f5018aeb2c36214eba3e856fef75857ef66de68e8478c10024f7c821073ae193

Analysis

max time kernel
116s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a24e3f5a38d6a2f9c44b3473dd4ce2c0N.exe
Size

96KB
MD5

a24e3f5a38d6a2f9c44b3473dd4ce2c0
SHA1

2cfda4ac5a9c8fe0c707901ebb50fb586bf42123
SHA256

f5018aeb2c36214eba3e856fef75857ef66de68e8478c10024f7c821073ae193
SHA512

d6d656915198d85b0a4d58447f53a268921e3ab25ea0b377bb4995ac82298798e2642d33c28d7fc82d33f5231ceeb7080d4bf3de5bc8991cc0e548f14f0c77e5
SSDEEP

1536:zhK6UBrQYxX8WClfdZXDkRbyF3cEVEt2Lcu7RZObZUUWaegPYA:zhjUBrQYx7ClfjXa+7ClUUWae

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jimekgff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlpkba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jifhaenk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbjcolha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibgmdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmabdibj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hofdacke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeqmoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jedeph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kemhff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imakkfdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmabdibj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcdmga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lffhfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpgfooop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipkhdeq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kboljk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbaipkbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meiaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpbmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Likjcbkc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmcojh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbbdholl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jblpek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe

Executes dropped EXE 64 IoCs

pid	Process
908	Hmabdibj.exe
2220	Hopnqdan.exe
4836	Hckjacjg.exe
2652	Helfik32.exe
1520	Hmcojh32.exe
3708	Hobkfd32.exe
3700	Hcmgfbhd.exe
552	Heocnk32.exe
2460	Hkikkeeo.exe
4516	Hbbdholl.exe
4220	Heapdjlp.exe
4064	Hmhhehlb.exe
3280	Hofdacke.exe
1176	Hbeqmoji.exe
1136	Hioiji32.exe
4360	Hkmefd32.exe
4272	Hcdmga32.exe
3100	Iefioj32.exe
4624	Immapg32.exe
760	Ipknlb32.exe
4488	Icgjmapi.exe
4824	Iehfdi32.exe
4976	Imoneg32.exe
2712	Icifbang.exe
1984	Iejcji32.exe
3096	Imakkfdg.exe
4336	Ippggbck.exe
1864	Jimekgff.exe
3812	Jpgmha32.exe
3720	Jbeidl32.exe
948	Jedeph32.exe
4920	Jmknaell.exe
4244	Jpijnqkp.exe
2948	Jbhfjljd.exe
3284	Jfcbjk32.exe
1872	Jianff32.exe
564	Jlpkba32.exe
3772	Jcgbco32.exe
4304	Jbjcolha.exe
1724	Jidklf32.exe
2056	Jpnchp32.exe
3680	Jblpek32.exe
1456	Jifhaenk.exe
2164	Jlednamo.exe
1868	Jpppnp32.exe
2012	Kboljk32.exe
3832	Kemhff32.exe
2604	Kmdqgd32.exe
1308	Kpbmco32.exe
2548	Kbaipkbi.exe
3116	Kepelfam.exe
320	Kmfmmcbo.exe
3452	Kpeiioac.exe
220	Kbceejpf.exe
2844	Kfoafi32.exe
4536	Kimnbd32.exe
1564	Kmijbcpl.exe
1208	Kpgfooop.exe
3872	Kfankifm.exe
2908	Kipkhdeq.exe
1084	Kmkfhc32.exe
3216	Kpjcdn32.exe
652	Kbhoqj32.exe
2492	Kefkme32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cefofm32.dll	Jedeph32.exe
File opened for modification	C:\Windows\SysWOW64\Lgmngglp.exe	Ldoaklml.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Hcmgfbhd.exe	Hobkfd32.exe
File created	C:\Windows\SysWOW64\Jiopcppf.dll	Jbeidl32.exe
File created	C:\Windows\SysWOW64\Ndqgbjkm.dll	Jblpek32.exe
File created	C:\Windows\SysWOW64\Codqon32.dll	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Pmdfog32.dll	Kfoafi32.exe
File opened for modification	C:\Windows\SysWOW64\Ldleel32.exe	Llemdo32.exe
File created	C:\Windows\SysWOW64\Olcjhi32.dll	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Fqqlehck.dll	Helfik32.exe
File created	C:\Windows\SysWOW64\Ieakglmn.dll	Hioiji32.exe
File opened for modification	C:\Windows\SysWOW64\Jbhfjljd.exe	Jpijnqkp.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Docjlc32.dll	Immapg32.exe
File opened for modification	C:\Windows\SysWOW64\Kbceejpf.exe	Kpeiioac.exe
File created	C:\Windows\SysWOW64\Gcdmai32.dll	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Nodfmh32.dll	Mckemg32.exe
File created	C:\Windows\SysWOW64\Odkjng32.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Heapdjlp.exe	Hbbdholl.exe
File created	C:\Windows\SysWOW64\Iehfdi32.exe	Icgjmapi.exe
File opened for modification	C:\Windows\SysWOW64\Meiaib32.exe	Mckemg32.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Pldhcm32.dll	Iefioj32.exe
File opened for modification	C:\Windows\SysWOW64\Nfjjppmm.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pqmjog32.exe
File opened for modification	C:\Windows\SysWOW64\Lpebpm32.exe	Likjcbkc.exe
File created	C:\Windows\SysWOW64\Bnecbhin.dll	Mgagbf32.exe
File opened for modification	C:\Windows\SysWOW64\Mgkjhe32.exe	Mpablkhc.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Nnneknob.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Njohbh32.dll	Icgjmapi.exe
File created	C:\Windows\SysWOW64\Efjecajf.dll	Kmkfhc32.exe
File created	C:\Windows\SysWOW64\Liimncmf.exe	Lfkaag32.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Kpgfooop.exe	Kmijbcpl.exe
File created	C:\Windows\SysWOW64\Ebinhj32.dll	Mdehlk32.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Jlednamo.exe	Jifhaenk.exe
File created	C:\Windows\SysWOW64\Coffpf32.dll	Nphhmj32.exe
File opened for modification	C:\Windows\SysWOW64\Ognpebpj.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Iejcji32.exe	Icifbang.exe
File opened for modification	C:\Windows\SysWOW64\Ipknlb32.exe	Immapg32.exe
File created	C:\Windows\SysWOW64\Gnpllc32.dll	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Hbeqmoji.exe	Hofdacke.exe
File opened for modification	C:\Windows\SysWOW64\Jedeph32.exe	Jbeidl32.exe
File created	C:\Windows\SysWOW64\Aomaga32.dll	Likjcbkc.exe
File created	C:\Windows\SysWOW64\Eikdngcl.dll	Kepelfam.exe
File created	C:\Windows\SysWOW64\Ippggbck.exe	Imakkfdg.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Oendmdab.dll	Jpppnp32.exe
File created	C:\Windows\SysWOW64\Pcbmka32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Lffnijnj.dll	Mpablkhc.exe
File created	C:\Windows\SysWOW64\Ngbpidjh.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Afjlnk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7092	7004	WerFault.exe	269

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcgbco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgfooop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpgmha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iehfdi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kboljk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnlpnih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hopnqdan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpjcdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpppnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkfhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kibgmdcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lffhfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmppcbjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpbmco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphoelqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hioiji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpeiioac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Helfik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kepelfam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpebpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgkjhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jblpek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldjhpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkmefd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefkme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedeph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpnchp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdgljmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leihbeib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hofdacke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfmmcbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlednamo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfoafi32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jedeph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbhoqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olcjhi32.dll"	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdfonda.dll"	a24e3f5a38d6a2f9c44b3473dd4ce2c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbbhk32.dll"	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Immapg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfnhlp32.dll"	Jlpkba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjjplc32.dll"	Kboljk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kepelfam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipnjafgo.dll"	Hopnqdan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkebndc.dll"	Hbbdholl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfcbjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcdmga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfcbjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnecbhin.dll"	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmkfhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdfog32.dll"	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blleba32.dll"	Mlopkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hioiji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hofdacke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffhoqj32.dll"	Kimnbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldleel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmabdibj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefofm32.dll"	Jedeph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnqbanmo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 908	1304	a24e3f5a38d6a2f9c44b3473dd4ce2c0N.exe	84
PID 1304 wrote to memory of 908	1304	a24e3f5a38d6a2f9c44b3473dd4ce2c0N.exe	84
PID 1304 wrote to memory of 908	1304	a24e3f5a38d6a2f9c44b3473dd4ce2c0N.exe	84
PID 908 wrote to memory of 2220	908	Hmabdibj.exe	85
PID 908 wrote to memory of 2220	908	Hmabdibj.exe	85
PID 908 wrote to memory of 2220	908	Hmabdibj.exe	85
PID 2220 wrote to memory of 4836	2220	Hopnqdan.exe	86
PID 2220 wrote to memory of 4836	2220	Hopnqdan.exe	86
PID 2220 wrote to memory of 4836	2220	Hopnqdan.exe	86
PID 4836 wrote to memory of 2652	4836	Hckjacjg.exe	87
PID 4836 wrote to memory of 2652	4836	Hckjacjg.exe	87
PID 4836 wrote to memory of 2652	4836	Hckjacjg.exe	87
PID 2652 wrote to memory of 1520	2652	Helfik32.exe	88
PID 2652 wrote to memory of 1520	2652	Helfik32.exe	88
PID 2652 wrote to memory of 1520	2652	Helfik32.exe	88
PID 1520 wrote to memory of 3708	1520	Hmcojh32.exe	89
PID 1520 wrote to memory of 3708	1520	Hmcojh32.exe	89
PID 1520 wrote to memory of 3708	1520	Hmcojh32.exe	89
PID 3708 wrote to memory of 3700	3708	Hobkfd32.exe	91
PID 3708 wrote to memory of 3700	3708	Hobkfd32.exe	91
PID 3708 wrote to memory of 3700	3708	Hobkfd32.exe	91
PID 3700 wrote to memory of 552	3700	Hcmgfbhd.exe	92
PID 3700 wrote to memory of 552	3700	Hcmgfbhd.exe	92
PID 3700 wrote to memory of 552	3700	Hcmgfbhd.exe	92
PID 552 wrote to memory of 2460	552	Heocnk32.exe	93
PID 552 wrote to memory of 2460	552	Heocnk32.exe	93
PID 552 wrote to memory of 2460	552	Heocnk32.exe	93
PID 2460 wrote to memory of 4516	2460	Hkikkeeo.exe	95
PID 2460 wrote to memory of 4516	2460	Hkikkeeo.exe	95
PID 2460 wrote to memory of 4516	2460	Hkikkeeo.exe	95
PID 4516 wrote to memory of 4220	4516	Hbbdholl.exe	96
PID 4516 wrote to memory of 4220	4516	Hbbdholl.exe	96
PID 4516 wrote to memory of 4220	4516	Hbbdholl.exe	96
PID 4220 wrote to memory of 4064	4220	Heapdjlp.exe	97
PID 4220 wrote to memory of 4064	4220	Heapdjlp.exe	97
PID 4220 wrote to memory of 4064	4220	Heapdjlp.exe	97
PID 4064 wrote to memory of 3280	4064	Hmhhehlb.exe	98
PID 4064 wrote to memory of 3280	4064	Hmhhehlb.exe	98
PID 4064 wrote to memory of 3280	4064	Hmhhehlb.exe	98
PID 3280 wrote to memory of 1176	3280	Hofdacke.exe	100
PID 3280 wrote to memory of 1176	3280	Hofdacke.exe	100
PID 3280 wrote to memory of 1176	3280	Hofdacke.exe	100
PID 1176 wrote to memory of 1136	1176	Hbeqmoji.exe	101
PID 1176 wrote to memory of 1136	1176	Hbeqmoji.exe	101
PID 1176 wrote to memory of 1136	1176	Hbeqmoji.exe	101
PID 1136 wrote to memory of 4360	1136	Hioiji32.exe	102
PID 1136 wrote to memory of 4360	1136	Hioiji32.exe	102
PID 1136 wrote to memory of 4360	1136	Hioiji32.exe	102
PID 4360 wrote to memory of 4272	4360	Hkmefd32.exe	103
PID 4360 wrote to memory of 4272	4360	Hkmefd32.exe	103
PID 4360 wrote to memory of 4272	4360	Hkmefd32.exe	103
PID 4272 wrote to memory of 3100	4272	Hcdmga32.exe	104
PID 4272 wrote to memory of 3100	4272	Hcdmga32.exe	104
PID 4272 wrote to memory of 3100	4272	Hcdmga32.exe	104
PID 3100 wrote to memory of 4624	3100	Iefioj32.exe	105
PID 3100 wrote to memory of 4624	3100	Iefioj32.exe	105
PID 3100 wrote to memory of 4624	3100	Iefioj32.exe	105
PID 4624 wrote to memory of 760	4624	Immapg32.exe	106
PID 4624 wrote to memory of 760	4624	Immapg32.exe	106
PID 4624 wrote to memory of 760	4624	Immapg32.exe	106
PID 760 wrote to memory of 4488	760	Ipknlb32.exe	107
PID 760 wrote to memory of 4488	760	Ipknlb32.exe	107
PID 760 wrote to memory of 4488	760	Ipknlb32.exe	107
PID 4488 wrote to memory of 4824	4488	Icgjmapi.exe	108

C:\Users\Admin\AppData\Local\Temp\a24e3f5a38d6a2f9c44b3473dd4ce2c0N.exe
"C:\Users\Admin\AppData\Local\Temp\a24e3f5a38d6a2f9c44b3473dd4ce2c0N.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\SysWOW64\Hmabdibj.exe
  C:\Windows\system32\Hmabdibj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Windows\SysWOW64\Hopnqdan.exe
    C:\Windows\system32\Hopnqdan.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Windows\SysWOW64\Hckjacjg.exe
      C:\Windows\system32\Hckjacjg.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4836
    - - C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2652
      - C:\Windows\SysWOW64\Hmcojh32.exe
        
        C:\Windows\system32\Hmcojh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Hbbdholl.exe
        
        C:\Windows\system32\Hbbdholl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Hmhhehlb.exe
        
        C:\Windows\system32\Hmhhehlb.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Hcdmga32.exe
        
        C:\Windows\system32\Hcdmga32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        24⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2712
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        26⤵
        Executes dropped EXE
        
        PID:1984
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3096
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        28⤵
        Executes dropped EXE
        
        PID:4336
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1864
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3812
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3720
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        33⤵
        Executes dropped EXE
        
        PID:4920
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4244
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        35⤵
        Executes dropped EXE
        
        PID:2948
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        37⤵
        Executes dropped EXE
        
        PID:1872
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:564
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3772
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4304
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        41⤵
        Executes dropped EXE
        
        PID:1724
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1456
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3832
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        49⤵
        Executes dropped EXE
        
        PID:2604
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2548
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:320
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:220
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1564
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        60⤵
        Executes dropped EXE
        
        PID:3872
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2908
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3216
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        67⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:3300
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4040
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:3864
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4000
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        76⤵
        Drops file in System32 directory
        
        PID:1300
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        79⤵
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        80⤵
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        81⤵
        Drops file in System32 directory
        
        PID:4296
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2344
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        85⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1708
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        90⤵
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        92⤵
        
        PID:460
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        93⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        95⤵
        
        PID:764
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        96⤵
        Drops file in System32 directory
        
        PID:3364
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2216
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5164
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        99⤵
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        100⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5296
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        102⤵
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:5424
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5468
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        108⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        109⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5688
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        112⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        115⤵
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        116⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6040
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:6128
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        121⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        123⤵
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        125⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        127⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5632
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        130⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        131⤵
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        132⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:4212
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        134⤵
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        137⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        138⤵
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        139⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        140⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5588
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        142⤵
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        143⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        145⤵
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        146⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6056
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5132
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        149⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        150⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        151⤵
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        152⤵
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5272
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        155⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        156⤵
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        158⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        159⤵
        Drops file in System32 directory
        
        PID:5684
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:4188
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        161⤵
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        162⤵
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5752
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        164⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6160
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6208
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6256
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:6300
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6344
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        170⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6388
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        171⤵
        Modifies registry class
        
        PID:6432
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        172⤵
        Drops file in System32 directory
        
        PID:6476
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6520
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:6564
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        175⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        176⤵
        Modifies registry class
        
        PID:6652
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6696
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6740
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        179⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        180⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6828
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6872
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        182⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        183⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:7004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7004 -s 396
        185⤵
        Program crash
        
        PID:7092

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 7004 -ip 7004
1⤵
PID:7064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
96KB

MD5
3623e1aa11e9071edc41f029d51c3607

SHA1
6cb608ed69d5542fb52646decd28d5feaba3ee0f

SHA256
11abdcb55fa1c427820baf53ad4e2ef2c79693245ecfdd8ddaf977a9298b52ea

SHA512
cc2930a3f756cb9d89fada6014baa4c822502c2491c7b36c14ec87b1b3e73a1cfd4a601a5b64c13f3d6eb1a1ccc0cf8c96e8edd3033af04c4846d10c41cd781f

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
96KB

MD5
d15ccde5c4dfd393997f85095821ba3c

SHA1
be1ea6f5eb71b306130d3572b38eaf201b592fd9

SHA256
4300e689d4717738dd691297ba4d0b5cc3d000b78f16b8c8c2a914ec03172efa

SHA512
0675904a6167284994db56976bcd50c85902408626d954fe085f0052482f5756ee699c82f3e4867558796a16d8264d1bc6e8d7bcc80acc9be5b028c1293c0aa2

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
96KB

MD5
c403a7a160880cc6cfbadd86f99e7471

SHA1
3bce78fbefc4a5e36cedb680a775c83af28c4f97

SHA256
b4bf7a2974a3295b9de74c791c11d8443551939c67d0a14b3b48cc531fcc5943

SHA512
b83547639943c94f33a02dff513e277f31fead7af4b616daa6bcfe5a0b1d53a787c8387e09a7c06d5b828bcac5bcd4e469e5550946434e0a2dd0fadba34ba590

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
96KB

MD5
fec155e4a48b70acb5593da251ce422a

SHA1
377f663e0a96edd537e269f7440d5380e6fc6ef0

SHA256
0fe4db37365f7fc53c87d36219aff4ad7fcc3a124ad7fc51560172ac9eae7927

SHA512
7d2a4b7079c0c8e942f6ed90aabe10c8744e78ef3103cd9d3597fe97780a9e4e22c5b2e615ac135fa4457f4ccd8a9209d5dbc7fa28fca73c49fe4429ebe5c0f4

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
96KB

MD5
91961045d82cd323766a2bcdb3d914cf

SHA1
ddfcd3f2d9964356e0be036a97aadeb58792d39e

SHA256
2bc2f1a2546977391e9acda2bc0703db7b1e930d373f93557eaff7f705354612

SHA512
6db24851a92893312c03f522e3ad737a219ec4fb682343a685a155760cc1d5999de8bf2dc6076c1227c786e1f2a2b6be6542f1a21dcd62083d8fa3db5b0451b6

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
96KB

MD5
12053a335e9f7e9262f9c44fd33b712a

SHA1
e65ded2ef2ff9ee3f048ee05a76704bd53964020

SHA256
423a5b5262fe680d0aefe8f4a929d9e8679fdb39cfefcddfb5ff15169bda11f1

SHA512
3e48ae54bd6094597040d9966a648e72aab3e7b316b80435c0e2e6364048a67f7d146e78686e4db1f684e7855ba9fe3c62bd4c41e82382e12e25b85000bdb57f

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
96KB

MD5
b678dc61ba3b5c935c70c751c2a0c769

SHA1
2bb505410ad53c4404235e41ee7a69da281e05a3

SHA256
f9edaed92905a6884d4eb9b831863f9aa8112cff67205b872cd2ad05e4d84b1a

SHA512
8a0f4d83c46090dd2b20cee3d615b1db5e4517d0ec9e132bb8bdf3d0d3aaa7f2ceb03b5f5c39b46153a038dfabe8b8e58c91a10b1e07fd2a6e27d6f84256a0f8

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
96KB

MD5
54be03c96453032fb8daa8d6939214d3

SHA1
dcaa2cfe0ea8e7af6f074e13d47d866e3e1d2937

SHA256
3cd07b12f69c20791f6ce245d49a00bdce5b16011a7dc690a37d992aa7c7a113

SHA512
e02185e2c6f436bb2bfc57ef658a10bf5c04283c0730560fbc7399b207e4438853ff7f822139ee72c3e805aa8b36b345950898e3f7a3c30e6c9c10e5f6a5bd14

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
5c297c20b78db9e9af0784f0edbf94b4

SHA1
999ca90c370d379b2b389d8deffffa14c5aaeef7

SHA256
e708213cb3b2e7a834d88c9389659448e09d2ae580482d25a818c4b3db58763c

SHA512
e1ccc24673b2055d81736b6a0fd5d4bd1b41b35ceb5c130de6bfaf431f2de602cc4700e3dc43ee2f41bd2ec163719d72b9d29e4b77454500e151cf64fafb7dd1

Download Submit
C:\Windows\SysWOW64\Hbbdholl.exe

Filesize
96KB

MD5
dfb6fe2e1b49655e75b49f014e750563

SHA1
4881f8805527c271ec51347916b0ac810504c343

SHA256
d388a08378234564d99679a8103e7c48fec4ae0fecfd02d69c2dee403c9cc3d4

SHA512
5f7d0546958ab79897f4c859feba7d3c381d157cf90f79fbb570f2bf66ff4e014c80c1a5fddf2921d56cd32c4f9a7a7f34d97eb848b360db4424019dfb348243

Download Submit
C:\Windows\SysWOW64\Hbeqmoji.exe

Filesize
96KB

MD5
51eb13b7579ab169e61be5ce1b861374

SHA1
fde612f0f1e2d4772e2adde952cb43810253a1f4

SHA256
38ec7681cc806e7f1f5e9a08a1dae32f6629dceeb1bc97982def17ff7b2b0c0f

SHA512
22534e54d73eac537f22241fd589e838aaf2758f13d3ec447a3d59273102e3f593c3e484994e4520571cf76089d967a495898168d3776258e1d42261d65267e3

Download Submit
C:\Windows\SysWOW64\Hcdmga32.exe

Filesize
96KB

MD5
2e5bcc598f688b85e68be6e7307ccf06

SHA1
c15bdfa05c23b457a2d742457b329bfe6ebc3eba

SHA256
bb23856f2d194d68c52ca2e1d4cbd9fa25723d71254ffd5fce553a8f072940a7

SHA512
ac3ae9ecebc01b4d0b9f04a42d33b7c5ae658bfc20aecd6a3cf460d29e06435c6115a8024f9a27c331776e7d9268285cc896cd3d1134309f29a3fd275e99e0a6

Download Submit
C:\Windows\SysWOW64\Hckjacjg.exe

Filesize
96KB

MD5
6457a25948f1a1be573ab3278b176010

SHA1
2318feb28beaa995a3a4a05f4f442f0b5e874b2b

SHA256
0c02354638c75a1bde2b5369cdb9248cd83446b7866836550c8cf1a824fe28d6

SHA512
bea6888eb190b9c508bb138fcb0c2cb0c11b8cebdaac349941021c4b01896e2e9f36189504b64ed3ba6389ff124b773c99bea5f3b341cc310e4e32151a89b921

Download Submit
C:\Windows\SysWOW64\Hcmgfbhd.exe

Filesize
96KB

MD5
1207524d16554fa52df70d00351abe5d

SHA1
0131abb23fa67a69e8a4a06e7e5cada7401051be

SHA256
f75c4607ac717d31fc021e083634d330f668b7c5bbbea31e49f3f1075dde57f0

SHA512
34542f593c83cbf61e265e3111e2e66d282cca426324ba15c88d77badb7bdf7e0db96b1ccae16c37fb6d2e87ed3ef74428e138e28aef7cb154ec90c601588f94

Download Submit
C:\Windows\SysWOW64\Heapdjlp.exe

Filesize
96KB

MD5
b1bdb2da4f0027c28bd2ef3c57018552

SHA1
54f91a1b92c09c5a167138dfc912450a83db0627

SHA256
ba74883b8921f5fa350450161e7c261abf7a3926ccad87514b837dfd02f942ba

SHA512
cbba77ed334815a0daee56640064e930c1ed6b0e5d0c868c0d7bcba622c0b0ea602d75110bc684dc8d140d18413b191557b1be8573e4ab20e37589c1301d6ce1

Download Submit
C:\Windows\SysWOW64\Helfik32.exe

Filesize
96KB

MD5
a5022feb7b2c876fdfe2d227936c56d8

SHA1
a75aa7d0895863328753a4fc24efbed2918e9151

SHA256
aa3a139aeffc985406a7b9eb6633e58f615734efd8d64983a09b22abe78abba0

SHA512
44ff9d14df074ed32d98e2b54b7307895482d5cb3593aef5c8072fdfdda5d574e298d3421b9459aeb0a48d233a780c43448b6551681df7a35a61e48c06bed5fa

Download Submit
C:\Windows\SysWOW64\Heocnk32.exe

Filesize
96KB

MD5
46378e98fedd62a8592556d67de2c8d8

SHA1
dcbf52be0e8d2815644e69c4478e0543782fd51b

SHA256
0639ce0ccf8ac2edb168acd8769626739aec26f4e4f3735ab31c7104b1f130d1

SHA512
bd08a85946add7b686121d3babaed4efdff7b98e4ee7ca474ef910359c84d4b817364b65474dbc04462f8d82d79d9876cc5c3a34ca3adf9dba925f8f57dac13b

Download Submit
C:\Windows\SysWOW64\Hioiji32.exe

Filesize
96KB

MD5
1ada0e5f46f2ce8fb1dd7a75a6eca0c2

SHA1
a5223dfc0714824fd514d5d47e11264bde7d48da

SHA256
5e3b657fd71fa38ee8dfd1b0d661d6032b82debbd29802e4b7d84780d6313b21

SHA512
435a363b494a0e23dfdedbd70ef56235af3abd35968596601dd1636518e7084d9f991db9355029ccd20dbc9db341ae9103cb28a1bb3f7510c5f0313c86d8fef0

Download Submit
C:\Windows\SysWOW64\Hkikkeeo.exe

Filesize
96KB

MD5
752b715532021df16ca27425f365b91f

SHA1
b3942173629688a34d62238dc103c64ab0ced5c1

SHA256
4105877e004c296c854cf84a39e7affaeb96bc958ff0aa6f6c2cbc121744fde4

SHA512
27196b551cb82c5e1442ffb6b5c19658f3d5d6027727e18b5793e1491c9ef321dcdb5f5d21f3d23feada73999c870befbe8e6f2f5b004a96ecf26957d6918139

Download Submit
C:\Windows\SysWOW64\Hkmefd32.exe

Filesize
96KB

MD5
fb67f315d33c6b6a7479dea9c70c1d18

SHA1
1b6de7eea0291bbdc1816560f8f1148666e8a41f

SHA256
b96ddbeb74c9a114957653d9623189fd716b217cc64a86e447eb5ae5103f2678

SHA512
63ad23a79656f1d8b16fc66af294a5514705e23ad25d32eedbde8d9a54d2431cbca4f8802e111758b45ba3940fd7b2388f42a66f2139479ed50187df3f014925

Download Submit
C:\Windows\SysWOW64\Hmabdibj.exe

Filesize
96KB

MD5
c839ed5494aa1d08dcfe263780f6be7a

SHA1
bb9360a6203a9322f604f4e1a914f40e7a125e91

SHA256
b5b7b0fd26a12f4689d69ebdd7e150a2c78a671653206875247375e33e5da277

SHA512
648b879256c66151c31c85c1aeba368c47566a3ad3096e53d19e71b424fe9c2b77dd9bda63f9d8f1302921e34e92b781085a63e6ffd9b575a4b79abdbbaf5344

Download Submit
C:\Windows\SysWOW64\Hmcojh32.exe

Filesize
96KB

MD5
8261ccae254a7ba213df59121dab22da

SHA1
77ac9fa8bb5b1e27710b1399ef2ccc1a8fcde064

SHA256
258a9f98012333a6c25a57a5f784e22dc6d36cd3c0be34e8e70e88cb4ce60360

SHA512
3dea7f7f643e061edada96c79674837c5d6596d4e1766337390de2cfe25fb299d37ea44db404dce2368de7789f157af89f5ac0d05cea32f2491be62b911e6e8c

Download Submit
C:\Windows\SysWOW64\Hmhhehlb.exe

Filesize
96KB

MD5
e7bbc00bc77dabd721226bd176c58c23

SHA1
29bd416ce80fc156b038ceddb26ff67e508170b7

SHA256
504e4ddda407415ceb4c354db124f59062adc3a812ef0b0a6034fdfdcaf0d569

SHA512
fb94e4f114ca6f2fb37e07565b5111cffe01ab6d8b98ca6fd125d2ea0bb18c9843223913ff9f6ac761164b9c285b840562772511f976c54770a9efe3f535172a

Download Submit
C:\Windows\SysWOW64\Hobkfd32.exe

Filesize
96KB

MD5
cb5de7a56a2e1799b4b61262153dae46

SHA1
8295a10ce74d113979aa2f2c679c11f857a8a130

SHA256
c27410961f9daf43a6d6d88b6f1a33b43f99d43f24f24c28fae7686ad72dd4e8

SHA512
0bdc1a5b1ae6eb0b564d4836f49c09ac4ca7236a83cf4c21fbe38f6d0a02a3f2043cdaa76e276f52e0d6e99fa9939d71ecd274a6eec85b0a7f303f13980b2010

Download Submit
C:\Windows\SysWOW64\Hofdacke.exe

Filesize
96KB

MD5
93b0a62517d8a3521038c64897862f68

SHA1
9057c1c17542a1841bc3948444ac5deb8853a838

SHA256
1b4e1d506cb0a9f0cef4ec41f5ec62575bcb1e145a50484256a301f25f528fb9

SHA512
af21924851059fe790610846a9b2cd0304a7e91a2c95a9e73c02007ebc873700946529dadf0b9fc69751bebd7724456dd38348ca1cf837e05152e4347ede581a

Download Submit
C:\Windows\SysWOW64\Hopnqdan.exe

Filesize
96KB

MD5
b4e3f8a1bf444ffd53fb01b540bf2b9d

SHA1
c28ea4de21f67add9dba07860eb159493d22eb94

SHA256
837cf879ca182bfd38de323c92da4ee8a15d4c79e7d992bb60dc3ef53d3edb69

SHA512
b8e8003d82758bfd84aeb7e447d5fddc4db8a3c4e0e959992a1fe82ca429436db42d8c3e614dbc3bc6ed80b2d20e38c9f7a704679d1ac4e76709d3aa35d7472a

Download Submit
C:\Windows\SysWOW64\Icgjmapi.exe

Filesize
96KB

MD5
1d899749d280190ec127dabaac3b7b96

SHA1
eb1a3e772a7c4180f87a0d98d3a3b24e620b04a4

SHA256
c4622dc4d53becfe7290045ae9006de0f13b7642096554f5593240d448a75e7a

SHA512
7623fc7f1deaa66f4d740903a31b980f3461b6c4ad8da545ac718103300d513de77b93fc9b603934bdcd619095b4e5f7c4d4d93fca56af813da8f2992d5c92ee

Download Submit
C:\Windows\SysWOW64\Icifbang.exe

Filesize
96KB

MD5
3a16808f1e3d35da1de7097afd2ed345

SHA1
fbe11a72e056aae9f707d301ed58f429609d975a

SHA256
b1e6f26414d94563f5170a6a9efc74b6f84136a0103d03549e1b1696d931248e

SHA512
3be0d049525852bef55f3c3a807c4bf3798536d38188d5b7ed312cba8cc8deb5f5dbdc620b87f6788236466230e1760c00a24a0f7c7b2f1495b36eea47ae36d7

Download Submit
C:\Windows\SysWOW64\Iefioj32.exe

Filesize
96KB

MD5
83688ec556b8c0614b5f560ae10d2111

SHA1
08317b0ae8eb6f3e347c30a3ea643262ca1e1819

SHA256
de8447d34e4425bfd2d40f8fd7f994fa070736240743ef78aa2bc79dec827858

SHA512
fa03c059bd4c810c65a34b499a6f7ca21a27a8b6a936f2d8253b1a60c4b98335483f6ffd3a0bba7d3c88a2e3cced9fabd7284e97603c864f38a01a9c58a28077

Download Submit
C:\Windows\SysWOW64\Iehfdi32.exe

Filesize
96KB

MD5
f593424a8f0a7aa80179a52bdb2229fb

SHA1
0834d91afead1470ba861e91bc3fa4cfe4af8d16

SHA256
99d2b2c37909a1386bec8364574b5006f309c71c4f6c73ee32ce022b5e124447

SHA512
ed343908deb6a055009eeb34e51801c2fbfd45397c8ae5bd55dccf264b8b73352a240ef62f58da5b55a5575b952aa3aa2398f2fb06cb11a2b5c66bad7b9cdf62

Download Submit
C:\Windows\SysWOW64\Iejcji32.exe

Filesize
96KB

MD5
02886a5ec1616259a01007afa113aa8a

SHA1
77a0f6571b71706aeda19cd1b43962401f5447a4

SHA256
0d6e55f4a741d881a45a79875685ea7bd5c8f3ba1cb871e31ed165030c917c0b

SHA512
8505b437b55c10df39df156ebd3a5934014fa23b3e466c343a729e67e4a8b25a0956d4ee16ea0ca77a4575b893df5a142ded1da05e1db963fecc77527840a584

Download Submit
C:\Windows\SysWOW64\Imakkfdg.exe

Filesize
96KB

MD5
1c25ddbd6ec775c0d99128f8e4876e80

SHA1
f9f6efe4a5dc2c6d622fb0c402c4590d1dba51e0

SHA256
267cb18dfb1ace511eb3d5cb526ac4dda0fb52c9039ac8068e4d0775dfc37f6f

SHA512
97db8fd6ae47ed6730c7ab773e91c851adccf7a292795378f1f7277afde4e73841787f8785a78fc8d54286f87451a63f5a7ba4e63750f3f5918b8d92336878d4

Download Submit
C:\Windows\SysWOW64\Immapg32.exe

Filesize
96KB

MD5
8b678896ca7f753af34b134663f6330e

SHA1
b18354c2a098470941259aaebcfe91c06297e1e5

SHA256
5356b1b99115d04691113cf54a3e7a9a45866d85191536a815c608957b411d9c

SHA512
0c20f04b30ed2cc5acbbea56736b4bc6ee5ca4323fd271c38802628e0893016bb1966fa295df80baa9a5986056d981c7682cdb72a957154b933e19b39038a3a7

Download Submit
C:\Windows\SysWOW64\Imoneg32.exe

Filesize
96KB

MD5
26b94ac7fc195b4188f92f6e76f26913

SHA1
0e6394bca0558e3dfba7f0fe5d0f8c24725c21a8

SHA256
6189f4f0575ad5b49a064f7321b0b97542a3f5eaf0904e2f22a0bd440fe6cd7a

SHA512
7ac08d92b5c4f65b3126a1f02bb9a7b42fcfd853540a2b5206f300020e8deabdf92a39752c1b0418b896de2c90f98bc2802676a32adb084edca1ae8e5962c3f9

Download Submit
C:\Windows\SysWOW64\Ipknlb32.exe

Filesize
96KB

MD5
53984f4c58627db25d8ecf085ad398e5

SHA1
04d3f2b525e068f1855d17fbe0107467a9c6a0ce

SHA256
fc322391457f3d095a0320ef8562ab8cc94702c41096860e04e308b06a238f88

SHA512
3ef141d68f991cb3bcbea125c1c6360b46817e417144ff1673d7767357d129c7939b89d5ebeb4bfb130101036e62ef81cbb5d58b8a3f87541bd26f999d6cccf8

Download Submit
C:\Windows\SysWOW64\Ippggbck.exe

Filesize
96KB

MD5
d2eb081bed1437f537633a1014994407

SHA1
ea23c162c5d61635a31c217cbf9de90665006004

SHA256
cf043a21fff63859c3b37574e033e755d17899f1ceac763b3315e7f313f93c23

SHA512
0da4fc55b625f4e53e15b5206871609bf7c14e4726997a4df5a5d45f981c205a443e03b13ba3b0914f0cd044da728da478e25c3a75f0bf84ca5b7bcbc87ce4a9

Download Submit
C:\Windows\SysWOW64\Jbeidl32.exe

Filesize
96KB

MD5
5d74c05ba3a856734db66323b0941912

SHA1
44af230f0f6bafee9ec510a77ba45e246dd255a4

SHA256
4e3cda17ebefe83bb7e3712a4319dddb5cb583110144ea6f20636cb37f08f1c1

SHA512
f51d472adabc84b098b86dc8da95afc9f2921c74c274e4e5cdf0727dcdb377685e702ef6d193cfe580057b33e7a9d22c0ccd40759c5449bf849f144dba647eec

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
96KB

MD5
e0ee8b1d782559c8f400475aa086aa25

SHA1
321dd36a48e0d9492d283fd562f1a763694f2a3a

SHA256
3df8700712501f2f9658ee20380611e3c3117243ae9bb925e5046a6ed8a6a933

SHA512
d09d1d24c7f2b618461ceed07c2aeb2d029cf86ee121c64be1a9c2a1578c7ace5296a8875c871eaa5d9e7252a61f72792de20e261aaa6fe65bc7211faa433100

Download Submit
C:\Windows\SysWOW64\Jedeph32.exe

Filesize
96KB

MD5
2f5167d82923c5794c25332b0476a458

SHA1
26129d68ab0d56c38c1b02005dae2e15b86bfa00

SHA256
2943b816473ffabc6c0e60b125b39d8ebaca507e308d35d189bd29a81f824c6c

SHA512
2834d3064ddb465478e71e0fd0a6fb338ab5bb25c9ea2c8746be60b895fe3290e9fa5312b1c32c9d09275e64881a9412cfb65e62b037e683518ce6a521e14617

Download Submit
C:\Windows\SysWOW64\Jidklf32.exe

Filesize
96KB

MD5
a8ceefba6f2e990acc655edc8fc84664

SHA1
e0dbe6a36fb99dad1f6eab24e01a00b72972592e

SHA256
04bbc58b621ba187e3719dc60edeb81a7a5a26c457e19efce94e67fd1b524af0

SHA512
3bec1a688bcb4ddd621d6e69c350136160aae6005ff6d0b50259ce50d24cd0a2b55a6bc4e11db270caf41882f3a85ade5939447efda025038c792af6b9ca9a05

Download Submit
C:\Windows\SysWOW64\Jimekgff.exe

Filesize
96KB

MD5
fe611467cd58e47e52e49775701e214b

SHA1
d317b314d9940b49ff415c557ebd894b620db4fd

SHA256
ae052350074044ca26ba772483144fd353c0e87733629aaddd31ccf7923d9a7b

SHA512
f59a99b4a6f13ddb14635101f3b537f3fe97c50015756433a117212398a1b1129c383a82a197295d65afcf5f6f657306e6484166117a73ac7c37d6997c18a496

Download Submit
C:\Windows\SysWOW64\Jlpkba32.exe

Filesize
96KB

MD5
72384e3c0b78642a6ebe533734e2e3f0

SHA1
6b8be2b2bc2437c72c5c6c2c1dec88af6202f8e1

SHA256
c913d6c858a96b7d5fe5f5be1733019dd2c86baf6194eca7af156cc4d37a6a8c

SHA512
558f1e16172a5dbc106a3244a79cf22f5602178a099a6c41a09e917f17d4d668d75fba49eee9eb9472063212a76f59d491220772ffa872c4e16fa822509f84da

Download Submit
C:\Windows\SysWOW64\Jmknaell.exe

Filesize
96KB

MD5
4e8a9ca08980b68def74697a7b842fc8

SHA1
3137d99e53e809870e70a7094535e68c7c659a65

SHA256
f3fbd67d18e0bfd65d037542aba5295fdecc47a7e890389ddb7b6592f5cc46c5

SHA512
beae39772d1d02754344ce9bb7a2014a21c118e68d730d52d8dede3026d1e2c43072c1a78c8881f68ca1059d66d4a4a47c0f5ed6773980c69deafd2c7ed7e657

Download Submit
C:\Windows\SysWOW64\Jpgmha32.exe

Filesize
96KB

MD5
6586b581df4e6e43c13f3bcddb7ba8dc

SHA1
13bfd2ac7f48135e0da566221cbea1b9ec9f4750

SHA256
7635c619615a0ca0b067ef939d6093810870b564497eac8b9bda0eb709632b80

SHA512
27df7e949cea881d585d7d3f9cc418c8f0a164c2c2eb70d08aefc7928be3ab17c604acf5614d05ff32252438f06e7fcbfd81c6b0b76ca0d006d5d28d277c3408

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
96KB

MD5
822e778dfc438182f75ba068d8f3f583

SHA1
071ed219dcfcdd36d7b8cdeee54d9d26a52d617f

SHA256
1a80b1ac28a3715e0eb1afcd71891ed752187d86b164ad626c6efac34afceede

SHA512
181cc89d8266aaf41ed5922475f62779b6f02368cb7883f91ef4617e58c3c2f7566b91383f05872d627552e9d038777096f81e244e1cf28435c55a8bdbbdb068

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
96KB

MD5
de02e4bc33f730b7b4530c42bc7e65b4

SHA1
44f76f0530a71408a5767cf62e282ca2e2199573

SHA256
2f2ead449d9efb18b035074363b3814c329cc0ca13b9b06d2bd6d4155902132f

SHA512
d7a316617fc9028ea94b2b1445bcd25cf33b4a04533de415dec6b8c550b258810647b594d151bf148805697d2f752524d1df17fdf4f183327b9e4fc056571236

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
96KB

MD5
57644c0278275aaf8a729c5d0b9136b2

SHA1
7706ff19036eb461454d678454286c472d37bf72

SHA256
84e104aac0b05824b933b46a90459fd92631d4b34e17f0c28c07ba6a9d807723

SHA512
754fc326b28b047b94f862dd7336093ee0bf5f38e12c232da785d71d6d683c90ffd91781ed35f70a5e68f195828bea703a3b5271175cc062cc11881f105a4107

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
96KB

MD5
c9a02de8babf2aa092cbca2326ceb25a

SHA1
31ecd26cd58dc98c0f3aea48d8c12eb101fcc881

SHA256
fd89c222b391f4f6759d96c414a295ac7df43752865fe5607ab2d4b6b3e63375

SHA512
8dc6ddcbe2216cb0e3df68bd919b6111b376dba0066a802ea27dee8af802f6b776499b749cf2f69cd29dbce2e19df0ff38b28c60602ff034c4478d8532065e38

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
96KB

MD5
abc974e768ac752099922cba259c250b

SHA1
35951a8120a4439465b743ad618aa01c782caaec

SHA256
dab98a4c7a53183f0cb6c25b33f409d9dc23bc2540986a61023f1bc74c9558ea

SHA512
9f92a40832b74d9e00a6d76cf8f21830566d437851e9cf083c83ae6ce02dc9f0699f833d676103c75410d37def0e17b605ccc5a187ae7780bfb507c36303d2f7

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
96KB

MD5
723033216b635a08af842aeeb7fd306b

SHA1
bc00f537073ab9440701b3cae403460fe7e640b4

SHA256
6f4ebe5b05d54cfb316171e4a9e1a0c2123a64b00d17e25c902d974995670022

SHA512
3b58d22a483df648837f04448affe7051d2c5f75c047066eba24aa49602dd524ec5d85ce58d82be3f36866c7667cc05ea6652ddc552a62f858987f1ceea474de

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
96KB

MD5
13b7a1cc7a2c5799ea39c29d19f1e620

SHA1
480a8ecab2ee781d186e9add7ab07547e66873e1

SHA256
d15a413f19ebb8fa2b8caefb10d709b3ea37169bf3b7685aa5bf74d3a9c25111

SHA512
331f10a4a11c92f46ca7c36697998e06cb2ff9a108c594d3189479da6afc40aaca888227f1c5dc160dcaca6e1024a72130da2b41fc1920f6e28f3ae32d8b51e6

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
96KB

MD5
296ab5a372c3ba7cd7a8c24dcc738d40

SHA1
63d84c629f06e4b9315b4c25f61f53d869965bb8

SHA256
aaa31fb7661ad5c4f2a90d718703289a7a8b97b9b1bcdd5733c628f45c6e1522

SHA512
fe121240ef519cc38a9b45d51b5a42d43a69a810aef142db98e20d5aca86ad2794cca9c7fc9b801b773af85b28fc8b90bb95602249bb8d5357c91c72b31abd32

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
96KB

MD5
0ace502db3c13deb665bf4ed3140a962

SHA1
f6d4b13956c9871a3c269fc1405b357f76ca5ecc

SHA256
79dd9327b72ec98febe8d939943f902e6f75b3bb70dad44022470cb521545d21

SHA512
c5dddc237ef6055b46337ca5fcfbb44e7d726e8c8f41b87744c84e5d60b396aee1bbc1a084dca0c7e9b592da2860ff37430cd767e82742ad0821b9b5f56c9080

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
96KB

MD5
f322d574171dc18f8edde0d5027efdef

SHA1
0f425ceafb455231a370931193b266c9d957cf9c

SHA256
a5683ef9ab113d98fe6b3debb0437c67ce636a64ad9e752a2af29bd4374a4813

SHA512
5362dc52dfb47b42172cefee9d0007146963b6a93334770a9ef0c3d3ac128dabeb83616c34cbd4b82ebb1bdfc20a2de5a1e30f82043902fe5a6c42b04fc66601

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
96KB

MD5
aefe2d360b0337327b651cd26dac45b1

SHA1
a9171369611da3bca4917e4e03ac1e96de948864

SHA256
b5761ac386b8abc1ce15b8f650cdbf369e70d5ba3dc170260706c183aa9e9dcc

SHA512
602ee10ade57d434b8270b6380788f59328cf704b851c6fb91d74debc9cfa81f05ed3f2d0eca82dbacefd4b45026dc7e5021fd821e7421b0201f786e16d2ab41

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
96KB

MD5
8ff9e8e48204c184ad9e3c8e3bce56fa

SHA1
312725c8885458911ef199174d9762268ab5973e

SHA256
5f4aee6db9f1bb2e7769d4cc44aa81b744e11f9d5e9f59ab613b250463617e39

SHA512
049cd8d22a55cfbc7b49c1044fba76515d07abb105077906bfbc569bde5e60c05d7e00a3fd9212e4e6a78a456b758681885c11662df3cd2d50e8821a89aa9fd9

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
96KB

MD5
a566efaa3bd033dd4b17ff4837757363

SHA1
237aee6001b86732d0fbb992eade51696d1aa0b0

SHA256
eebad1b90784fd82996e88a83a5cd6381f216d3f6ac23710c94b34a09e6fa03f

SHA512
0069554a514bfb8fe00f15838a024a851a56b1671479eff920bf7bd8abc44c9dad81b5dc23548b9068fb041d1475a6cadb679e3c783fa5b9ed36e51bd2dc5bc6

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
96KB

MD5
af5c309f123c13f72ddeb0e2f53900dc

SHA1
c0532d750fd100a1275bfac633f2ff2893a9bcd8

SHA256
e9799ccc5c0f0f332d789441eee507f9db70b445dbec0723e6ccc101133620f6

SHA512
246251f96fa99c393c990295882dbee65b603af551721784237683ddd5eadbc3ebe4e75ae2b890e501d0760601c0d9b7d1ac49d25b08a20aea9b5d4a97fea6d9

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
96KB

MD5
e5211c9eafb9257815f7b6b968057cc5

SHA1
5514672dc70744342978ded207ce297c924a2481

SHA256
fb6159ef5077a7cbf7063f783559ad5b214cfe10bef5c5481e53ae66b86791c2

SHA512
0fbfc6f18470a049d475146aea93ca0f01e8fce4f33cf35385559f5976d5488d4cb2d91e3d914b228c11bccb1a357fe4740babf0df53c5ace90bf338cbcd4f0b

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
96KB

MD5
c1d584c5479b97b4738bd2dab9596d72

SHA1
7875b6a75bba81521c18ff0fa00773c25077efde

SHA256
f492a1c1c290ff8c3c5dd83afbe9089e885953a4cd46ef81996c66b78df30690

SHA512
1cb3ad83b2b1ed3d45a72dc207fd1137a9a3fbd2742b1ad53ba76140c108fd585f42bbd1531070c08491d4f280acae901359d7dd9c20f2c9a5fbbd4cfd9e08fb

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
96KB

MD5
b43e6b16b4ba41967cd280c535b50369

SHA1
4be1ee2c8da0b61f564d61e26ea8246e0a992a89

SHA256
852f26133fd9bb249ea7e0b4531f671c65a8d5b391c04fa22c1c5bb2b7c44ac7

SHA512
e43ed1e82a0358317ed51601f358f415f275e31b5d2dd96da63136add67202e519bc27a55d0604bc96bbaccf60cbe1abc071cb21fe788aea402a5ee63bdd7f46

Download Submit
memory/220-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/320-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/552-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/564-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/652-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/908-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/908-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/948-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1136-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1176-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1304-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1308-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1456-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1872-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3156-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3284-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3680-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3708-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3708-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3812-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3832-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3864-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3872-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4040-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4220-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4304-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4624-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5280-1382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5568-1375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5768-1370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6608-1282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6652-1281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6872-1271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6916-1270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads