51dfd17aa07cfc6a921e84aefbd8d0f3fcadaf2e1e34321e626935acd9ed083aa838f1a0ff1084a1fde1c40cd9acf

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
128KB

MD5
907d0d011e74197a6677623b487f3d2d

SHA1
b0a566f59f8ff945e857b5201c22ba5d816be49d

SHA256
f550f43257b4f2a544b0622d6b0832b481c38efa4f31d4b1cd57227e1b28c23a

SHA512
ca81beaf6fff84a3e47dc18ca91df3d4aaa4f4befc2f73fc4eaa53b9df5b056f5131ddc1520e93d36efd06ceca2ddac25db08590a445680c3673863fe241360f

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
128KB

MD5
f5ba6cc5d2830ce9c66e42a96e2037ff

SHA1
7e61a1358bee87bbaed742652f3689dc1b560737

SHA256
805888f1ce98d996fd1330e4a189c1a5590d053174ebb001776742b0a39ae818

SHA512
adb71e8c069fa3e88d867b493d2b4376a6b714f2a5e354446f2cf355e67b043bdb0d4c419af3ce930353abb2f09d2b36895f694f84a84872f10c09eab3f57570

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
128KB

MD5
8f93d49759472ffb935ce038e20436f4

SHA1
6f33156d73515f64e1ab34ebb2225b42a8c2e1bb

SHA256
aeae51d8e6f373136860fcb34a8cd3e54b796300bc14bb988e3d289245c32288

SHA512
e8d1b28709a06f4c4d6bf918a0aad5d1b3f62d39514f039c1bac7e52f29c11fd74cb5c0600385bae508834a310e5d16be1482f008adc7b74500bada843870d4b

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
128KB

MD5
6d8c9da9e7afd313d49783fea95dfca4

SHA1
749aa44833510c8b91d2ab6ac680425a3ba4124a

SHA256
d8453203ef0e728bab8ea58b0e645438be8a18f4951529ee4eb9b8c27d29209e

SHA512
8b5372f051b78694d05532ab9f142869db7054c0df2886aeb5da6278b19d9e838fb4d2d05baa014612be9bae1be6317133ac0deafbfb0e262d6d6cd0c7526e8f

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
128KB

MD5
91f93a5c6d737824ffd9abf00b574b3d

SHA1
37f684026a380ab5f0b3a3d6942782c8f571ccf9

SHA256
b7b8526574d65dba6a761be5b6a7c6e87af1e5d9a00fd2810caf5d960705df2b

SHA512
2143c382ffb0694bde02a09782895ca246f5618c8a4a1a4dc2d619d63a2d6dfde329f21d575bfc597d00cbe4500956ed952e4faec65f55f4529f21a9f310fbf0

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
128KB

MD5
ff8d0f14ebfb7646f0116f6b04c60e93

SHA1
aa24047d62e754aae6b32837ba03d09bdd4e710c

SHA256
462872131c950a53bc0fb213fa5efdd6366277ef5154f6b545a919be1b6f2dfd

SHA512
ed21493cdbde5b9256e97b4accf444403fcc3f32ed7d992caedfeeb17b5123d6fd607c4b8009d391e69770f89f1c662636aa77aec011c4e090aa6013f5e09ca8

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
128KB

MD5
9920170454fe3260dbda6f90e60cabbe

SHA1
e95c1df8dc1f4dadec5002c95c2170fdd36b506d

SHA256
85f1f2eefac8ff1e43a9cd07054bfca12a12f20f4339df1c765b03a325cded9b

SHA512
cc003b85c90519f760cafddc45746b9ad12f6ff4b476e891ba1a4cef4cb91ff8bb4123feafbec845103af4aca15bc94573a90db0f97f7b9dcadaaea47502d6af

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
128KB

MD5
17e9cb45d282838fc516607bfb0ef218

SHA1
a5a6d9d311bb79ae2bb0c4c93f52de28e86bd704

SHA256
6b12fac12a3394a60f4ef7e92ddf4b8140c7a883e31f0453c25707cda3010e27

SHA512
21746e1386550fc312c86cd47d85ee2ef1f178e4aaa8d5fe7ffc521539ef087f903607c1226b897e80ee3adf65864c62d80d68f59de7fa7fb49b6cb0c6911fc5

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
128KB

MD5
5ed81398e06a8c843715fc406d9d67d9

SHA1
d9cdb40ea3c5a5a8dbe953f743343b0316aa1e7f

SHA256
f39986cc4e0fbd3bebc4640d1045d52f63f399285b60e0b424b8a0c649cdb5f6

SHA512
40ea0203286f0f9370494d3840311a81bbb0b41c56a4b7f86f4b06c3d22f6ecc07f0a285e7d746c777bbf40a674b25809896a1bd2c424cb1a0cebb368213b15e

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
128KB

MD5
5b22955b9966740df25e860cf6d405da

SHA1
6b02fb72d5065b7df80d6edfe1e9486d791b78ac

SHA256
b803c4fa5cbc064daafa960b3f0e7817590fb8ce0adfcfc14d14f61b11c7ca9a

SHA512
5cdcb83a0fba15296cae5cdac2ec16a2b1356752f090f23927fb0278a72e2822225f6e7084a5c8251fa27ac1ad8b8921ee45cc811fdd517c22e9faee2bc4bacf

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
128KB

MD5
c3170c241f816baa42b3404b9d1c03c6

SHA1
5c51aa62f0956c07de23250cad523ed9e87d127a

SHA256
82622304537b29bbb531b7f409741290163f1a97b6fbee6a41bd5528a88a3aca

SHA512
cbdc21d4ae9b0dc70bd6925ee7392c129e8a44277c44cc2ed8e90c84a99e2d817e7e26eada86332759066ba8282d4f347d91e3f8bdec92cdcb2e98683605a098

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
128KB

MD5
5bf9817d4319e5639fee1c9826dd008c

SHA1
26a9db45a21d5028fb0e64d7be04a8f945a9bea4

SHA256
2952dcb2cee6f98f98c4c3d22f1ce39ef1c65b401ac3be85c43049465c54bc51

SHA512
087a7e731bf34660213e690730afbb08f1182b856a75f664423e5caf8e577a0368108782c67981fbb6af6dba2f34495d5d2ae199c0587ca00dc8241921868900

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
128KB

MD5
2d0aee02099b09617b2c6f513301b8c4

SHA1
3568ab5f487de99108723f132b4a6b0f39e852e6

SHA256
59911a69b601a9d6f63cb9f074cebdd39dcf9f5c41c03aa90e123f016dcdad64

SHA512
fa05d19e1c5035244b77c9decd9d43d022517f063284246b7dbebf56f3b37b402ae3ada182584707f710699568bab24c09caa1128e2fc0ccfd1c5d614e7b9e44

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
128KB

MD5
1e072cdd7424fe3bfab1afe8b48ea599

SHA1
cacf6a3b3c854cc6f75162d08e0112f4259a062a

SHA256
a1161e16622aaaa9da33a0e1b15a75ea4f8de0b7edf3e410a7e119ac7c9a8a96

SHA512
a685ec51840d24fbd75b1af04f397e7ad369eb3a51496e45af72ca18de09cf2f22ff207b132afee803632d28877a18e27b0f9fc1afe6beb07a7faee1304a1aaa

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
128KB

MD5
8f6eeb46da5b3d667af8a40f7b8cd4ec

SHA1
77ea3f4b2598b95dd65222119de65e29d60628d3

SHA256
384721c5773c0790d735e89c3b295b50c5ea3770c372e33721984f41a0206613

SHA512
881a1775e93b2b463da67b65f44bdae69a112e39590495cb5bc195398b4aa792c4bc1ad017f28a4ce17e70a8129ac09b3eae8ff338ec0f584068f830b35190ee

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
128KB

MD5
31869f70b7eee1d2357532f7baf8a805

SHA1
864e4a73d924c814eb378e0d2cd17ab7d2448bcc

SHA256
061824123ffa8fbb46179ef6babd3e93b21b49adc2cfca6869ede88fda8a284f

SHA512
539652261497cd63d8857f9bbac77fce0a843dfc7a5f7fc17f833cb17c5d5ee069ea9b40be8cc73e51bd187af566406ac9b7dd459622520348c88a64f309909a

Download Submit
memory/216-248-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/220-127-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/432-496-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/528-310-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/664-573-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/848-579-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/848-39-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/884-346-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/940-223-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/948-298-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1048-268-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1056-537-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1108-240-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1204-328-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1244-566-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1288-327-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1304-358-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1376-466-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1392-207-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1396-398-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1412-119-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1488-542-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1516-430-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1640-594-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1656-593-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1656-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1724-23-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1724-565-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1804-144-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1880-280-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1896-31-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1896-572-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1976-304-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2004-442-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2028-376-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2032-382-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2036-316-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2220-200-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2364-460-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2368-502-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2420-374-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2464-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2464-544-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2468-587-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2532-448-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2672-352-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2680-290-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2684-406-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2696-79-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2728-508-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2924-262-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2952-274-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2976-526-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3076-478-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3112-168-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3116-191-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3124-364-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3132-388-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3152-183-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3188-472-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3192-159-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3204-232-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3224-436-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3240-484-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3376-103-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3464-71-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3560-152-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3580-558-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3580-15-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3692-552-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3708-64-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3728-424-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3984-418-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4060-87-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4100-520-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4140-260-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4148-412-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4152-111-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4168-215-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4176-176-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4220-400-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4228-559-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4308-545-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4316-490-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4348-96-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4368-135-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4436-514-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4544-334-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4632-292-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4808-340-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4832-454-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4872-551-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4872-7-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4960-586-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4960-47-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5104-580-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads