220dacd578bbbf4f3beab53cf667a173283de26817591fb18f6e2cc179361d75

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d8e32e6697eb71cd3a78552833b27b0N.exe
Size

128KB
MD5

9d8e32e6697eb71cd3a78552833b27b0
SHA1

29dddc46fa8e78f7e83989ee2eacec25deae5086
SHA256

220dacd578bbbf4f3beab53cf667a173283de26817591fb18f6e2cc179361d75
SHA512

0ca1fe36056ee5d63ca8e894f061f2e3bac78ac69773f7cb7da39b0ad166175ae57bc0038ce59088300e998a149c6cec8cd276cf88f166b7a7eac4264ff57f03
SSDEEP

3072:/vJWevnGdRnb0JFIp+5pAmeW3FQo7fnEBctcp:3JBedRYJFIO573FF7fPtc

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilkhog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lacijjgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mekdffee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Napameoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odbgdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocknbglo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pehjfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmfqngcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfhhml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Heepfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jnpjlajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfiagd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Noaeqjpe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Napameoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Piolkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amfhgj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqikob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inidkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbgfhnhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlbpma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbdkhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjkdlall.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llimgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aimhmkgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Alpnde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afeban32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmfqngcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gnmlhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnbgaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaqcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mccokj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cplckbmc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddekmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgapmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hnkhjdle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjkdlall.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koimbpbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkgdhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alpnde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jldkeeig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdmlkfjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlgjhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mccokj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmhkflnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmoagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cibkohef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gnaecedp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqpbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Loemnnhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlgbon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlgbon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iencmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jnedgq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndnnianm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apimodmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afceko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kopcbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcjldk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nchhfild.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlefjnno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnaecedp.exe

Executes dropped EXE 64 IoCs

pid	Process
4752	Fcekfnkb.exe
4748	Fnjocf32.exe
3528	Fqikob32.exe
1768	Gnmlhf32.exe
4360	Gqkhda32.exe
4988	Gcjdam32.exe
1340	Gkalbj32.exe
908	Gclafmej.exe
2828	Gnaecedp.exe
408	Gcnnllcg.exe
1412	Gjhfif32.exe
3052	Gdnjfojj.exe
2932	Gkhbbi32.exe
3020	Hqdkkp32.exe
1196	Hkjohi32.exe
4056	Hjmodffo.exe
4448	Hqghqpnl.exe
2160	Hgapmj32.exe
1932	Hnkhjdle.exe
3296	Heepfn32.exe
4908	Ibpgqa32.exe
5104	Iencmm32.exe
4312	Ilhkigcd.exe
4060	Ibbcfa32.exe
2476	Ieqpbm32.exe
3104	Ilkhog32.exe
1564	Inidkb32.exe
2928	Ihaidhgf.exe
3988	Inkaqb32.exe
724	Ieeimlep.exe
4128	Ijbbfc32.exe
4040	Jaljbmkd.exe
4192	Jlanpfkj.exe
3556	Jnpjlajn.exe
5004	Jejbhk32.exe
1216	Jldkeeig.exe
5052	Jnbgaa32.exe
2036	Jaqcnl32.exe
4952	Jdopjh32.exe
2452	Jlfhke32.exe
4556	Jnedgq32.exe
1400	Jeolckne.exe
4500	Jdalog32.exe
1740	Jjkdlall.exe
4872	Jaemilci.exe
3360	Jhoeef32.exe
3080	Koimbpbc.exe
4920	Keceoj32.exe
3640	Kkpnga32.exe
1192	Kbgfhnhi.exe
3740	Kdhbpf32.exe
4268	Kkbkmqed.exe
2424	Kalcik32.exe
4456	Kdkoef32.exe
2244	Kopcbo32.exe
2768	Kdmlkfjb.exe
4816	Kkgdhp32.exe
3508	Kemhei32.exe
840	Khkdad32.exe
1332	Loemnnhe.exe
1512	Lacijjgi.exe
4488	Llimgb32.exe
3820	Logicn32.exe
3504	Lbcedmnl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ibbcfa32.exe	Ilhkigcd.exe
File created	C:\Windows\SysWOW64\Kkpnga32.exe	Keceoj32.exe
File opened for modification	C:\Windows\SysWOW64\Lacijjgi.exe	Loemnnhe.exe
File created	C:\Windows\SysWOW64\Inkqjp32.dll	Oomelheh.exe
File created	C:\Windows\SysWOW64\Kjmole32.dll	Pecpknke.exe
File created	C:\Windows\SysWOW64\Gqkhda32.exe	Gnmlhf32.exe
File opened for modification	C:\Windows\SysWOW64\Ihaidhgf.exe	Inidkb32.exe
File created	C:\Windows\SysWOW64\Llpchaqg.exe	Lajokiaa.exe
File created	C:\Windows\SysWOW64\Fpqifh32.dll	Ollljmhg.exe
File created	C:\Windows\SysWOW64\Oheienli.exe	Obkahddl.exe
File created	C:\Windows\SysWOW64\Dffdcecg.dll	Gjhfif32.exe
File created	C:\Windows\SysWOW64\Ilhkigcd.exe	Iencmm32.exe
File created	C:\Windows\SysWOW64\Abggif32.dll	Lajokiaa.exe
File created	C:\Windows\SysWOW64\Ncjdki32.exe	Nkcmjlio.exe
File opened for modification	C:\Windows\SysWOW64\Bemlhj32.exe	Bmagch32.exe
File created	C:\Windows\SysWOW64\Fcekfnkb.exe	9d8e32e6697eb71cd3a78552833b27b0N.exe
File created	C:\Windows\SysWOW64\Dbmoak32.dll	Ibpgqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mlbpma32.exe	Lehhqg32.exe
File created	C:\Windows\SysWOW64\Amkabind.exe	Acbmjcgd.exe
File created	C:\Windows\SysWOW64\Eobepglo.dll	Afceko32.exe
File created	C:\Windows\SysWOW64\Lapmnano.dll	Hjmodffo.exe
File created	C:\Windows\SysWOW64\Ldnemdgd.dll	Jnpjlajn.exe
File created	C:\Windows\SysWOW64\Mbdpdane.dll	Lcjldk32.exe
File created	C:\Windows\SysWOW64\Dqjhif32.dll	Amfhgj32.exe
File created	C:\Windows\SysWOW64\Nlcidopb.exe	Nfiagd32.exe
File opened for modification	C:\Windows\SysWOW64\Oloipmfd.exe	Odgqopeb.exe
File opened for modification	C:\Windows\SysWOW64\Ocdgahag.exe	Odbgdp32.exe
File created	C:\Windows\SysWOW64\Hblaceei.dll	Pehjfm32.exe
File created	C:\Windows\SysWOW64\Ldhopqko.dll	Beoimjce.exe
File opened for modification	C:\Windows\SysWOW64\Jnpjlajn.exe	Jlanpfkj.exe
File created	C:\Windows\SysWOW64\Kkbkmqed.exe	Kdhbpf32.exe
File created	C:\Windows\SysWOW64\Kopcbo32.exe	Klbgfc32.exe
File created	C:\Windows\SysWOW64\Omclnn32.dll	Nocbfjmc.exe
File opened for modification	C:\Windows\SysWOW64\Nfnjbdep.exe	Nconfh32.exe
File created	C:\Windows\SysWOW64\Dmkcpdao.exe	Dmifkecb.exe
File created	C:\Windows\SysWOW64\Gclafmej.exe	Gkalbj32.exe
File created	C:\Windows\SysWOW64\Cjbdmo32.dll	Lacijjgi.exe
File opened for modification	C:\Windows\SysWOW64\Odbgdp32.exe	Nbdkhe32.exe
File created	C:\Windows\SysWOW64\Bfoegm32.exe	Bpemkcck.exe
File opened for modification	C:\Windows\SysWOW64\Cdebfago.exe	Bfabmmhe.exe
File opened for modification	C:\Windows\SysWOW64\Jlfhke32.exe	Jdopjh32.exe
File created	C:\Windows\SysWOW64\Ohhbfe32.dll	Mcfkpjng.exe
File created	C:\Windows\SysWOW64\Aehbmk32.exe	Afeban32.exe
File created	C:\Windows\SysWOW64\Cqbolk32.dll	Bmagch32.exe
File opened for modification	C:\Windows\SysWOW64\Ijbbfc32.exe	Ieeimlep.exe
File created	C:\Windows\SysWOW64\Cimhefgb.dll	Qmanljfo.exe
File created	C:\Windows\SysWOW64\Qbddhbhn.dll	Ieeimlep.exe
File opened for modification	C:\Windows\SysWOW64\Mlgjhp32.exe	Mdpagc32.exe
File created	C:\Windows\SysWOW64\Aiaeig32.dll	Ocdgahag.exe
File created	C:\Windows\SysWOW64\Qppkhfec.exe	Qmanljfo.exe
File created	C:\Windows\SysWOW64\Oahmla32.dll	Acbmjcgd.exe
File opened for modification	C:\Windows\SysWOW64\Obkahddl.exe	Oomelheh.exe
File opened for modification	C:\Windows\SysWOW64\Dmnpfd32.exe	Ddekmo32.exe
File created	C:\Windows\SysWOW64\Gjhfif32.exe	Gcnnllcg.exe
File created	C:\Windows\SysWOW64\Jnbgaa32.exe	Jldkeeig.exe
File opened for modification	C:\Windows\SysWOW64\Jjkdlall.exe	Jdalog32.exe
File created	C:\Windows\SysWOW64\Lacijjgi.exe	Loemnnhe.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmjlio.exe	Ndidna32.exe
File opened for modification	C:\Windows\SysWOW64\Iencmm32.exe	Ibpgqa32.exe
File opened for modification	C:\Windows\SysWOW64\Jnedgq32.exe	Jlfhke32.exe
File created	C:\Windows\SysWOW64\Keceoj32.exe	Koimbpbc.exe
File opened for modification	C:\Windows\SysWOW64\Nconfh32.exe	Nocbfjmc.exe
File opened for modification	C:\Windows\SysWOW64\Afceko32.exe	Abgjkpll.exe
File opened for modification	C:\Windows\SysWOW64\Moefdljc.exe	Mlgjhp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7144	6808	WerFault.exe	270

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqdkkp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iencmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeolckne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhoeef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndidna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndpjnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obkahddl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obpkcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdqcenmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmeak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pehjfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Albkieqj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nofoki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ollljmhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibbcfa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieqpbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaemilci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lolcnman.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlefjnno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlgbon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbgqdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amfhgj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmhkflnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjkdlall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkbkmqed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kopcbo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nchhfild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncjdki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omaeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilhkigcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcoepkdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piolkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Noaeqjpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nocbfjmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmkcpdao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkalbj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gclafmej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbcedmnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmfqngcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfiagd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acbmjcgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnjocf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjhfif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilkhog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lehhqg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhpgca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdghhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abgjkpll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpcdfll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okfbgiij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cleqfb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqikob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkjohi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inkaqb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moalil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beoimjce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpemkcck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcekfnkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmagch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gqkhda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieeimlep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jejbhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbgfhnhi.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lajokiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lehhqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maaekg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdghhb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amkabind.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cplckbmc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hgapmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hnkhjdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjbdmo32.dll"	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abggif32.dll"	Lajokiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndnnianm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aimhmkgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abgjkpll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpiidi32.dll"	Albkieqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dffdcecg.dll"	Gjhfif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oheienli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pbgqdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hblaceei.dll"	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abgjkpll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcfkpjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkcnp32.dll"	Kopcbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbcedmnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfnjbdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oloipmfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfqgoo32.dll"	Qelcamcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpemkcck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eloeba32.dll"	Jaemilci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjicah32.dll"	Mlbpma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlfhke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pijcpmhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lehhqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nconfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abpcja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beoimjce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jnedgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofbmdj32.dll"	Ibbcfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oomelheh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qckfid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bemlhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbaehl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hqghqpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfidek32.dll"	Lehhqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mccokj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghekd32.dll"	Llkjmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckjdhni.dll"	Aeopfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eobepglo.dll"	Afceko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khhmbdka.dll"	Pmoagk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkcmjlio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbgfhnhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmjdlb32.dll"	Loemnnhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lojfin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hqdkkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdmlkfjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbqmiln.dll"	Nbdkhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fobkem32.dll"	Abgjkpll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfmidc32.dll"	Bfabmmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaepkejo.dll"	Cpqlfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmannfj.dll"	Jdalog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jaqcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jaemilci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idjcam32.dll"	Lbcedmnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daliqjnc.dll"	Pbimjb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 4752	1280	9d8e32e6697eb71cd3a78552833b27b0N.exe	90
PID 1280 wrote to memory of 4752	1280	9d8e32e6697eb71cd3a78552833b27b0N.exe	90
PID 1280 wrote to memory of 4752	1280	9d8e32e6697eb71cd3a78552833b27b0N.exe	90
PID 4752 wrote to memory of 4748	4752	Fcekfnkb.exe	91
PID 4752 wrote to memory of 4748	4752	Fcekfnkb.exe	91
PID 4752 wrote to memory of 4748	4752	Fcekfnkb.exe	91
PID 4748 wrote to memory of 3528	4748	Fnjocf32.exe	92
PID 4748 wrote to memory of 3528	4748	Fnjocf32.exe	92
PID 4748 wrote to memory of 3528	4748	Fnjocf32.exe	92
PID 3528 wrote to memory of 1768	3528	Fqikob32.exe	93
PID 3528 wrote to memory of 1768	3528	Fqikob32.exe	93
PID 3528 wrote to memory of 1768	3528	Fqikob32.exe	93
PID 1768 wrote to memory of 4360	1768	Gnmlhf32.exe	94
PID 1768 wrote to memory of 4360	1768	Gnmlhf32.exe	94
PID 1768 wrote to memory of 4360	1768	Gnmlhf32.exe	94
PID 4360 wrote to memory of 4988	4360	Gqkhda32.exe	95
PID 4360 wrote to memory of 4988	4360	Gqkhda32.exe	95
PID 4360 wrote to memory of 4988	4360	Gqkhda32.exe	95
PID 4988 wrote to memory of 1340	4988	Gcjdam32.exe	97
PID 4988 wrote to memory of 1340	4988	Gcjdam32.exe	97
PID 4988 wrote to memory of 1340	4988	Gcjdam32.exe	97
PID 1340 wrote to memory of 908	1340	Gkalbj32.exe	98
PID 1340 wrote to memory of 908	1340	Gkalbj32.exe	98
PID 1340 wrote to memory of 908	1340	Gkalbj32.exe	98
PID 908 wrote to memory of 2828	908	Gclafmej.exe	99
PID 908 wrote to memory of 2828	908	Gclafmej.exe	99
PID 908 wrote to memory of 2828	908	Gclafmej.exe	99
PID 2828 wrote to memory of 408	2828	Gnaecedp.exe	100
PID 2828 wrote to memory of 408	2828	Gnaecedp.exe	100
PID 2828 wrote to memory of 408	2828	Gnaecedp.exe	100
PID 408 wrote to memory of 1412	408	Gcnnllcg.exe	102
PID 408 wrote to memory of 1412	408	Gcnnllcg.exe	102
PID 408 wrote to memory of 1412	408	Gcnnllcg.exe	102
PID 1412 wrote to memory of 3052	1412	Gjhfif32.exe	103
PID 1412 wrote to memory of 3052	1412	Gjhfif32.exe	103
PID 1412 wrote to memory of 3052	1412	Gjhfif32.exe	103
PID 3052 wrote to memory of 2932	3052	Gdnjfojj.exe	104
PID 3052 wrote to memory of 2932	3052	Gdnjfojj.exe	104
PID 3052 wrote to memory of 2932	3052	Gdnjfojj.exe	104
PID 2932 wrote to memory of 3020	2932	Gkhbbi32.exe	105
PID 2932 wrote to memory of 3020	2932	Gkhbbi32.exe	105
PID 2932 wrote to memory of 3020	2932	Gkhbbi32.exe	105
PID 3020 wrote to memory of 1196	3020	Hqdkkp32.exe	106
PID 3020 wrote to memory of 1196	3020	Hqdkkp32.exe	106
PID 3020 wrote to memory of 1196	3020	Hqdkkp32.exe	106
PID 1196 wrote to memory of 4056	1196	Hkjohi32.exe	108
PID 1196 wrote to memory of 4056	1196	Hkjohi32.exe	108
PID 1196 wrote to memory of 4056	1196	Hkjohi32.exe	108
PID 4056 wrote to memory of 4448	4056	Hjmodffo.exe	109
PID 4056 wrote to memory of 4448	4056	Hjmodffo.exe	109
PID 4056 wrote to memory of 4448	4056	Hjmodffo.exe	109
PID 4448 wrote to memory of 2160	4448	Hqghqpnl.exe	110
PID 4448 wrote to memory of 2160	4448	Hqghqpnl.exe	110
PID 4448 wrote to memory of 2160	4448	Hqghqpnl.exe	110
PID 2160 wrote to memory of 1932	2160	Hgapmj32.exe	111
PID 2160 wrote to memory of 1932	2160	Hgapmj32.exe	111
PID 2160 wrote to memory of 1932	2160	Hgapmj32.exe	111
PID 1932 wrote to memory of 3296	1932	Hnkhjdle.exe	112
PID 1932 wrote to memory of 3296	1932	Hnkhjdle.exe	112
PID 1932 wrote to memory of 3296	1932	Hnkhjdle.exe	112
PID 3296 wrote to memory of 4908	3296	Heepfn32.exe	113
PID 3296 wrote to memory of 4908	3296	Heepfn32.exe	113
PID 3296 wrote to memory of 4908	3296	Heepfn32.exe	113
PID 4908 wrote to memory of 5104	4908	Ibpgqa32.exe	114

C:\Users\Admin\AppData\Local\Temp\9d8e32e6697eb71cd3a78552833b27b0N.exe
"C:\Users\Admin\AppData\Local\Temp\9d8e32e6697eb71cd3a78552833b27b0N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Windows\SysWOW64\Fcekfnkb.exe
  C:\Windows\system32\Fcekfnkb.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\SysWOW64\Fnjocf32.exe
    C:\Windows\system32\Fnjocf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4748
  - - C:\Windows\SysWOW64\Fqikob32.exe
      C:\Windows\system32\Fqikob32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3528
    - - C:\Windows\SysWOW64\Gnmlhf32.exe
        
        C:\Windows\system32\Gnmlhf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1768
      - C:\Windows\SysWOW64\Gqkhda32.exe
        
        C:\Windows\system32\Gqkhda32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Gcjdam32.exe
        
        C:\Windows\system32\Gcjdam32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Gkalbj32.exe
        
        C:\Windows\system32\Gkalbj32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\Gclafmej.exe
        
        C:\Windows\system32\Gclafmej.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\SysWOW64\Gnaecedp.exe
        
        C:\Windows\system32\Gnaecedp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Gcnnllcg.exe
        
        C:\Windows\system32\Gcnnllcg.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\Gjhfif32.exe
        
        C:\Windows\system32\Gjhfif32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Gdnjfojj.exe
        
        C:\Windows\system32\Gdnjfojj.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Gkhbbi32.exe
        
        C:\Windows\system32\Gkhbbi32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Hqdkkp32.exe
        
        C:\Windows\system32\Hqdkkp32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Hkjohi32.exe
        
        C:\Windows\system32\Hkjohi32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\SysWOW64\Hjmodffo.exe
        
        C:\Windows\system32\Hjmodffo.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Hqghqpnl.exe
        
        C:\Windows\system32\Hqghqpnl.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Hgapmj32.exe
        
        C:\Windows\system32\Hgapmj32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Hnkhjdle.exe
        
        C:\Windows\system32\Hnkhjdle.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Heepfn32.exe
        
        C:\Windows\system32\Heepfn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\SysWOW64\Ibpgqa32.exe
        
        C:\Windows\system32\Ibpgqa32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Iencmm32.exe
        
        C:\Windows\system32\Iencmm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\Ilhkigcd.exe
        
        C:\Windows\system32\Ilhkigcd.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Windows\SysWOW64\Ibbcfa32.exe
        
        C:\Windows\system32\Ibbcfa32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Ieqpbm32.exe
        
        C:\Windows\system32\Ieqpbm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\Ilkhog32.exe
        
        C:\Windows\system32\Ilkhog32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Windows\SysWOW64\Inidkb32.exe
        
        C:\Windows\system32\Inidkb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1564
        
        C:\Windows\SysWOW64\Ihaidhgf.exe
        
        C:\Windows\system32\Ihaidhgf.exe
        29⤵
        Executes dropped EXE
        
        PID:2928
        
        C:\Windows\SysWOW64\Inkaqb32.exe
        
        C:\Windows\system32\Inkaqb32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Windows\SysWOW64\Ieeimlep.exe
        
        C:\Windows\system32\Ieeimlep.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:724
        
        C:\Windows\SysWOW64\Ijbbfc32.exe
        
        C:\Windows\system32\Ijbbfc32.exe
        32⤵
        Executes dropped EXE
        
        PID:4128
        
        C:\Windows\SysWOW64\Jaljbmkd.exe
        
        C:\Windows\system32\Jaljbmkd.exe
        33⤵
        Executes dropped EXE
        
        PID:4040
        
        C:\Windows\SysWOW64\Jlanpfkj.exe
        
        C:\Windows\system32\Jlanpfkj.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4192
        
        C:\Windows\SysWOW64\Jnpjlajn.exe
        
        C:\Windows\system32\Jnpjlajn.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3556
        
        C:\Windows\SysWOW64\Jejbhk32.exe
        
        C:\Windows\system32\Jejbhk32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\Jldkeeig.exe
        
        C:\Windows\system32\Jldkeeig.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1216
        
        C:\Windows\SysWOW64\Jnbgaa32.exe
        
        C:\Windows\system32\Jnbgaa32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5052
        
        C:\Windows\SysWOW64\Jaqcnl32.exe
        
        C:\Windows\system32\Jaqcnl32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Jdopjh32.exe
        
        C:\Windows\system32\Jdopjh32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4952
        
        C:\Windows\SysWOW64\Jlfhke32.exe
        
        C:\Windows\system32\Jlfhke32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Jnedgq32.exe
        
        C:\Windows\system32\Jnedgq32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Jeolckne.exe
        
        C:\Windows\system32\Jeolckne.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\Jdalog32.exe
        
        C:\Windows\system32\Jdalog32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Jjkdlall.exe
        
        C:\Windows\system32\Jjkdlall.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Jaemilci.exe
        
        C:\Windows\system32\Jaemilci.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Jhoeef32.exe
        
        C:\Windows\system32\Jhoeef32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        C:\Windows\SysWOW64\Koimbpbc.exe
        
        C:\Windows\system32\Koimbpbc.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3080
        
        C:\Windows\SysWOW64\Keceoj32.exe
        
        C:\Windows\system32\Keceoj32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4920
        
        C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        50⤵
        Executes dropped EXE
        
        PID:3640
        
        C:\Windows\SysWOW64\Kbgfhnhi.exe
        
        C:\Windows\system32\Kbgfhnhi.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Kdhbpf32.exe
        
        C:\Windows\system32\Kdhbpf32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3740
        
        C:\Windows\SysWOW64\Kkbkmqed.exe
        
        C:\Windows\system32\Kkbkmqed.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Windows\SysWOW64\Kalcik32.exe
        
        C:\Windows\system32\Kalcik32.exe
        54⤵
        Executes dropped EXE
        
        PID:2424
        
        C:\Windows\SysWOW64\Kdkoef32.exe
        
        C:\Windows\system32\Kdkoef32.exe
        55⤵
        Executes dropped EXE
        
        PID:4456
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        56⤵
        Drops file in System32 directory
        
        PID:4968
        
        C:\Windows\SysWOW64\Kopcbo32.exe
        
        C:\Windows\system32\Kopcbo32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Kdmlkfjb.exe
        
        C:\Windows\system32\Kdmlkfjb.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Kkgdhp32.exe
        
        C:\Windows\system32\Kkgdhp32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4816
        
        C:\Windows\SysWOW64\Kemhei32.exe
        
        C:\Windows\system32\Kemhei32.exe
        60⤵
        Executes dropped EXE
        
        PID:3508
        
        C:\Windows\SysWOW64\Khkdad32.exe
        
        C:\Windows\system32\Khkdad32.exe
        61⤵
        Executes dropped EXE
        
        PID:840
        
        C:\Windows\SysWOW64\Loemnnhe.exe
        
        C:\Windows\system32\Loemnnhe.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Lacijjgi.exe
        
        C:\Windows\system32\Lacijjgi.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Llimgb32.exe
        
        C:\Windows\system32\Llimgb32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4488
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        65⤵
        Executes dropped EXE
        
        PID:3820
        
        C:\Windows\SysWOW64\Lbcedmnl.exe
        
        C:\Windows\system32\Lbcedmnl.exe
        66⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Llkjmb32.exe
        
        C:\Windows\system32\Llkjmb32.exe
        67⤵
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Lojfin32.exe
        
        C:\Windows\system32\Lojfin32.exe
        68⤵
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Llngbabj.exe
        
        C:\Windows\system32\Llngbabj.exe
        69⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\Lolcnman.exe
        
        C:\Windows\system32\Lolcnman.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Llpchaqg.exe
        
        C:\Windows\system32\Llpchaqg.exe
        72⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Lcjldk32.exe
        
        C:\Windows\system32\Lcjldk32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Lehhqg32.exe
        
        C:\Windows\system32\Lehhqg32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Mlbpma32.exe
        
        C:\Windows\system32\Mlbpma32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Moalil32.exe
        
        C:\Windows\system32\Moalil32.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:5340
        
        C:\Windows\SysWOW64\Mekdffee.exe
        
        C:\Windows\system32\Mekdffee.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5380
        
        C:\Windows\SysWOW64\Mlemcq32.exe
        
        C:\Windows\system32\Mlemcq32.exe
        78⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Mcoepkdo.exe
        
        C:\Windows\system32\Mcoepkdo.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:5460
        
        C:\Windows\SysWOW64\Maaekg32.exe
        
        C:\Windows\system32\Maaekg32.exe
        80⤵
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Mdpagc32.exe
        
        C:\Windows\system32\Mdpagc32.exe
        81⤵
        Drops file in System32 directory
        
        PID:5540
        
        C:\Windows\SysWOW64\Mlgjhp32.exe
        
        C:\Windows\system32\Mlgjhp32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Moefdljc.exe
        
        C:\Windows\system32\Moefdljc.exe
        83⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Mdbnmbhj.exe
        
        C:\Windows\system32\Mdbnmbhj.exe
        84⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Mccokj32.exe
        
        C:\Windows\system32\Mccokj32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Mhpgca32.exe
        
        C:\Windows\system32\Mhpgca32.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:5764
        
        C:\Windows\SysWOW64\Mcfkpjng.exe
        
        C:\Windows\system32\Mcfkpjng.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Mdghhb32.exe
        
        C:\Windows\system32\Mdghhb32.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Nchhfild.exe
        
        C:\Windows\system32\Nchhfild.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5900
        
        C:\Windows\SysWOW64\Ndidna32.exe
        
        C:\Windows\system32\Ndidna32.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5944
        
        C:\Windows\SysWOW64\Nkcmjlio.exe
        
        C:\Windows\system32\Nkcmjlio.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Ncjdki32.exe
        
        C:\Windows\system32\Ncjdki32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:6048
        
        C:\Windows\SysWOW64\Nfiagd32.exe
        
        C:\Windows\system32\Nfiagd32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6104
        
        C:\Windows\SysWOW64\Nlcidopb.exe
        
        C:\Windows\system32\Nlcidopb.exe
        94⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\Nkeipk32.exe
        
        C:\Windows\system32\Nkeipk32.exe
        95⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Noaeqjpe.exe
        
        C:\Windows\system32\Noaeqjpe.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5336
        
        C:\Windows\SysWOW64\Napameoi.exe
        
        C:\Windows\system32\Napameoi.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5396
        
        C:\Windows\SysWOW64\Ndnnianm.exe
        
        C:\Windows\system32\Ndnnianm.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Nlefjnno.exe
        
        C:\Windows\system32\Nlefjnno.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5556
        
        C:\Windows\SysWOW64\Nocbfjmc.exe
        
        C:\Windows\system32\Nocbfjmc.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5648
        
        C:\Windows\SysWOW64\Nconfh32.exe
        
        C:\Windows\system32\Nconfh32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Nfnjbdep.exe
        
        C:\Windows\system32\Nfnjbdep.exe
        102⤵
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Ndpjnq32.exe
        
        C:\Windows\system32\Ndpjnq32.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\Nlgbon32.exe
        
        C:\Windows\system32\Nlgbon32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6032
        
        C:\Windows\SysWOW64\Nofoki32.exe
        
        C:\Windows\system32\Nofoki32.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:6112
        
        C:\Windows\SysWOW64\Nbdkhe32.exe
        
        C:\Windows\system32\Nbdkhe32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Odbgdp32.exe
        
        C:\Windows\system32\Odbgdp32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Ocdgahag.exe
        
        C:\Windows\system32\Ocdgahag.exe
        108⤵
        Drops file in System32 directory
        
        PID:5560
        
        C:\Windows\SysWOW64\Ollljmhg.exe
        
        C:\Windows\system32\Ollljmhg.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5692
        
        C:\Windows\SysWOW64\Ocfdgg32.exe
        
        C:\Windows\system32\Ocfdgg32.exe
        110⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Odgqopeb.exe
        
        C:\Windows\system32\Odgqopeb.exe
        111⤵
        Drops file in System32 directory
        
        PID:6000
        
        C:\Windows\SysWOW64\Oloipmfd.exe
        
        C:\Windows\system32\Oloipmfd.exe
        112⤵
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Oomelheh.exe
        
        C:\Windows\system32\Oomelheh.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Obkahddl.exe
        
        C:\Windows\system32\Obkahddl.exe
        114⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5532
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        115⤵
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Omaeem32.exe
        
        C:\Windows\system32\Omaeem32.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:5916
        
        C:\Windows\SysWOW64\Ocknbglo.exe
        
        C:\Windows\system32\Ocknbglo.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5508
        
        C:\Windows\SysWOW64\Okfbgiij.exe
        
        C:\Windows\system32\Okfbgiij.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:5928
        
        C:\Windows\SysWOW64\Ocmjhfjl.exe
        
        C:\Windows\system32\Ocmjhfjl.exe
        119⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Obpkcc32.exe
        
        C:\Windows\system32\Obpkcc32.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5492
        
        C:\Windows\SysWOW64\Pijcpmhc.exe
        
        C:\Windows\system32\Pijcpmhc.exe
        121⤵
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Pkholi32.exe
        
        C:\Windows\system32\Pkholi32.exe
        122⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Pbbgicnd.exe
        
        C:\Windows\system32\Pbbgicnd.exe
        123⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:6244
        
        C:\Windows\SysWOW64\Pmhkflnj.exe
        
        C:\Windows\system32\Pmhkflnj.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6292
        
        C:\Windows\SysWOW64\Pecpknke.exe
        
        C:\Windows\system32\Pecpknke.exe
        126⤵
        Drops file in System32 directory
        
        PID:6336
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6384
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        128⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6428
        
        C:\Windows\SysWOW64\Pmmeak32.exe
        
        C:\Windows\system32\Pmmeak32.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:6472
        
        C:\Windows\SysWOW64\Pbimjb32.exe
        
        C:\Windows\system32\Pbimjb32.exe
        130⤵
        Modifies registry class
        
        PID:6516
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6560
        
        C:\Windows\SysWOW64\Pmoagk32.exe
        
        C:\Windows\system32\Pmoagk32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6604
        
        C:\Windows\SysWOW64\Pomncfge.exe
        
        C:\Windows\system32\Pomncfge.exe
        133⤵
        Modifies registry class
        
        PID:6640
        
        C:\Windows\SysWOW64\Qmanljfo.exe
        
        C:\Windows\system32\Qmanljfo.exe
        134⤵
        Drops file in System32 directory
        
        PID:6692
        
        C:\Windows\SysWOW64\Qppkhfec.exe
        
        C:\Windows\system32\Qppkhfec.exe
        135⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6780
        
        C:\Windows\SysWOW64\Qelcamcj.exe
        
        C:\Windows\system32\Qelcamcj.exe
        137⤵
        Modifies registry class
        
        PID:6824
        
        C:\Windows\SysWOW64\Abpcja32.exe
        
        C:\Windows\system32\Abpcja32.exe
        138⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6868
        
        C:\Windows\SysWOW64\Aeopfl32.exe
        
        C:\Windows\system32\Aeopfl32.exe
        139⤵
        Modifies registry class
        
        PID:6912
        
        C:\Windows\SysWOW64\Amfhgj32.exe
        
        C:\Windows\system32\Amfhgj32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6956
        
        C:\Windows\SysWOW64\Aimhmkgn.exe
        
        C:\Windows\system32\Aimhmkgn.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7004
        
        C:\Windows\SysWOW64\Acbmjcgd.exe
        
        C:\Windows\system32\Acbmjcgd.exe
        142⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7048
        
        C:\Windows\SysWOW64\Amkabind.exe
        
        C:\Windows\system32\Amkabind.exe
        143⤵
        Modifies registry class
        
        PID:7092
        
        C:\Windows\SysWOW64\Apimodmh.exe
        
        C:\Windows\system32\Apimodmh.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7136
        
        C:\Windows\SysWOW64\Abgjkpll.exe
        
        C:\Windows\system32\Abgjkpll.exe
        145⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Afceko32.exe
        
        C:\Windows\system32\Afceko32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6228
        
        C:\Windows\SysWOW64\Alpnde32.exe
        
        C:\Windows\system32\Alpnde32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6304
        
        C:\Windows\SysWOW64\Afeban32.exe
        
        C:\Windows\system32\Afeban32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6364
        
        C:\Windows\SysWOW64\Aehbmk32.exe
        
        C:\Windows\system32\Aehbmk32.exe
        149⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Albkieqj.exe
        
        C:\Windows\system32\Albkieqj.exe
        150⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6524
        
        C:\Windows\SysWOW64\Bmagch32.exe
        
        C:\Windows\system32\Bmagch32.exe
        151⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6592
        
        C:\Windows\SysWOW64\Bemlhj32.exe
        
        C:\Windows\system32\Bemlhj32.exe
        152⤵
        Modifies registry class
        
        PID:6660
        
        C:\Windows\SysWOW64\Beoimjce.exe
        
        C:\Windows\system32\Beoimjce.exe
        153⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6728
        
        C:\Windows\SysWOW64\Bmfqngcg.exe
        
        C:\Windows\system32\Bmfqngcg.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6796
        
        C:\Windows\SysWOW64\Bpemkcck.exe
        
        C:\Windows\system32\Bpemkcck.exe
        155⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6852
        
        C:\Windows\SysWOW64\Bfoegm32.exe
        
        C:\Windows\system32\Bfoegm32.exe
        156⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Bfabmmhe.exe
        
        C:\Windows\system32\Bfabmmhe.exe
        157⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7016
        
        C:\Windows\SysWOW64\Cdebfago.exe
        
        C:\Windows\system32\Cdebfago.exe
        158⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Cibkohef.exe
        
        C:\Windows\system32\Cibkohef.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7148
        
        C:\Windows\SysWOW64\Cplckbmc.exe
        
        C:\Windows\system32\Cplckbmc.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Cmpcdfll.exe
        
        C:\Windows\system32\Cmpcdfll.exe
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:6300
        
        C:\Windows\SysWOW64\Cfhhml32.exe
        
        C:\Windows\system32\Cfhhml32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6400
        
        C:\Windows\SysWOW64\Cmbpjfij.exe
        
        C:\Windows\system32\Cmbpjfij.exe
        163⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Cleqfb32.exe
        
        C:\Windows\system32\Cleqfb32.exe
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:6616
        
        C:\Windows\SysWOW64\Cpqlfa32.exe
        
        C:\Windows\system32\Cpqlfa32.exe
        165⤵
        Modifies registry class
        
        PID:6720
        
        C:\Windows\SysWOW64\Cbaehl32.exe
        
        C:\Windows\system32\Cbaehl32.exe
        166⤵
        Modifies registry class
        
        PID:6860
        
        C:\Windows\SysWOW64\Cmgjee32.exe
        
        C:\Windows\system32\Cmgjee32.exe
        167⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Dfonnk32.exe
        
        C:\Windows\system32\Dfonnk32.exe
        168⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Dmifkecb.exe
        
        C:\Windows\system32\Dmifkecb.exe
        169⤵
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Dmkcpdao.exe
        
        C:\Windows\system32\Dmkcpdao.exe
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:6288
        
        C:\Windows\SysWOW64\Ddekmo32.exe
        
        C:\Windows\system32\Ddekmo32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6484
        
        C:\Windows\SysWOW64\Dmnpfd32.exe
        
        C:\Windows\system32\Dmnpfd32.exe
        172⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        173⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6808 -s 232
        174⤵
        Program crash
        
        PID:7144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4252,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=4176 /prefetch:8
1⤵
PID:5608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6808 -ip 6808
1⤵
PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abpcja32.exe

Filesize
128KB

MD5
7b66e65ae342486ece324b6a1f95feb0

SHA1
f481978d239f39d0bf1c284ee16c86ebae8cf7ca

SHA256
8b7b6c44cce6d38f81602c93088d224f5af21e3e598c133bb3ddca743c9a1d22

SHA512
ae2f5d92066159b1c5c6f57ddd0df5d41afbca37caeee09160ce9e7f0582093a0072eb36d8d19323b38ff5777615526fa911c81b437ab0f821863775ab7c2aad

Download Submit
C:\Windows\SysWOW64\Afceko32.exe

Filesize
128KB

MD5
eb1e004c1b597869f16470099a1017fe

SHA1
71f67c2be929c89156723001c9aa7ad238219399

SHA256
29bff2f76ef768207d63a6a22142b8676ec11af2203b77f0b3fe32dc4b70fb78

SHA512
7a5e17efa7ae51a0edb719c74535fc80a19a3a0281ce3727da6d88c31deda923a96a1ba50847df19588840432f0dcab48f6f3e228c8229882655393a47ef9355

Download Submit
C:\Windows\SysWOW64\Bfoegm32.exe

Filesize
128KB

MD5
e64fabec67199fdf49e9e65582ae6aa6

SHA1
3cf456f9e2991a8146db043b4bd4285874dd7dcf

SHA256
2fa6b0c95e8d5be0c3da99aa8dc67551ed92ed68e3a33d2281279e60105d6ec4

SHA512
daf070c7501ab680614e6d7d2f7a6bc35d4bc92e30ceac78ffc96160482e3692270f0666d55fbc1e90a84b2085d27bfca6a27690f2b5204e5f2ecfe6e543f2ca

Download Submit
C:\Windows\SysWOW64\Cibkohef.exe

Filesize
128KB

MD5
eb22045f2faa20ed622875cfda9628dd

SHA1
2163017fc0bd76458493ee01de56eeffac157919

SHA256
4a40919869ae3e0f158e5daf84638b70014bcf7436632bb37870236cfe05dd16

SHA512
74074df9feebacb8ed0eb6597948c130c493577af0b17cfc526d5a1fbb5875e8319312363334f90eeb507b89b01a63db10d96222d133670ea30e45959ad0d165

Download Submit
C:\Windows\SysWOW64\Cmgjee32.exe

Filesize
128KB

MD5
595e9e78e56d324d950c8f16acd680b5

SHA1
14a0b33cb17dbb5fd669b88a1c0f4033e05b3a18

SHA256
b1ce8fbfd6e3577d3dcad434b51f414e5c1703ef1c174cd5e286d9680533b67e

SHA512
865162c0985c5871b3fa2ddaef43fe9c8c069658e539ce2b50c7a375cc9d8de630b779d4f55918c5125daa70da8bc649db5f3f5ed977c82dff0a3fdf5f3c9c21

Download Submit
C:\Windows\SysWOW64\Cmpcdfll.exe

Filesize
128KB

MD5
f8e8b6543f31aa89051587ddd2729bfa

SHA1
0c6d829a7c1d77a462b9180c75e3a46843b983de

SHA256
79733c9c1a05af284272d214ab8035f463cf2ac428eb3da193f0068817dc5363

SHA512
bcff978f59b9cad0971c6137d1b3a54002d9ff27c414d79225a02d4b6f4483d118d79043277c60752b43cf46990fe9c6c06720129c6595921ec42010b4545e56

Download Submit
C:\Windows\SysWOW64\Cpqlfa32.exe

Filesize
128KB

MD5
c40bfa05c976647b944694bb11190fde

SHA1
143c97cdfcbf1966c544fc836ca115b3aaaf7d30

SHA256
30f5633b126a4213e426b54f56a37ad32a2f0d795a2f1c202da07ec7979b1979

SHA512
2dbcc69e54a1c966c6ae64868bf9248b9e26b1533cceb8a369673b694b7c93219187a7f6db66ca6b725df5f8651675be04d254655cb24a7831bb00d8eaa5386d

Download Submit
C:\Windows\SysWOW64\Dmnpfd32.exe

Filesize
128KB

MD5
42643213a29597c0c0c1466230cb08c7

SHA1
28770495bf90b0c50144b512bcaee1a0763efaf3

SHA256
590aa6aa40973b0d68029a30f9219cad54041b31002a3748ba1318fe2d61cc47

SHA512
2dcbd5b52e733399ecdfb06541bf338859433bacd4974a2a9219206e51cceed8d7dcdb6f599083e4f298dcb263d33594166f09c41b33e0c04581dcbf26c7d8cc

Download Submit
C:\Windows\SysWOW64\Fcekfnkb.exe

Filesize
128KB

MD5
1bfa268c3159fd0a5a37033e921e42c9

SHA1
6143aee24e4813a53b5c9f1eb61deef6981f1694

SHA256
d3508424b916d4bf2a95fefc454babb173ebc71ab04328276e7f6701c79eb1f1

SHA512
44276953dd7e93a7620f9c408f06fc138a54e7b1ad87639a168e2d632a26bd8a3edfc4b01e0a6611714a59a8f970b01eb4a26132b9edbed2cce5e893693f89ea

Download Submit
C:\Windows\SysWOW64\Fnjocf32.exe

Filesize
128KB

MD5
fc615c3d011b0b69cb6a7caa10fadb54

SHA1
7e7b66e0e6e1c5d888e58623fd36cddeca8f5033

SHA256
8ce72b848c8d5e8c0e82c481d25e8bdbfe723c6c7f610af946ef08d7f56f345b

SHA512
65a97e343d83a8d11c454933b05dbbf0844ce56fd1ce954c495fee9394455178ff316a3fedfd7c5d70867499580c6a1424d91e9e728deb76211716fb7ef37324

Download Submit
C:\Windows\SysWOW64\Fqikob32.exe

Filesize
128KB

MD5
1ef637625e16e4b9bb23c4f985180024

SHA1
3956b64bd458dcd4336567e8d1fcaed68dc358c4

SHA256
7904e1f2885b2bf191e9dc84c0fd3691c2099e05b7a4f52322c65ecbdcda7284

SHA512
3d0c1a2aa601ad646af925dc3fc6c92909f82bd6d4790ba7cbb57811ec2adef393b8027fca610f86626fb6c97e0fce7ad712a806220eb0dac87c763801a85a95

Download Submit
C:\Windows\SysWOW64\Gcjdam32.exe

Filesize
128KB

MD5
929d6c46e68d6bdfc8bfeb30975262a4

SHA1
1293212800c05b5bbc4f0a15506b1610d98cf512

SHA256
aed49c3754059c4cadb5490340e1a6485a1318f7391a8bc0c3eeb888210eeb9d

SHA512
a6c82eeab44fd50eda68342282598cf9d2ddcb58d3dde68de895d232769b01de10e18e541be2cc85bf4df4731c205e36dad29e997f8008c46d71ccf50265ab2c

Download Submit
C:\Windows\SysWOW64\Gclafmej.exe

Filesize
128KB

MD5
d7f9c66eb07fec65d1db200c6c67e32b

SHA1
34f25aa2bb64dd2118084fa42380cf78d188ca46

SHA256
a845dc4a54dafeb16423256dfd43c59e103dce9c22477f9bc9e239c6c11921c9

SHA512
923c798a0a73053a123af03cbc631701d22be748a5b4ae395d04e00641f78e12542c5aa37bfecd6dfe944b9a47df78b3457db344839a5a978d3dffe9647f6034

Download Submit
C:\Windows\SysWOW64\Gcnnllcg.exe

Filesize
128KB

MD5
b3401f69129a0df358280b6be10d7ced

SHA1
ecbff16ea62f57bb1adc405f4b4dab6de35bc15a

SHA256
38bc66971996a0697fc6eae8b0e5ac871888ecb3ce29ad14c6fa3902b6bae706

SHA512
a6a2e43fff4e6da7dc6f7bfc41d66b3f3aca0211f468ecac9a36d4a46993d11daee27d3fa58fded2ca446623b3d4eded96455df1c85140e0c248b4777a2a8000

Download Submit
C:\Windows\SysWOW64\Gdnjfojj.exe

Filesize
128KB

MD5
3daae99e7188f9c8b563a7fd77fd366f

SHA1
909c12e2f52576e610759dcbe2bd415fc73f89ba

SHA256
e09173e904d4324713f13a9ffe1fb9f6229856081606b931d2aca0c6968b041f

SHA512
e87150eef11c3141f68a43dcd06a2ccd16d14e59c92e2f21a430d7f25f1230c0836db29788c32b8bc6273f8253c3fed4dce2076009df9fe03bbe821ddaadedc9

Download Submit
C:\Windows\SysWOW64\Gjhfif32.exe

Filesize
128KB

MD5
cca58f317229de388713fe5a7faa499b

SHA1
f4ac0fa223b61c529e64aeca012082e915816e31

SHA256
30e35438e1c93416915520ad39e183ff61b946ebf24afdf4ed05bbc314f89209

SHA512
c2e1e41e3fb59a67c8126e2baa525dd9a2b44136fbfbcdcba2bb83b674af11159bd42543f0b2c07ecd866d000e5d41f51c656bbfad92649681e9f788228b9ca2

Download Submit
C:\Windows\SysWOW64\Gkalbj32.exe

Filesize
128KB

MD5
e4a3dc38b445e2946cc4456e2bc139f4

SHA1
236085d39d33ad03a638ede5d9098bab161f5fb6

SHA256
6955065a7ce6b21c9e39ec9943bdcec00416de47c3756e515656189b261d2dcf

SHA512
6bf30a40c82838933e569b0726bd4f9730e9981a0e9d53eb3c62e5f8f7b1cf2edd7d5e87e509e1c30dc33cd111d9a26e3b6dae3e00dbf4155fca096e5a9cf838

Download Submit
C:\Windows\SysWOW64\Gkhbbi32.exe

Filesize
128KB

MD5
063bb5e68eca6802d5632c7667fe6d5c

SHA1
e7c91dd1bee4923c98972e583c2c171f763e101c

SHA256
239ef5194c2b808c865eca8751bcf4299178d8bc4ffef9d8518c35caef417c37

SHA512
55945453e94ee93b7f4f6870cc8690c0392a38d0d72d219d1dd64dccb3f79d17dbaf3939bea71cd279af11508b7dc00780d621c8689f64445db86abd9b851d90

Download Submit
C:\Windows\SysWOW64\Gnaecedp.exe

Filesize
128KB

MD5
2e38b46592d22b9630bf9f8109636fdf

SHA1
4b910db1ea0ed096da79cbae55c090fd2bdc465e

SHA256
53e5f5bb7dd9f50b8f478bd8a337ba5a951cc7066ea60b1c17a512b1218097ea

SHA512
dd95d3514e1ef351583fa5082708dfdaead7035c65e971e5bee051e872b0046247a8e9e62da4b11738b6d7f46548a4608492d8241b55f60751f4581806737e54

Download Submit
C:\Windows\SysWOW64\Gnmlhf32.exe

Filesize
128KB

MD5
f8a638b108966de26489ad004362272c

SHA1
5712e264517d94a3b0d18cb7becf3408f278afc4

SHA256
5f03b9b3c2d038a6a9fdd3b71f3c0981343f2d7a56bf932aa09814ca775ecf49

SHA512
58be26ecfe5c4c47b65e486c78a6ab29e8e88d89e9527740270be8d8713a626eb91845d0cea7a579a508c7bc03ba158efbbf8ec3a6719ad25030c3e4f55b7f76

Download Submit
C:\Windows\SysWOW64\Gqkhda32.exe

Filesize
128KB

MD5
c78a9cc1d70a961ca6c234197e43710d

SHA1
889800e91cd7725b0a562d2d66355c829cbce8d0

SHA256
12fc43a672d60f8e258e89f570967b07660ab6a51d29117c393e36e8f3ba6be2

SHA512
fb909117574c2e7ab7cdf3e9f3446fae6c5e876ed61d93abf90e8b4216536110bfbd292961e3c0924b89a5cbdc6c1c20a6ea65d70603312ec83eaa50dbe582b3

Download Submit
C:\Windows\SysWOW64\Heepfn32.exe

Filesize
128KB

MD5
96b8585cc1ac714c378f17922129b4b3

SHA1
7c365670934c31a3aae935c665364c9bb30b2fe7

SHA256
29ad2928e8a2a465b29c54a83e80c0fdc4bfdfe5d3892c55c60abbb02ef774a3

SHA512
1571a715542ea5710142b9523643dbba1825324a48c2ef10af2982f067328db020ecde84a170a4bb286bda751a1944c655f0656e1a31570b329c6f0f733ca5a6

Download Submit
C:\Windows\SysWOW64\Hgapmj32.exe

Filesize
128KB

MD5
066088e040470587be9399a1106c3a3c

SHA1
020c9c49ce9296b2f0f3ae2d87c1dfbaa3202251

SHA256
95b3a435d90aa2885bb18f2e0d1a0b750e808b7cf5bbbda935be565b7a9b7296

SHA512
b82338767c4f1e9c934553febbf3d19b19475ea6528e2fafb3a616080391f01020de9139d7e69234187f4a376827fa35055581fbb335fcdc707bff4979c65dec

Download Submit
C:\Windows\SysWOW64\Hjmodffo.exe

Filesize
128KB

MD5
1d208299f93d5c3a4255e5750e3aab1e

SHA1
39c4fb79bcc2a5353200dd719e4149013899c0c1

SHA256
dacc45b1d9d26267426781cba45e27e68b08eb5db58b673f40afe645392cedc7

SHA512
be4dcb3fad51763780a62e7565022aa90c79736dda189ae4fa808c952cb6e0848f90efc7cd13d0e72523c640601c429feeb47bebea4389335a0237f001b60f92

Download Submit
C:\Windows\SysWOW64\Hkjohi32.exe

Filesize
128KB

MD5
9a7beca81dca87c1e83c6be08314e391

SHA1
30581a2149a4305253af034f48fba52bce400b41

SHA256
9d4eb7086bd85aa1bb309d415d51aa3e4eee6e891e1c487d8de0399292d8df1e

SHA512
3d571dcf564707636a15b048a6f4f7d7010fc7846c65d14ab63bb4a791ba098b6663d323c1baede243411f7a499e680cca5db27fefaa01f96cfc66eacf235bfe

Download Submit
C:\Windows\SysWOW64\Hnkhjdle.exe

Filesize
128KB

MD5
d6a5afa8c0701d3d6169bad9504c057c

SHA1
cb414b4cfe772e8453e29bb5873e21d3788d4413

SHA256
556f0bc994920f31ea3ba3eacf4b31be1ff49fc573037eb124b8b6f74117a53b

SHA512
ba066b3c9317328a5fe6ac4b5282ec12a8d05e6c500447ba001fc3455922754741ca08e4ca038904629d38d2fb69f15e0a878cf078d4f88808322addf6caa960

Download Submit
C:\Windows\SysWOW64\Hqdkkp32.exe

Filesize
128KB

MD5
7e685186892de70b9f18719a83adc1a4

SHA1
e6ef9afe3b9f3570763d21f32370a4979822b296

SHA256
89265888e7b6940099599a58493a6e221ccf78267729aeb21a85d0737b5acace

SHA512
725125947ee1cabad88cf2cf08d52b695a21102042db395ed3ec75c2298954956a3123b7f7ede87b23ac5b661e27cd7b7cced07cdc2331f70c1ff5d32af77b08

Download Submit
C:\Windows\SysWOW64\Hqghqpnl.exe

Filesize
128KB

MD5
cb440d387cf8d373d1a049eb9fc23e26

SHA1
cd2e50245418b30c480c1370bf03fbd2bb605709

SHA256
1cad763b756fd7a763c001b87ba47e2bcf547b819d2178b137ae07e85b6595f3

SHA512
04f801b4a4bc3bb1eef6a18d59d95ea00ee725dfffa20b9ab427feed6803e21177eab3d049f7a9f589985163f8bff8054bffcf8af9ecae51ba21f4ab2c8f985d

Download Submit
C:\Windows\SysWOW64\Ibbcfa32.exe

Filesize
128KB

MD5
0277d5c755596daec78f0b4620dca52a

SHA1
78ba8b4d3455e4289046ea1d4e4188a1681d8b8a

SHA256
d8bc37e335beff5e20409b8214f8f3aab65e867511c9e929db58a150428f4178

SHA512
ec442d8e32081099e92b53138b1e9be6ff72eb2fa82420ddde676d4371e981dbc63ba482dc885932ad68ba54e5fa88ea9b3ff4bf1816b0ba15a538e7fd621695

Download Submit
C:\Windows\SysWOW64\Ibpgqa32.exe

Filesize
128KB

MD5
0dd016a6267dbfdeeb7fb34f3bbd2ca1

SHA1
95b92a59dc3ab192d659200919324d4f52bf87fe

SHA256
d01b3dc3bfa46326c70535290a5cacd54f4576c1f45a0cb64a738bc603eb46f4

SHA512
3b3ed933173ad0c03d4aec4797c2be919abb1b20bf6e3e25c88e17402b8599fa5f2fdc1951e9c80ba80d4cfca5f6fbc235f96db8d41f5ed18d7528cba4326ef9

Download Submit
C:\Windows\SysWOW64\Ieeimlep.exe

Filesize
128KB

MD5
b6408bd89f5f3a945be8213cfb1f7eba

SHA1
5945a234e0efcfde420c82f6e831703ab2f68bd6

SHA256
179e1e2f7dc7e92409bed4cef758ce999b50c24bdcdb284bc94b01b2d65f6da8

SHA512
afcfdcf2125c27a19e05255fe276a0a6db61b1814b89bc11da299df214e60214356824df3eca1484a8575a89234acdc20cc575884abb5a02b42d923c471c4bbc

Download Submit
C:\Windows\SysWOW64\Iencmm32.exe

Filesize
128KB

MD5
fe5895eda0a2687c9b2bffd9643cd3f1

SHA1
fce6a777936e36d40c91bf7365586b9b99bc433a

SHA256
33f89d9ea140dba5c421592b32742ac3083e6e33bbdd2634a2c82eaca303a652

SHA512
80821e0372e16b825edbeb8a462694efc08707fc9ec19d5b1546ff5d193c14e4c500ce1aa29ef9fbe965a5334cc495f97400a2f3ae68469091d254f15ebbcd0d

Download Submit
C:\Windows\SysWOW64\Ieqpbm32.exe

Filesize
128KB

MD5
0fd9a0b8c4b8073b4149f9ce86bb9b21

SHA1
8a6515abe7dd4b6329033b1ef57e888212fe91c8

SHA256
ac04935610c4cdbebba1b6edce968033b5cec74c6d1ea906f32a652fac0db235

SHA512
6d7957741adfdd970fafcb7b67d66813392bff03ff5f6d2b6e343011d7c9a5cc03430d2dea601d4c8a4a43cae02aa2b3583d3be557497646783be0beaa98fd30

Download Submit
C:\Windows\SysWOW64\Ihaidhgf.exe

Filesize
128KB

MD5
b115b4dd1b75b3d2125d8129e863f1c4

SHA1
6aed68d3e850e1dabc1888c8d6bb7b4946276a33

SHA256
dbfe852602d487d31243b0794c5ad97c77a0e2ca773b7514581c43512105b9f9

SHA512
33e6b723b756449186690d32d28e3e8de26437ed2f5154788b10d8aae6221931c7cf300e405c92258ae849dda89a513e37f42888158cdef366da4578da189b7d

Download Submit
C:\Windows\SysWOW64\Ijbbfc32.exe

Filesize
128KB

MD5
5366917b12c87b44c2ff8a7239d0efee

SHA1
d753546dba06f7c4a9ed7af7913ef12799efe536

SHA256
455c33334fb484bb70cf2d964041b870b0b61938cc3c31103d5b5b8b60892cf9

SHA512
07014628bbb367b24e39f802729212af1e530d21c72605034b400ea3073eaebfe049acc65a09dd189d3653d48fbab81c7d8b671ab1c4b866bed3ba1b1b932cb8

Download Submit
C:\Windows\SysWOW64\Ilhkigcd.exe

Filesize
128KB

MD5
9858a4b204221308e9e07e9707f39206

SHA1
b752e85fbf35d995c6922911de971fd1e811d68b

SHA256
3e962ecf45e1ab3395f5c1907dde29c7e691e16abf9411922333bd1573b5d3f6

SHA512
7e38dc912c98dce2ea20f6ed9c59d7a37dd13d48caebf40c442b791d47eed13d749f3a7fe51b6a4e468a992b12a7b3cbc314a34bcd95e61ace4d610739fb8281

Download Submit
C:\Windows\SysWOW64\Ilkhog32.exe

Filesize
128KB

MD5
78b26326b52e9e6bebd04139e4a21486

SHA1
cfdeefef35e91cde56d08fa9aaf1d65ddf70a7d0

SHA256
854da222e539ad27aababc194bcc72402870cbf0713b111f2b7c097480b4188c

SHA512
5b444e63909a5ac76ba06347f7946ed60ef7533ca5c6f71a9c9782784a689351d1bb517679e4209c92d944d43ccf073882c5af889c7faefcdd510bc35587f48a

Download Submit
C:\Windows\SysWOW64\Inidkb32.exe

Filesize
128KB

MD5
f1654cf499f697f6088d480088c65506

SHA1
90636c555f1dc27053eb776e455fd21e1a507afb

SHA256
dc5baa1e9fa6ff90e17bfca72c4ce7265309d3e95171a4ed70b2504fdcb774da

SHA512
c420e2154d518f172bd97ebc50c20256ad64bd8dc710a34d459fdf5d6bb1ec81925b1bab57db81447872b49981b06b137ccf3f8d2427e73f18700eb03a9f45d3

Download Submit
C:\Windows\SysWOW64\Inkaqb32.exe

Filesize
128KB

MD5
4d7bdbad712ce4deb79e9623bfb587cd

SHA1
947e8cfd398a8c54d186f725a4f67329c2ce11e5

SHA256
975201e34cd674ad025b89cf317c99622a12cd04d7965d626189a69b76230060

SHA512
edfc2e53bfb79b62e3861b8ab8da04db1462f1df479cc6f71e9c1382ce64fac85fc466093f6a22b758f078224c6a7edf90bc4e30a7cde1454b9e55db91116538

Download Submit
C:\Windows\SysWOW64\Jaljbmkd.exe

Filesize
128KB

MD5
2c8a7c32f6ba0ce6b8880f91a054f83e

SHA1
2681f2afe7229388f82cc24469de18e1aac059e0

SHA256
f48a2dbd2cc0785b8156e49f97e467c5b039351d3036633be1232dbbfdcc3f93

SHA512
fe19e86cc2a7e5e70a31637cbb8c807b3b82658c8997470b72a2e782ca0e6e200cd2c6fd71f0b37483ea2e4591d905c5a21604afabf9cff7be83f30ca061db8a

Download Submit
C:\Windows\SysWOW64\Keceoj32.exe

Filesize
128KB

MD5
11d324742ebb5829a6bd02e3956f1da5

SHA1
e2819d2c654b8cdc30897a2bd5754d0960a5d7cf

SHA256
849354237846a27fb5d7729b91ab0cd0cb9685b58bfbd386d6b414eacb9d3d3b

SHA512
a151ee296c05ec5e45f26558faf9e9fb3be7c20f0b2d5cf053d567998b5e86d1c9671deb1b392399da62e69e0042d86ef71ad752df1b854ad53d2b04c4cbf051

Download Submit
C:\Windows\SysWOW64\Lbcedmnl.exe

Filesize
128KB

MD5
021473dfb26f7e4e7484f82f44df435f

SHA1
0d7ff59407fc5276bf0373539c866942f229c1a5

SHA256
02f00c71ea59d8ec5aa5d4d7115d8f2d5b75f71b954837c1618bc55222fbc871

SHA512
ca46833300b234ec1e87d357ad4be0f57f796d9c867fc15adf37e8ca49593ce04c8e5793335a1a2402f8c086779aa40e51973c82de24f103f5237ed359a47e68

Download Submit
C:\Windows\SysWOW64\Lifcnk32.dll

Filesize
7KB

MD5
ec7294059820a1a65a70ffd1941e12cf

SHA1
1eb6f74875b2f3bb80e5d1fdd5290a08f8a79817

SHA256
e454287187798582da0f5b0f8f50d3d39a405b8b494312561d8b9e0b4f853562

SHA512
6e4dcb9a7c6b48d3ec07f6790a650d94d6799b4c7713c1d4b013d6c6b151a8fb3b5059b73599d6b6b3e7f7fd308ef75973b173831865257798c69a96ff967105

Download Submit
C:\Windows\SysWOW64\Llpchaqg.exe

Filesize
128KB

MD5
270a5782fdd3415e76441789d178af3c

SHA1
236875b62ec4837502ababbff9e797cfac483f12

SHA256
57ecdd538f61d1cf16db98f97a053c615909498617d448c7dc4a05bf0a5dbbb2

SHA512
c56cf01213afa6911da199f053f9a170eb264cb07292e384221fc55c3d94701cbcb030dcf73132387d4e003c54991ca646a71ebcb31e6cfc35cf56e96df78ee1

Download Submit
C:\Windows\SysWOW64\Nfiagd32.exe

Filesize
128KB

MD5
2216bff6c4009b7deadb8c6ec94d40e6

SHA1
7dac53a6e439d267fa0ee867554ce329a174d62a

SHA256
b4a3078d6e3d9b7050b0855f0fbeef520c1dffa01796e5f5ad5f371d1f795ec0

SHA512
f1b9d9b40dc071954531beb3d77f2c319256c404d893551801517ff5a6bc820fccbff06fca66967aa936cf2a6aa15b91653abca17530bf5fd6487fda53b90935

Download Submit
C:\Windows\SysWOW64\Obpkcc32.exe

Filesize
64KB

MD5
e9848f03b819706cad42ed7885cc488a

SHA1
fdb38d60859154fe8a7e1915f34e1a872b48b413

SHA256
ada10023b601510478569043f0527b3dfc6d5fcd404d4bf8fb0f94c80e890294

SHA512
dccaec52a9e2d1470af7961a3601c4e736ada4669e20e8d71259be4211a5d63020eb65d90e27ab69732466cf9a84a4467b0da566a50ffa74bbc8e95003aa5648

Download Submit
C:\Windows\SysWOW64\Ocdgahag.exe

Filesize
128KB

MD5
77f06dac9b247a214243352ada7cfd49

SHA1
75b0de835d161e41e8bff3d59193f22ac11ec3e2

SHA256
608d122f5c199900e26ef0fc16bc5f7516bb0849dd125d8c173d79e5a19a2864

SHA512
bbfa7555825fc356049c45ea0c046de6bf89321874b4fa1fa4d6a3da0e45ee62f89a1eeb65e555bd4cbb0c307520fda6af511b704b9dfd956974d27c70a08e8e

Download Submit
C:\Windows\SysWOW64\Ocknbglo.exe

Filesize
128KB

MD5
5d6f9a85734a08ecd5f74b998043dbc3

SHA1
e5cec7310ae798ceb1554e9edceb594725825d23

SHA256
100f06d123e3990963cdb5bbe1db3d41a06ce816af9a25e85be70ebdac6eeddf

SHA512
7f011694beb8b0aa4eef0c19f67404efa72792c839b9be256af56eb06703c4467f644daaa5c9c2ebf54dd0b3ce909c53d7272fab2cabb956a43e21f0a621dbe3

Download Submit
C:\Windows\SysWOW64\Pbgqdb32.exe

Filesize
128KB

MD5
e730dbc0881bf49e67f1b92a62862340

SHA1
ba1f8eba55f2e53965a40eb69bc4335be4425738

SHA256
569a60e1ab5b07ee521551ce08a8857d49adf3ae65b82c674e41d23366228166

SHA512
9549f5f692c441c2134eb4b1e1656bcfd2c8105d5573a1a434deb44bfc98e11d404e805ea0b519c5797168eea150f7348950e7524254e4c70a211068196f1558

Download Submit
C:\Windows\SysWOW64\Pmhkflnj.exe

Filesize
128KB

MD5
91fb87233ae4dff768ed748bf72ba63c

SHA1
a4a9d07c46bd6298ce94a6bc812511631f048955

SHA256
50a7ecde6f05f34e5830e68001f804abc2680917711e0600f5be9a4112ccb134

SHA512
5d1618b674e53e028230cc0fb0243af14424a31a38353335f17a40aff340ccfdc2a25eb1b181f83ac2f47940abb3ef53887d152936035971ec7cb154a372b00a

Download Submit
C:\Windows\SysWOW64\Pmoagk32.exe

Filesize
128KB

MD5
687d9626698b6769d152878685a2889c

SHA1
b5afc7e1165295fc49b5f0134aad89675498ecc5

SHA256
2716293a1d67325ee9e4be394afc9336a1c420955cda3b4beba0c18f95c70588

SHA512
6c8f0d395215c575edab0e17fa1cd7ebf3d38fca59c7b483994d7f0306e8010b2980d884017513ba6aaf337db1ea0895bac2ce5f4a5b04837f9f0fb2cae02925

Download Submit
C:\Windows\SysWOW64\Qmanljfo.exe

Filesize
128KB

MD5
b1cf5dec5febbe52d49f6b6cf9bb1af8

SHA1
faeb1223a030094d229acc884a91675848aef531

SHA256
fc311ec6a911adb36a71e4a65cdf1d3806129d0cebda8f57dd3ee4967af16eef

SHA512
5fbf8f4a1d546c918558bfdc470d4dc470bc6c448efe4af642efe149534bdab67ef4525f8fea874a3e5acb7f9cff9f994239a52f888e314ca973776445fb7fe6

Download Submit
memory/408-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/724-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/840-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/844-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/908-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1192-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1196-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1216-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1280-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1280-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1332-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1340-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1340-588-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1400-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1416-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1512-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1564-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1740-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1768-567-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1768-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2128-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2424-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2452-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2928-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3052-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3080-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3104-211-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3296-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3360-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3504-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3528-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3528-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3556-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3640-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3644-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3740-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3820-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3988-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4040-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4056-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4060-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4128-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4192-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4268-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4312-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4360-574-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4360-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4456-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4556-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4748-553-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4748-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4752-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4752-546-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4816-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4872-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4920-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4968-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-581-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5004-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5136-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5180-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5220-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5260-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5300-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5340-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5372-1280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5380-515-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5420-521-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5460-527-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5500-533-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5540-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5584-547-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5632-554-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5676-561-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5720-568-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5764-575-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5808-582-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5852-589-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6364-1231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6524-1228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6852-1219-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6956-1245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7048-1242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads