fe02d8bd031828aa9a5a241b2e82bef8430eca143390de2df47700d2422475a8

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe02d8bd031828aa9a5a241b2e82bef8430eca143390de2df47700d2422475a8N.exe
Size

73KB
MD5

8fbd18a96ec881781f0e33e71a3845e0
SHA1

68f596b39e129a0bb06ba77ecdfa75463c8a7d69
SHA256

fe02d8bd031828aa9a5a241b2e82bef8430eca143390de2df47700d2422475a8
SHA512

6d4f99051d088a1719a93f9d967ecb6b01426543a5d94f3db60037e7057e0caf8761058a7be5b3ba8e807a01e5b710eeb8144242811b28b122ba192d74d04a6e
SSDEEP

1536:5jWSAp2o+oynHpLXuOUFCJjCYYYYYYYqA9Ugi5YMkhohQ:5yj25JrUFCOA9UgOUt

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdjpfgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meljbqna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okbapi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coladm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efmlqigc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emgdmc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijiaabk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhklna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epcddopf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jajocl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfcmlg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bggjjlnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onldqejb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qekbgbpf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhbmip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bggjjlnb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckecpjdh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jacibm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oehicoom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blipno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnabffeo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejcofica.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	fe02d8bd031828aa9a5a241b2e82bef8430eca143390de2df47700d2422475a8N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kngekdnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oehicoom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ablbjj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clkicbfa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnhefh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egebjmdn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkimpfmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nobndj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahngomkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbfjkj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmaijdc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbldk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddbmcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecgjdong.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfglfdeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maoalb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njnokdaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omhkcnfg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onldqejb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjkfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfcmlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epqgopbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jacibm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omhkcnfg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ablbjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blgcio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bceeqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckecpjdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnckki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efmlqigc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhdpnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baclaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cceapl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epcddopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egpena32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njeelc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnabffeo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cppobaeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clkicbfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkimpfmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdgpfnf.exe

Executes dropped EXE 64 IoCs

pid	Process
2764	Jacibm32.exe
2828	Jkimpfmg.exe
2744	Jgpndg32.exe
2624	Jjnjqb32.exe
1680	Jajocl32.exe
2548	Kgdgpfnf.exe
2536	Kmclmm32.exe
1692	Kngekdnf.exe
1012	Khojcj32.exe
1084	Lolofd32.exe
2668	Lhdcojaa.exe
524	Lkelpd32.exe
2388	Ldmaijdc.exe
2284	Lijiaabk.exe
1948	Lbbnjgik.exe
1944	Lcdjpfgh.exe
316	Mhdpnm32.exe
1932	Mlahdkjc.exe
2180	Maoalb32.exe
1488	Meljbqna.exe
1876	Moenkf32.exe
1800	Njnokdaq.exe
860	Nknkeg32.exe
2472	Ndfpnl32.exe
2652	Nfglfdeb.exe
2756	Njeelc32.exe
2780	Nobndj32.exe
2216	Oodjjign.exe
2672	Omhkcnfg.exe
2644	Ogbldk32.exe
2612	Onldqejb.exe
1292	Oehicoom.exe
1760	Okbapi32.exe
2260	Omcngamh.exe
2060	Pjjkfe32.exe
2800	Plndcmmj.exe
1092	Pcdldknm.exe
520	Piadma32.exe
2188	Pidaba32.exe
2484	Qnqjkh32.exe
2344	Qekbgbpf.exe
1268	Qjgjpi32.exe
1496	Anecfgdc.exe
544	Ahngomkd.exe
1656	Apnfno32.exe
3000	Ablbjj32.exe
2424	Aifjgdkj.exe
824	Appbcn32.exe
2984	Bemkle32.exe
2868	Blgcio32.exe
2772	Baclaf32.exe
2528	Blipno32.exe
2660	Bafhff32.exe
2692	Blkmdodf.exe
2584	Bceeqi32.exe
2056	Bhbmip32.exe
2156	Blniinac.exe
572	Bnofaf32.exe
2988	Bggjjlnb.exe
2160	Cnabffeo.exe
376	Cppobaeb.exe
2124	Ckecpjdh.exe
2192	Caokmd32.exe
1628	Ccqhdmbc.exe

Loads dropped DLL 64 IoCs

pid	Process
1056	fe02d8bd031828aa9a5a241b2e82bef8430eca143390de2df47700d2422475a8N.exe
1056	fe02d8bd031828aa9a5a241b2e82bef8430eca143390de2df47700d2422475a8N.exe
2764	Jacibm32.exe
2764	Jacibm32.exe
2828	Jkimpfmg.exe
2828	Jkimpfmg.exe
2744	Jgpndg32.exe
2744	Jgpndg32.exe
2624	Jjnjqb32.exe
2624	Jjnjqb32.exe
1680	Jajocl32.exe
1680	Jajocl32.exe
2548	Kgdgpfnf.exe
2548	Kgdgpfnf.exe
2536	Kmclmm32.exe
2536	Kmclmm32.exe
1692	Kngekdnf.exe
1692	Kngekdnf.exe
1012	Khojcj32.exe
1012	Khojcj32.exe
1084	Lolofd32.exe
1084	Lolofd32.exe
2668	Lhdcojaa.exe
2668	Lhdcojaa.exe
524	Lkelpd32.exe
524	Lkelpd32.exe
2388	Ldmaijdc.exe
2388	Ldmaijdc.exe
2284	Lijiaabk.exe
2284	Lijiaabk.exe
1948	Lbbnjgik.exe
1948	Lbbnjgik.exe
1944	Lcdjpfgh.exe
1944	Lcdjpfgh.exe
316	Mhdpnm32.exe
316	Mhdpnm32.exe
1932	Mlahdkjc.exe
1932	Mlahdkjc.exe
2180	Maoalb32.exe
2180	Maoalb32.exe
1488	Meljbqna.exe
1488	Meljbqna.exe
1876	Moenkf32.exe
1876	Moenkf32.exe
1800	Njnokdaq.exe
1800	Njnokdaq.exe
860	Nknkeg32.exe
860	Nknkeg32.exe
2472	Ndfpnl32.exe
2472	Ndfpnl32.exe
2652	Nfglfdeb.exe
2652	Nfglfdeb.exe
2756	Njeelc32.exe
2756	Njeelc32.exe
2780	Nobndj32.exe
2780	Nobndj32.exe
2216	Oodjjign.exe
2216	Oodjjign.exe
2672	Omhkcnfg.exe
2672	Omhkcnfg.exe
2644	Ogbldk32.exe
2644	Ogbldk32.exe
2612	Onldqejb.exe
2612	Onldqejb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bnlpkh32.dll	Jgpndg32.exe
File opened for modification	C:\Windows\SysWOW64\Pjjkfe32.exe	Omcngamh.exe
File created	C:\Windows\SysWOW64\Egpena32.exe	Efoifiep.exe
File created	C:\Windows\SysWOW64\Dnjalhpp.exe	Ddbmcb32.exe
File created	C:\Windows\SysWOW64\Appbcn32.exe	Aifjgdkj.exe
File created	C:\Windows\SysWOW64\Dnfhqi32.exe	Ddmchcnd.exe
File created	C:\Windows\SysWOW64\Ddbmcb32.exe	Dnhefh32.exe
File opened for modification	C:\Windows\SysWOW64\Epqgopbi.exe	Ejcofica.exe
File created	C:\Windows\SysWOW64\Nhocol32.dll	fe02d8bd031828aa9a5a241b2e82bef8430eca143390de2df47700d2422475a8N.exe
File created	C:\Windows\SysWOW64\Jdbnpf32.dll	Nobndj32.exe
File created	C:\Windows\SysWOW64\Nliqma32.dll	Clkicbfa.exe
File created	C:\Windows\SysWOW64\Epqgopbi.exe	Ejcofica.exe
File created	C:\Windows\SysWOW64\Fakmpf32.dll	Emgdmc32.exe
File opened for modification	C:\Windows\SysWOW64\Kgdgpfnf.exe	Jajocl32.exe
File opened for modification	C:\Windows\SysWOW64\Kmclmm32.exe	Kgdgpfnf.exe
File created	C:\Windows\SysWOW64\Lijiaabk.exe	Ldmaijdc.exe
File created	C:\Windows\SysWOW64\Goigjpaa.dll	Piadma32.exe
File created	C:\Windows\SysWOW64\Egebjmdn.exe	Eqkjmcmq.exe
File created	C:\Windows\SysWOW64\Aggpokfi.dll	Kmclmm32.exe
File created	C:\Windows\SysWOW64\Ldmaijdc.exe	Lkelpd32.exe
File created	C:\Windows\SysWOW64\Fmaobq32.dll	Lkelpd32.exe
File opened for modification	C:\Windows\SysWOW64\Njnokdaq.exe	Moenkf32.exe
File opened for modification	C:\Windows\SysWOW64\Cnabffeo.exe	Bggjjlnb.exe
File created	C:\Windows\SysWOW64\Iiobie32.dll	Jacibm32.exe
File opened for modification	C:\Windows\SysWOW64\Mhdpnm32.exe	Lcdjpfgh.exe
File created	C:\Windows\SysWOW64\Qekbgbpf.exe	Qnqjkh32.exe
File created	C:\Windows\SysWOW64\Iidbakdl.dll	Caokmd32.exe
File created	C:\Windows\SysWOW64\Lcdjpfgh.exe	Lbbnjgik.exe
File created	C:\Windows\SysWOW64\Agflga32.dll	Pjjkfe32.exe
File created	C:\Windows\SysWOW64\Njohaaaf.dll	Appbcn32.exe
File created	C:\Windows\SysWOW64\Mmmlmc32.dll	Blniinac.exe
File created	C:\Windows\SysWOW64\Fdjcfm32.dll	Onldqejb.exe
File created	C:\Windows\SysWOW64\Caokmd32.exe	Ckecpjdh.exe
File opened for modification	C:\Windows\SysWOW64\Cdpdnpif.exe	Cjjpag32.exe
File created	C:\Windows\SysWOW64\Fogiamne.dll	Lhdcojaa.exe
File created	C:\Windows\SysWOW64\Ndfpnl32.exe	Nknkeg32.exe
File created	C:\Windows\SysWOW64\Jegaol32.dll	Anecfgdc.exe
File created	C:\Windows\SysWOW64\Bgjond32.dll	Dnhefh32.exe
File opened for modification	C:\Windows\SysWOW64\Bafhff32.exe	Blipno32.exe
File created	C:\Windows\SysWOW64\Ejfllhao.exe	Epqgopbi.exe
File created	C:\Windows\SysWOW64\Oehicoom.exe	Onldqejb.exe
File created	C:\Windows\SysWOW64\Ecgjdong.exe	Dnjalhpp.exe
File opened for modification	C:\Windows\SysWOW64\Maoalb32.exe	Mlahdkjc.exe
File opened for modification	C:\Windows\SysWOW64\Blipno32.exe	Baclaf32.exe
File created	C:\Windows\SysWOW64\Mgaajh32.dll	Bafhff32.exe
File opened for modification	C:\Windows\SysWOW64\Bhbmip32.exe	Bceeqi32.exe
File opened for modification	C:\Windows\SysWOW64\Egebjmdn.exe	Eqkjmcmq.exe
File created	C:\Windows\SysWOW64\Noggch32.dll	Mlahdkjc.exe
File created	C:\Windows\SysWOW64\Aankboko.dll	Cjjpag32.exe
File opened for modification	C:\Windows\SysWOW64\Dnfhqi32.exe	Ddmchcnd.exe
File created	C:\Windows\SysWOW64\Aifjgdkj.exe	Ablbjj32.exe
File created	C:\Windows\SysWOW64\Klqddq32.dll	Bnofaf32.exe
File created	C:\Windows\SysWOW64\Bemkle32.exe	Appbcn32.exe
File created	C:\Windows\SysWOW64\Dangeigl.dll	Cnabffeo.exe
File created	C:\Windows\SysWOW64\Jacibm32.exe	fe02d8bd031828aa9a5a241b2e82bef8430eca143390de2df47700d2422475a8N.exe
File opened for modification	C:\Windows\SysWOW64\Jgpndg32.exe	Jkimpfmg.exe
File created	C:\Windows\SysWOW64\Ompjookk.dll	Meljbqna.exe
File opened for modification	C:\Windows\SysWOW64\Nobndj32.exe	Njeelc32.exe
File created	C:\Windows\SysWOW64\Onldqejb.exe	Ogbldk32.exe
File created	C:\Windows\SysWOW64\Jenndm32.dll	Okbapi32.exe
File created	C:\Windows\SysWOW64\Mghomh32.dll	Khojcj32.exe
File created	C:\Windows\SysWOW64\Qjgjpi32.exe	Qekbgbpf.exe
File created	C:\Windows\SysWOW64\Igooceih.dll	Qekbgbpf.exe
File created	C:\Windows\SysWOW64\Anecfgdc.exe	Qjgjpi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2016	2108	WerFault.exe	121

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdldknm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aifjgdkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfcmlg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efoifiep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khojcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onldqejb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maoalb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjgjpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhbmip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blniinac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnabffeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnhefh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lolofd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhdcojaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nknkeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oodjjign.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omhkcnfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blipno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caokmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jacibm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kngekdnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnokdaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckecpjdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bemkle32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnfhqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnjalhpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbldk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omcngamh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efmlqigc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baclaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdpdnpif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apnfno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfhgggim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emgdmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moenkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okbapi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plndcmmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qekbgbpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blgcio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnckki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbfjkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jajocl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meljbqna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlahdkjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nobndj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ablbjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epqgopbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkimpfmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmclmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhdpnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfglfdeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anecfgdc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnofaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe02d8bd031828aa9a5a241b2e82bef8430eca143390de2df47700d2422475a8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgdgpfnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njeelc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Appbcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egpena32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbbnjgik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfpnl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccqhdmbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkbbinig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmchcnd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caokmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nknkeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Plndcmmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apnfno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnofaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkbbinig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jgpndg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdjpfgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baclaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egpena32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgdgpfnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blniinac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdpdnpif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blgcio32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkimpfmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pphjan32.dll"	Lijiaabk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihcbim32.dll"	Qnqjkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maoalb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qekbgbpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefllkej.dll"	Blkmdodf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agflga32.dll"	Pjjkfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiakeijo.dll"	Egpena32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifijkq32.dll"	Oodjjign.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffemqioj.dll"	Ahngomkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baclaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bceeqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdjpfgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maoalb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahngomkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcacil32.dll"	Ckecpjdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejcofica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghomh32.dll"	Khojcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijiaabk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghibjjfb.dll"	Njnokdaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omcngamh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dangeigl.dll"	Cnabffeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqkjmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epcddopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ompjookk.dll"	Meljbqna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eidmboob.dll"	Bemkle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alakfjbc.dll"	Bggjjlnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efmlqigc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhdpnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlahdkjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Meljbqna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkelpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmhdkakc.dll"	Cfcmlg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecgjdong.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqkjmcmq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efoifiep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jacibm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfcmlg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkbbinig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfcmlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhmcad32.dll"	Lbbnjgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfglfdeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cppobaeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfeilp32.dll"	Kngekdnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Piadma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnhefh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bggjjlnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqpkpl32.dll"	Ejcofica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akomon32.dll"	Efmlqigc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jgpndg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 2764	1056	fe02d8bd031828aa9a5a241b2e82bef8430eca143390de2df47700d2422475a8N.exe	30
PID 1056 wrote to memory of 2764	1056	fe02d8bd031828aa9a5a241b2e82bef8430eca143390de2df47700d2422475a8N.exe	30
PID 1056 wrote to memory of 2764	1056	fe02d8bd031828aa9a5a241b2e82bef8430eca143390de2df47700d2422475a8N.exe	30
PID 1056 wrote to memory of 2764	1056	fe02d8bd031828aa9a5a241b2e82bef8430eca143390de2df47700d2422475a8N.exe	30
PID 2764 wrote to memory of 2828	2764	Jacibm32.exe	31
PID 2764 wrote to memory of 2828	2764	Jacibm32.exe	31
PID 2764 wrote to memory of 2828	2764	Jacibm32.exe	31
PID 2764 wrote to memory of 2828	2764	Jacibm32.exe	31
PID 2828 wrote to memory of 2744	2828	Jkimpfmg.exe	32
PID 2828 wrote to memory of 2744	2828	Jkimpfmg.exe	32
PID 2828 wrote to memory of 2744	2828	Jkimpfmg.exe	32
PID 2828 wrote to memory of 2744	2828	Jkimpfmg.exe	32
PID 2744 wrote to memory of 2624	2744	Jgpndg32.exe	33
PID 2744 wrote to memory of 2624	2744	Jgpndg32.exe	33
PID 2744 wrote to memory of 2624	2744	Jgpndg32.exe	33
PID 2744 wrote to memory of 2624	2744	Jgpndg32.exe	33
PID 2624 wrote to memory of 1680	2624	Jjnjqb32.exe	34
PID 2624 wrote to memory of 1680	2624	Jjnjqb32.exe	34
PID 2624 wrote to memory of 1680	2624	Jjnjqb32.exe	34
PID 2624 wrote to memory of 1680	2624	Jjnjqb32.exe	34
PID 1680 wrote to memory of 2548	1680	Jajocl32.exe	35
PID 1680 wrote to memory of 2548	1680	Jajocl32.exe	35
PID 1680 wrote to memory of 2548	1680	Jajocl32.exe	35
PID 1680 wrote to memory of 2548	1680	Jajocl32.exe	35
PID 2548 wrote to memory of 2536	2548	Kgdgpfnf.exe	36
PID 2548 wrote to memory of 2536	2548	Kgdgpfnf.exe	36
PID 2548 wrote to memory of 2536	2548	Kgdgpfnf.exe	36
PID 2548 wrote to memory of 2536	2548	Kgdgpfnf.exe	36
PID 2536 wrote to memory of 1692	2536	Kmclmm32.exe	37
PID 2536 wrote to memory of 1692	2536	Kmclmm32.exe	37
PID 2536 wrote to memory of 1692	2536	Kmclmm32.exe	37
PID 2536 wrote to memory of 1692	2536	Kmclmm32.exe	37
PID 1692 wrote to memory of 1012	1692	Kngekdnf.exe	38
PID 1692 wrote to memory of 1012	1692	Kngekdnf.exe	38
PID 1692 wrote to memory of 1012	1692	Kngekdnf.exe	38
PID 1692 wrote to memory of 1012	1692	Kngekdnf.exe	38
PID 1012 wrote to memory of 1084	1012	Khojcj32.exe	39
PID 1012 wrote to memory of 1084	1012	Khojcj32.exe	39
PID 1012 wrote to memory of 1084	1012	Khojcj32.exe	39
PID 1012 wrote to memory of 1084	1012	Khojcj32.exe	39
PID 1084 wrote to memory of 2668	1084	Lolofd32.exe	40
PID 1084 wrote to memory of 2668	1084	Lolofd32.exe	40
PID 1084 wrote to memory of 2668	1084	Lolofd32.exe	40
PID 1084 wrote to memory of 2668	1084	Lolofd32.exe	40
PID 2668 wrote to memory of 524	2668	Lhdcojaa.exe	41
PID 2668 wrote to memory of 524	2668	Lhdcojaa.exe	41
PID 2668 wrote to memory of 524	2668	Lhdcojaa.exe	41
PID 2668 wrote to memory of 524	2668	Lhdcojaa.exe	41
PID 524 wrote to memory of 2388	524	Lkelpd32.exe	42
PID 524 wrote to memory of 2388	524	Lkelpd32.exe	42
PID 524 wrote to memory of 2388	524	Lkelpd32.exe	42
PID 524 wrote to memory of 2388	524	Lkelpd32.exe	42
PID 2388 wrote to memory of 2284	2388	Ldmaijdc.exe	43
PID 2388 wrote to memory of 2284	2388	Ldmaijdc.exe	43
PID 2388 wrote to memory of 2284	2388	Ldmaijdc.exe	43
PID 2388 wrote to memory of 2284	2388	Ldmaijdc.exe	43
PID 2284 wrote to memory of 1948	2284	Lijiaabk.exe	44
PID 2284 wrote to memory of 1948	2284	Lijiaabk.exe	44
PID 2284 wrote to memory of 1948	2284	Lijiaabk.exe	44
PID 2284 wrote to memory of 1948	2284	Lijiaabk.exe	44
PID 1948 wrote to memory of 1944	1948	Lbbnjgik.exe	45
PID 1948 wrote to memory of 1944	1948	Lbbnjgik.exe	45
PID 1948 wrote to memory of 1944	1948	Lbbnjgik.exe	45
PID 1948 wrote to memory of 1944	1948	Lbbnjgik.exe	45

C:\Users\Admin\AppData\Local\Temp\fe02d8bd031828aa9a5a241b2e82bef8430eca143390de2df47700d2422475a8N.exe
"C:\Users\Admin\AppData\Local\Temp\fe02d8bd031828aa9a5a241b2e82bef8430eca143390de2df47700d2422475a8N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Windows\SysWOW64\Jacibm32.exe
  C:\Windows\system32\Jacibm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\Jkimpfmg.exe
    C:\Windows\system32\Jkimpfmg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\SysWOW64\Jgpndg32.exe
      C:\Windows\system32\Jgpndg32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\SysWOW64\Jjnjqb32.exe
        
        C:\Windows\system32\Jjnjqb32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Windows\SysWOW64\Jajocl32.exe
        
        C:\Windows\system32\Jajocl32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Kgdgpfnf.exe
        
        C:\Windows\system32\Kgdgpfnf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Kmclmm32.exe
        
        C:\Windows\system32\Kmclmm32.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Kngekdnf.exe
        
        C:\Windows\system32\Kngekdnf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Khojcj32.exe
        
        C:\Windows\system32\Khojcj32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Lolofd32.exe
        
        C:\Windows\system32\Lolofd32.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Lhdcojaa.exe
        
        C:\Windows\system32\Lhdcojaa.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Lkelpd32.exe
        
        C:\Windows\system32\Lkelpd32.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:524
        
        C:\Windows\SysWOW64\Ldmaijdc.exe
        
        C:\Windows\system32\Ldmaijdc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Lijiaabk.exe
        
        C:\Windows\system32\Lijiaabk.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Lbbnjgik.exe
        
        C:\Windows\system32\Lbbnjgik.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Lcdjpfgh.exe
        
        C:\Windows\system32\Lcdjpfgh.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Mhdpnm32.exe
        
        C:\Windows\system32\Mhdpnm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Mlahdkjc.exe
        
        C:\Windows\system32\Mlahdkjc.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Maoalb32.exe
        
        C:\Windows\system32\Maoalb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Meljbqna.exe
        
        C:\Windows\system32\Meljbqna.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Moenkf32.exe
        
        C:\Windows\system32\Moenkf32.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Windows\SysWOW64\Njnokdaq.exe
        
        C:\Windows\system32\Njnokdaq.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Nknkeg32.exe
        
        C:\Windows\system32\Nknkeg32.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Ndfpnl32.exe
        
        C:\Windows\system32\Ndfpnl32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\Nfglfdeb.exe
        
        C:\Windows\system32\Nfglfdeb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Njeelc32.exe
        
        C:\Windows\system32\Njeelc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\Nobndj32.exe
        
        C:\Windows\system32\Nobndj32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\Oodjjign.exe
        
        C:\Windows\system32\Oodjjign.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Omhkcnfg.exe
        
        C:\Windows\system32\Omhkcnfg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\Ogbldk32.exe
        
        C:\Windows\system32\Ogbldk32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\Onldqejb.exe
        
        C:\Windows\system32\Onldqejb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Windows\SysWOW64\Oehicoom.exe
        
        C:\Windows\system32\Oehicoom.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1292
        
        C:\Windows\SysWOW64\Okbapi32.exe
        
        C:\Windows\system32\Okbapi32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\Omcngamh.exe
        
        C:\Windows\system32\Omcngamh.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Pjjkfe32.exe
        
        C:\Windows\system32\Pjjkfe32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Plndcmmj.exe
        
        C:\Windows\system32\Plndcmmj.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Pcdldknm.exe
        
        C:\Windows\system32\Pcdldknm.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Windows\SysWOW64\Piadma32.exe
        
        C:\Windows\system32\Piadma32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:520
        
        C:\Windows\SysWOW64\Pidaba32.exe
        
        C:\Windows\system32\Pidaba32.exe
        40⤵
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\SysWOW64\Qnqjkh32.exe
        
        C:\Windows\system32\Qnqjkh32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Qekbgbpf.exe
        
        C:\Windows\system32\Qekbgbpf.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Qjgjpi32.exe
        
        C:\Windows\system32\Qjgjpi32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\Anecfgdc.exe
        
        C:\Windows\system32\Anecfgdc.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\Ahngomkd.exe
        
        C:\Windows\system32\Ahngomkd.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Apnfno32.exe
        
        C:\Windows\system32\Apnfno32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Ablbjj32.exe
        
        C:\Windows\system32\Ablbjj32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\Aifjgdkj.exe
        
        C:\Windows\system32\Aifjgdkj.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\Appbcn32.exe
        
        C:\Windows\system32\Appbcn32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:824
        
        C:\Windows\SysWOW64\Bemkle32.exe
        
        C:\Windows\system32\Bemkle32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Blgcio32.exe
        
        C:\Windows\system32\Blgcio32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Baclaf32.exe
        
        C:\Windows\system32\Baclaf32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Blipno32.exe
        
        C:\Windows\system32\Blipno32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\Bafhff32.exe
        
        C:\Windows\system32\Bafhff32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2660
        
        C:\Windows\SysWOW64\Blkmdodf.exe
        
        C:\Windows\system32\Blkmdodf.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Bceeqi32.exe
        
        C:\Windows\system32\Bceeqi32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Bhbmip32.exe
        
        C:\Windows\system32\Bhbmip32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Windows\SysWOW64\Blniinac.exe
        
        C:\Windows\system32\Blniinac.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Bnofaf32.exe
        
        C:\Windows\system32\Bnofaf32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\Bggjjlnb.exe
        
        C:\Windows\system32\Bggjjlnb.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Cnabffeo.exe
        
        C:\Windows\system32\Cnabffeo.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Cppobaeb.exe
        
        C:\Windows\system32\Cppobaeb.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Ckecpjdh.exe
        
        C:\Windows\system32\Ckecpjdh.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Caokmd32.exe
        
        C:\Windows\system32\Caokmd32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Ccqhdmbc.exe
        
        C:\Windows\system32\Ccqhdmbc.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\Cjjpag32.exe
        
        C:\Windows\system32\Cjjpag32.exe
        66⤵
        Drops file in System32 directory
        
        PID:844
        
        C:\Windows\SysWOW64\Cdpdnpif.exe
        
        C:\Windows\system32\Cdpdnpif.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Clkicbfa.exe
        
        C:\Windows\system32\Clkicbfa.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2004
        
        C:\Windows\SysWOW64\Cceapl32.exe
        
        C:\Windows\system32\Cceapl32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1156
        
        C:\Windows\SysWOW64\Cfcmlg32.exe
        
        C:\Windows\system32\Cfcmlg32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Coladm32.exe
        
        C:\Windows\system32\Coladm32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1864
        
        C:\Windows\SysWOW64\Dkbbinig.exe
        
        C:\Windows\system32\Dkbbinig.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Dfhgggim.exe
        
        C:\Windows\system32\Dfhgggim.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\Dnckki32.exe
        
        C:\Windows\system32\Dnckki32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\Ddmchcnd.exe
        
        C:\Windows\system32\Ddmchcnd.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\Dnfhqi32.exe
        
        C:\Windows\system32\Dnfhqi32.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\Dhklna32.exe
        
        C:\Windows\system32\Dhklna32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:556
        
        C:\Windows\SysWOW64\Dnhefh32.exe
        
        C:\Windows\system32\Dnhefh32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Ddbmcb32.exe
        
        C:\Windows\system32\Ddbmcb32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2400
        
        C:\Windows\SysWOW64\Dnjalhpp.exe
        
        C:\Windows\system32\Dnjalhpp.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\Ecgjdong.exe
        
        C:\Windows\system32\Ecgjdong.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Eqkjmcmq.exe
        
        C:\Windows\system32\Eqkjmcmq.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Egebjmdn.exe
        
        C:\Windows\system32\Egebjmdn.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:732
        
        C:\Windows\SysWOW64\Ejcofica.exe
        
        C:\Windows\system32\Ejcofica.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Epqgopbi.exe
        
        C:\Windows\system32\Epqgopbi.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\Ejfllhao.exe
        
        C:\Windows\system32\Ejfllhao.exe
        86⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\Epcddopf.exe
        
        C:\Windows\system32\Epcddopf.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Efmlqigc.exe
        
        C:\Windows\system32\Efmlqigc.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Emgdmc32.exe
        
        C:\Windows\system32\Emgdmc32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\Efoifiep.exe
        
        C:\Windows\system32\Efoifiep.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Egpena32.exe
        
        C:\Windows\system32\Egpena32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Fbfjkj32.exe
        
        C:\Windows\system32\Fbfjkj32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 140
        94⤵
        Program crash
        
        PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ablbjj32.exe

Filesize
73KB

MD5
5d52806a6ae3aedabfc2a070745f9f8a

SHA1
7827dcb0f6dc76afde1160a40a02103595e64b22

SHA256
32de61982551be9dda5cb35229752f7753caa4de8d75caa09c9ba01ff3654c0b

SHA512
65be90f3a6547558ed342599a57beeeb0cfd2f16b7076994aa7f8dcf1fe6006a43fe5308f898d8126e69c3e45a32461e7a8ac98a92bd7db30f5efb30f074edcc

Download Submit
C:\Windows\SysWOW64\Ahngomkd.exe

Filesize
73KB

MD5
1c25bce5b9d0ab6df35c9c58093e23d2

SHA1
03fd90670e177ad4ed9b1af5a230b345a44c261c

SHA256
bf8cf8550b74ebd7f87d3474c9fecd08bdfa997aa6e4f5b226e4a5c6668e25a9

SHA512
532016011223b901208c19cb63d89407b86c6883ea549db6b755aa16c9c5eaa26302320223c9586e44767c52ffe3feffbe5c42279351ca72af647ff6d06b522b

Download Submit
C:\Windows\SysWOW64\Aifjgdkj.exe

Filesize
73KB

MD5
2f8891552f97da0eb4ecad2dbb2a2267

SHA1
66a30ac301351bcaa4a871b50bd2713183398976

SHA256
a69c1aa321b782a93c76c31f4680a6bcd76fcef4f3b71e57153db27f1d5b1582

SHA512
51fba8acc5e76bf1361743d3ea7d997bd41fb5ecef486a95de6f436b4a399ad1eeff7a10a2aceea8b97a925c3215000693d0ff4345129381d3a11249adaec4b7

Download Submit
C:\Windows\SysWOW64\Anecfgdc.exe

Filesize
73KB

MD5
76e763456f3ab669103fbabd2783a606

SHA1
214e3af1791bc3765ad756c55df56a62652966c4

SHA256
dd47bd46f06dc65f26729ea250504de6103f0cd62f3f7d6056888153fa24f98e

SHA512
9012e60fd8e63538806ea001b8517142fa6162ecd4dfca61ab9ddc9932786f9c91b3a9875247344247ec104d0985d483dc2f636ed6bf1e992e2cef2fe7b0b4f8

Download Submit
C:\Windows\SysWOW64\Apnfno32.exe

Filesize
73KB

MD5
cfb866d4f51d9fa4fdac167cf0527ebc

SHA1
726aec13acc70c9c533eb0a429e27ec9a1d269ab

SHA256
e147d0c37e8be6ba8d2e553492cd86948e795c4a0b5bef505e47dedb4ae12688

SHA512
581d91d4f353978de882a108f68ff73a79babda3732388fb5ce8d68877ccf0ca7208ec6a09dd9033fdd9c4af18617c3d015a967baebf0af839ffff3613727ecd

Download Submit
C:\Windows\SysWOW64\Appbcn32.exe

Filesize
73KB

MD5
9784c40b38c9a71148a8ce0a5c5ceaf0

SHA1
4d9d7e82bae0641c4625eaff46ce2d588cac9110

SHA256
1d9ead3c6f6933433ff7159849368cb72f5544bef259612b074ba71ae6e6fa14

SHA512
cdc7a36fe916604a1253ea3064bb60d5b74d05d0e97aa8c3a71c120989efd933da985a3fe51dd6792cfb063b2cd86892b1cdd9707f8e66b91c95daa27ae635ba

Download Submit
C:\Windows\SysWOW64\Baclaf32.exe

Filesize
73KB

MD5
7b09de8854407fe16d1ccb388b632ef9

SHA1
c9f94eec5b742f9956d6f06e7bc8c576319b7e0a

SHA256
17b27ec9dced523c412fd0d255de6f82ede6369112ea63fb4321d8a5dc7af851

SHA512
de82f991542391b405ad9ff519b6d3853477e971f2ac93b7256c98fa870333e0bd48c1946863d5d6b76cf88e844a365171bbd08e7dbb24db4191d8c8499aa84d

Download Submit
C:\Windows\SysWOW64\Bafhff32.exe

Filesize
73KB

MD5
966bd829c9912ad94b76151fd55b3fb9

SHA1
36e952fffb87e6fcca019f01ade7923077a49e13

SHA256
0426bbf45f417576b77ff67437ac90d76cce98a99af47e9a87e478bd686b7ba4

SHA512
1e8959da2ff32d800f63bee8b5c2cb49395ed7fc578df85c8cbe37156c3fb1e2be2f77ccdab7f7d07e16cd4b867144cbbf2c2c65d32569d01797c36c10284b26

Download Submit
C:\Windows\SysWOW64\Bceeqi32.exe

Filesize
73KB

MD5
23ce9e45ad74ad77b03f4d8bb8f3b87d

SHA1
64a84db3bbcc7ab87aaf2e2cec7892272671f3b6

SHA256
349f3777c155c75c41a920993bcdfb83aef85a2de2909efd349005fdc2bdf235

SHA512
b637c2e154421338eda81875d8119f5e10fdfa69d7b827296ef1a9e821880f89052495b853e36d695d27de046b08bc609315366f1904117238e020697a36b6f4

Download Submit
C:\Windows\SysWOW64\Bemkle32.exe

Filesize
73KB

MD5
d06fb0da288b97f5e0928a00f581fd7a

SHA1
dff6cf2e6ad791591bd7c68de28c06505b35a87b

SHA256
14262c61bf2fcea7027fa8c8e563c2c083bd7d512038a5e468919ee11956a921

SHA512
c899b8928b7268cddd3bad51bc5d7d082fbabbe39a66ac18ede877d4cb4088cd9a49092de5319263ee875330df8d448305678b81072d0f5fa4f3582595b44b38

Download Submit
C:\Windows\SysWOW64\Bggjjlnb.exe

Filesize
73KB

MD5
7dc98a5009217c629b6df5e9e8add58e

SHA1
a19c4147f0694f4d4ce6919e5d46abea2dffb680

SHA256
a86e49d85473a8ca56b5369963116eea886923fe022f37ef0f7f35b50a92452e

SHA512
78ddbb7fd5bac83b8450f4cc25332b4e5c556d34b1db31aa5b8dffc94bdad70d2550ee8563f93b6096abf46b1e9db574841d5e785c92f42795a973b79ccc4c82

Download Submit
C:\Windows\SysWOW64\Bhbmip32.exe

Filesize
73KB

MD5
92b099f4499e193cc88e7871f44b166a

SHA1
fca0b4ceecd4aedb734bf4c3b6d31c72426e0509

SHA256
c5420cf694c7bc649940d80e863cdf4c256d8fc8196c9f3b4f3f3121ee88d572

SHA512
40d4f9e270020c0ced46d5f11a3ad891fd35b852aab75dc5a9abdd6f04243852ac74c99b942a76466e9cbab6f30f2678cdc98eaaf5330d7f1c3ba2ca1207dcf9

Download Submit
C:\Windows\SysWOW64\Blgcio32.exe

Filesize
73KB

MD5
094d2c946beed383c0bdf9bc19476f75

SHA1
37577b387e2bbdd761d3ffcf3557a16ec922f549

SHA256
743074fe1f647212c3dff1916903eeca611487beb7466b705588ae1a0523781f

SHA512
d054f7991047f83825fa3e9b1081ac1086b86009a879a1c554a9b5e21c1ffc2b50027affdf3ca1df84e68d4954001630d40ff2e9447c3e2d3a026016c4f7654c

Download Submit
C:\Windows\SysWOW64\Blipno32.exe

Filesize
73KB

MD5
5b614085dd649efd862025456ddcfaa1

SHA1
0266cf618cbd969456b156bd0102e2550972127b

SHA256
aba1a7f9002d65930cbfcfeb4a95c93ac1da2fa309c26b425ef03bd45c3f1789

SHA512
896912bbb00dd49292c675231065668787a3a8ab42b03be8bb7e3f0c0e6206b11b43bc96d3856da4714c5fad1d631c9f1eaf89048a3203d95980a96d11414ff1

Download Submit
C:\Windows\SysWOW64\Blkmdodf.exe

Filesize
73KB

MD5
efb1890ddcaa1f9a391f2af91a181781

SHA1
230597e4538750fda182c713b7796dc117e80247

SHA256
2203c6cd75071254e1b152b249134c360fb2e1656f3f10069b6656de30f0889d

SHA512
82c8b29d70f8a509403552bdf360fd16e7fce59da1e976ac76a7c993d2f11719e48d038d6150bf36765b8233faff99081b2d16647d89c12334514cbbdb2f7707

Download Submit
C:\Windows\SysWOW64\Blniinac.exe

Filesize
73KB

MD5
2200c7e9dc61aba9237d443605b00fa1

SHA1
e8b8eaa4f6f48eec94ec42eb5dcae98238ac5691

SHA256
df058979007b079e869c16776a03f71f426c8a84750a423c3162af4b75eb7c12

SHA512
b7f0eb3855c08ed0a4af63a6d31e76d8aae4e8cf94a7cfbb6d7f0c29d5aebcefc5ac50a1d4f62c51338bac8e4032bed770cb8a9bdfdd5e86cb6747abe4d053ea

Download Submit
C:\Windows\SysWOW64\Bnofaf32.exe

Filesize
73KB

MD5
15bcea3d40c20e2d0e4e4e45e6eebced

SHA1
d5ff2c52a9e9ea6e264a216913a0b745e4f7ce1b

SHA256
10c8bfacd0826775a2549d6e137bf07d2a42fa14c14a8e441a7ec1a0cc1e993a

SHA512
5f91da8767f1c343988f6a7903d504b0a7cb046c64a5bfdd3eaa57f25db56c5d92932c2d7506e4828db461b141be5fbadb4ac9e1308ce057a2b718d550bdd47c

Download Submit
C:\Windows\SysWOW64\Caokmd32.exe

Filesize
73KB

MD5
d3fc90a0dfa9f1883219b73db699b86e

SHA1
30da02f78bb3d490fb32f45512df992517d030e1

SHA256
d2564d134e84f144dd7b9bdc974f0b54b3dc9b72abc29b642694a412aa2897bb

SHA512
dd06cb90af3c7a67faaa8c048ac0d1b344c3a950b908bd98cfbddd4fa4b9c404be45dfdd4ecbd94bf97f399b99c330c8169650a8537de436253ae0f324a427b2

Download Submit
C:\Windows\SysWOW64\Cceapl32.exe

Filesize
73KB

MD5
31d9111a1d3040726b3f6f3af0cea4f3

SHA1
3e543096358ad767312e55bcbb257d1bd3c5e5f1

SHA256
7566276f4527d0a99b84846f7facdc4046750b53aeeadd4e08df8b70742d0518

SHA512
ecdbcb25f2d2ed1a1e4e24ec12dd5c5d1838d7093dfce7badf2e1e7f81cdec52667eecab8ae0e78b6c5c12f70e933486c56c285fea709dc08c040c15169471ef

Download Submit
C:\Windows\SysWOW64\Ccqhdmbc.exe

Filesize
73KB

MD5
0c6d5018c5fbba1fda61213aba4cae1f

SHA1
38d6ddc87a8c3bf212683f8cacb2088f5c186664

SHA256
8c988c0a4e1af84445a3a08febd3711838c3dcf988c45cb01573d25db9ff2cfb

SHA512
141eb7343376204afc1a6dd473f0894192736a43e61da5ad210e9c98ba3cce30281b35e7bf5bba678635b43352cc83d4b91d75292a869e17e425dda0affd69f5

Download Submit
C:\Windows\SysWOW64\Cdpdnpif.exe

Filesize
73KB

MD5
e90648f213a3833ece1f3233a6e0e09d

SHA1
e3feced6c33b9cf2774b6e930e808f9cc1f0fde6

SHA256
8008a847261cdbac4a9c379a0125606b86d23b8b8ed28a6012d7a38190de5073

SHA512
d9e707d1c064464b0f68401a6dc9a2be9f037426756e9ac56428402fc7363e4102a802b1fe4813ea19bc8997918217066d1185493e79ee42206a8718ef924256

Download Submit
C:\Windows\SysWOW64\Cfcmlg32.exe

Filesize
73KB

MD5
e7ac80413e2bc93114b8ab91a5b7f8bb

SHA1
22fefdaadad1831633c85750c28c4c506c906770

SHA256
be235090ac5f0197b90bd13f0783bfd90fdbd750cfd58cf9faad0705a7837558

SHA512
fd99bb2d2aed01d876d1521e32949da1d8a7af2f92573d183188fae1c121c2696e2163ef3f06072f60110d4e7c4b17dcda2cf3b9a5d248441840f707ff678fb4

Download Submit
C:\Windows\SysWOW64\Cjjpag32.exe

Filesize
73KB

MD5
319dabccc567b8b648098ef359519394

SHA1
7c00525ea763aefdd89eaeda4f4633916598048b

SHA256
672112f4659054af5e91dad74f658a04190f5a23fa988fce9564619a33151701

SHA512
8f3988ef09ff60d559dfbe487ac066aec20b539d3f13fcca38801f231a24f1ba557483b622de229c0686e34c9ede077e106d942dc9b7140f4f2e937579c3ad62

Download Submit
C:\Windows\SysWOW64\Ckecpjdh.exe

Filesize
73KB

MD5
59fb995f373a2794ebb2a461b8f8cd15

SHA1
c1ed7434c76a9ca94d89c905362f3edd95b1360e

SHA256
13bbd6480fba12c80f6dc2bf617fa0a552811c066880c04cb881bdbbe54f5ac2

SHA512
2c62e3a54ab5282bdb1665148f5a664612f618c5a2b4c24b4e36527c4ae4fb7433f6c70f69141de9a82bca37c853bf58da38a6e59adb903b40e46285ef9989e7

Download Submit
C:\Windows\SysWOW64\Clkicbfa.exe

Filesize
73KB

MD5
8522ec1d6923da7bfbd17d9dbd4ca56e

SHA1
8a9e772b62fe1eaac58b2501b3522b0399a368fc

SHA256
247c17f97673882117887f2bc0745403674878c19a2ec0adc8a8e8ccdeb5f790

SHA512
47ac5c0adfd8cb822f557a8feac370773a8737b41503976b68c0bc0339b346afffb20bb8301ec1fe53e639407abe0038ae495fb65a9a478521d02529a558ba05

Download Submit
C:\Windows\SysWOW64\Cnabffeo.exe

Filesize
73KB

MD5
a7eb57e68148d8187512296a143200a2

SHA1
777b8914cac10fe3430975524665d10b3a08f40d

SHA256
a95697fbd49558bd0e32508b0776ab925e7c97e4323c9b82ee2c6d8de5e79f84

SHA512
5f812e5c5b1066ee5388f2fa32d49b14cd1848db22fbe3f3d5cda72f32d6ade3a32d0cc3be67dcb21be3d28421cefdfdf595197c78efc8ac1c50244c2a5ee59b

Download Submit
C:\Windows\SysWOW64\Coladm32.exe

Filesize
73KB

MD5
f925be560a563d559bea051f235085ba

SHA1
48d24aa8d578fc0f25a175323db50a67dcadaecd

SHA256
333ff87c39548ddba6742cfb916a644d6680ce979344c375ce42abf63cd909e7

SHA512
4866a1cd1624ed017bcd43be6aed0fd83803828cd6cd6ba4850af18e541d571bfc9ba7737f7389bf9c3a72e4f8c9736cb758704816041f3bfa7a3901e5bdf1c4

Download Submit
C:\Windows\SysWOW64\Cppobaeb.exe

Filesize
73KB

MD5
e84666ba96831ee71314f78e76d16d5a

SHA1
18af1472054f0943a977702cfb96e4b6af739d23

SHA256
16981f7baf1e51a1d38ca0f67780780fced934a97732059729e8add6c5b01bc9

SHA512
3b171f744eb8647af820960863a578ca47a6519d3f7290eb5872f346bce47ac222dd0e67058dc72a3dc6352bff74a4503ad1b678f23b2ac2ff37b2f4a6d9d80b

Download Submit
C:\Windows\SysWOW64\Ddbmcb32.exe

Filesize
73KB

MD5
ca0422c05bdf603c70cb4f9884030e05

SHA1
55676163cc617f5f9f17c6823579f9814053d665

SHA256
0e26de6d3d36d21e05c4a3375ca6b162a31268c826904c3b1a4a53da3a4fd2ea

SHA512
d84022cc397dda1773d82178c5a67acdc97934050b03e6fab7dcc991e69c37352750a5413439c16b88b8e035e4b79459868e5f72c5ebfe1bb002e4a11562348b

Download Submit
C:\Windows\SysWOW64\Ddmchcnd.exe

Filesize
73KB

MD5
d3b699f22943133ceb598db91d821c1d

SHA1
4abea2b608f547244e5a46aa36b41c77becd8951

SHA256
935b0b2ffbb392cada623064b481397d3dd7c5a35eb1e72e9a0d1e9d9c9b4623

SHA512
87dd78dadb2f78137da294290c644ba39ee8bd41ff6f0b1a50b37f2850b50a5773a9f7e3ee13b65e26bbfc66504d707b3289e0371f825c050dd9d2d84f6c8a8f

Download Submit
C:\Windows\SysWOW64\Dfhgggim.exe

Filesize
73KB

MD5
07aed7541d68fc1d5dcf88d8ea40e848

SHA1
c56012bde6ad682ee1a99b14eed46c759aa2caad

SHA256
7c716ec677398f3a7a9d7e55852b31186c59c7efd3b6d3308e1fae8259cb064d

SHA512
d8d6b146e62ea28ec45afdf70126bdd22131871f76586d2fd9bcba12f72a7f2e83b3e2e43114ea31b326a5b510c5e7a2513818d03c8dc184244a37a6f06c0b1b

Download Submit
C:\Windows\SysWOW64\Dhklna32.exe

Filesize
73KB

MD5
d7e63a7e930f88df4b401ff1a94d40fe

SHA1
ff27e63161f40363cfe5dac00cc318f0d74451ba

SHA256
5c644073f8f3af2d0e15e6c9c3f72486d4831c5cbc85d6247234722888f3aaf6

SHA512
f64cfe788adbf8cbfdaf7a0601505c96e9cfd2e0b10ddb12c38b449cdf36c089e6b442a1191bc8a7969d04b17637b555ab66cca6244da716bd6985d81bb37d24

Download Submit
C:\Windows\SysWOW64\Dkbbinig.exe

Filesize
73KB

MD5
8638013c109c846a25b29d32de1afd71

SHA1
909544feececc8c5f3bee9e64427049a8082b8be

SHA256
15c66c5b498788b6f9a1b78af25f7867b918d5cb13eba7551fb7dcb9b6e9787e

SHA512
505eb5b5fcbfa1aef4dd610a962bdd9adad311f0b6d2e78e7ca24e315897bc820d9288c70a2985c02aac3c2a1f6223d17f6e909816c8fcf3ce5f9134b0c61556

Download Submit
C:\Windows\SysWOW64\Dnckki32.exe

Filesize
73KB

MD5
679f2dbd7e0a850d004820020754f54b

SHA1
c7d4772f43a8d7e2203ddabfa4405b4ac87f2d18

SHA256
572383ce45489110e0dc899b137e66ca6df41b3a91564056f0a1f4dba71ab5c8

SHA512
1aff79fdeb9191904a71f67166397dad10d913569ca406df38ce4445caaf805c1887a05766be56326ca4ad62d36b578174baec58293b6a0cf8379c3412564ade

Download Submit
C:\Windows\SysWOW64\Dnfhqi32.exe

Filesize
73KB

MD5
b5170c040f829a06fe826eae021dfc1c

SHA1
fdf59120b69c944c7de44e4be5829b0806e4a23f

SHA256
b44a35e938eef1e3d086a38524756ba28c179e2dbf142e341145864424fb4224

SHA512
9a8eb44e7bac9fb7de6d41cfe930e23173dac1a41f0b5c2b8e76ff97589a39358dd8e689076c4d588fc0c63f2aeabc80f146f2077163d31c42b826ad7363555a

Download Submit
C:\Windows\SysWOW64\Dnhefh32.exe

Filesize
73KB

MD5
c22c0029b39c4811c79bca8994d756ea

SHA1
69d40a0e969791efe25276719bc2df737c8f888f

SHA256
26165f250d31fb00d9aa32c3536210165b920a608e8062520fad4e920a2d1b1f

SHA512
cd1012a7265a7c39a2e323e162ae774471e4e329b6ed8f49841951953d4b488471d846555d65dc63b5621d257bd2f1d98144930ce54556e5edc5c842c8231716

Download Submit
C:\Windows\SysWOW64\Dnjalhpp.exe

Filesize
73KB

MD5
ee34d785ecd6aaff4fb2c9f9df16e4a6

SHA1
41529d55e379ffe5052dd77a98c8f53875ec0c54

SHA256
5df4595e2bd75aa34244bcef235d060dc3ea641be167bb4f1d898290628289cc

SHA512
94ff41956632d0089651d31c0325a0feda53f68f40bfefb1060f27a018ffa30b54cf4b7abde4df661dbe5b6530b7dcb7011a2e5d9b8d93e08e803569b02fa4b1

Download Submit
C:\Windows\SysWOW64\Ecgjdong.exe

Filesize
73KB

MD5
de37853aeefe3ae46c898b82fe87cb6e

SHA1
802aa23a51689ce6d451306a7c4abc852b7a795b

SHA256
79cad9f8d341791de6624f521a908f603ec692a0478c14787c49191060118716

SHA512
7be185eafb57a2be0f1660a07ae35e3d30bfbf5d0150511de0f361721a8b077dbdd8f4c8f60d2850d1af67dd1be3cd71fa172f2bb47d94df22a8193c094c38ab

Download Submit
C:\Windows\SysWOW64\Efmlqigc.exe

Filesize
73KB

MD5
e262f58f45094492c5908e9b7c2c457c

SHA1
1b1784cb9cbd39f937b9d93abb5e9aee2149bb99

SHA256
76e9038bb4518ea1b2910dc26512d1be97e728505db18d8831ee9ef9392f17d7

SHA512
72110e2cfc3cc9bf749b0e59829640113f1d30b637743882c3a549335ea80ab37283df9ff0c4cdac270dcae16d4ff7372910532b6afaa190a7c613a187c1d89f

Download Submit
C:\Windows\SysWOW64\Efoifiep.exe

Filesize
73KB

MD5
484c88d799cc186af447265a9fef845e

SHA1
ccccdbfaf8316da7b6faa343ba69833a3557143a

SHA256
568a9ebae4e5c98c09534c5d64bb19d95b5fd869c1308ee29bb28f127aeb5f2d

SHA512
5078150f2d5f2b8c57a6f9f96eb262911ffa4dd87b66a08343b6695abc96fe62292cd0570db14f2745240a0c6a57ca7043e6d1c17d1448cbcb4b18ac54a0f684

Download Submit
C:\Windows\SysWOW64\Egebjmdn.exe

Filesize
73KB

MD5
e2eabd87ca7ae2068db2e5dc471d31aa

SHA1
f0a8985a0457d4887153de1affa8bab5898d83ab

SHA256
9e93c4e5d4692008bd54de0a7eb8fdabb6a31925b13246ee6ab0a3418727c3ce

SHA512
930725ef7ff1c64a7a36f3eaf72fac06e2a3996efbec0564049e5c36f68911d9f97a132143d4e682f369421dc891afd8503c0ac6f545d94f559f51549f5fd4f8

Download Submit
C:\Windows\SysWOW64\Egpena32.exe

Filesize
73KB

MD5
a60bdc9f44eaa79599df6aa7b622a57f

SHA1
f7f874a5948c37d8014bd3a91a9f0840afb28185

SHA256
b7c3ae662c433ce8bbf0a064d6a76edc1a848771897bce0dac68b98f091cceb3

SHA512
8f648ea2910966c46557b252b1dedc40eb30a5330adbf106bf4369f6bd4386e087a6cc559f309aca432c41d8de14c2d3f343aec17d0a9d8cfd8ad3cacee67f0d

Download Submit
C:\Windows\SysWOW64\Ejcofica.exe

Filesize
73KB

MD5
2cad98adb962f2d58ed94cdc3ac85e79

SHA1
0883751815b655bdb336ffa5220596a9cab901dc

SHA256
ad95cbc57c2e1109d5ecfc28e2dd3692fbac148d6475d5c542676db7baac75c5

SHA512
0902bacc935a9cac83155b5b6a7f0733f1ccd0d221663676f02711142308d06ce6eb77f3059bbc4aee5e02ed729aba8cbb9655f5652119037ac134be63044039

Download Submit
C:\Windows\SysWOW64\Ejfllhao.exe

Filesize
73KB

MD5
9e248eb270dd608d8e9f62dfe65bbacc

SHA1
fa0ee2ed5694dcff4c42434192b7f22d3a463cab

SHA256
0803e178bba559ca31cbc1d11458fc7661c2d844b22cf160f0b517d94f8e4982

SHA512
ff7df2daefd933e4c22e0b482d58b44b195f3a1487e986df44e5a753396a3abe9cb09046c761d7f3673bc84c4b9a79810c20aa84f9084e6829e5935134ddbcb4

Download Submit
C:\Windows\SysWOW64\Emgdmc32.exe

Filesize
73KB

MD5
a3a2f61b66ab8bfac69d08436b4a4d70

SHA1
2443db0c34de8913258cdacb4df97c31985d35f2

SHA256
f142a8d557949f70f2d42af72bea2b6c8ba35dcb1956100e01d302f74c3ec260

SHA512
6e46c06241e81a0cc58ad693854afb1e08d4a707d9d4c77adfe7c3e3d2067225b3e026793ac11b72ba420ced59a0e5e9e4d281a1f9ce7842a82897be0bd2beb2

Download Submit
C:\Windows\SysWOW64\Epcddopf.exe

Filesize
73KB

MD5
11ad765a50279aa798d505e3a3bd63b7

SHA1
b2c5fa0178c43c1347f9baf808d5ea27d369d4f6

SHA256
33f3c94c8bd4669ca9240a031ad4d467444c32b43af2a6c69dd3aceab2e409e5

SHA512
28c8996e7b290b0d478232f67b1803fc0c629b15534d34ceece93fb474038e4d010507da058954ff1dce682331112a5170450250cd4b6e93498fe690f4080e7a

Download Submit
C:\Windows\SysWOW64\Epqgopbi.exe

Filesize
73KB

MD5
f716b23000f7733484106476475337de

SHA1
76815de08be98f984b699a40d82a400007015b54

SHA256
ab0a9a07835bf027d6d9ac8bdd4f33d5e20509422fe74e32dfbaeb5ec8d1bd16

SHA512
6d4c6c921a6784c29486597eefd2fdf91fda2820b3ea1c14d7d3004e867626448dcfc8d26f2480e03ba9d88b5c9633087dca57d9eb7eb458acc897284ad6ad9c

Download Submit
C:\Windows\SysWOW64\Eqkjmcmq.exe

Filesize
73KB

MD5
8606fa7efb44c7dd6dbe56924a91d997

SHA1
fe4018acf22560681ee46ee6c24b5d7e5951c938

SHA256
a1f750bdcdc2acdbfffbe2a044a531fe6b34c78ec811b458d4c8968ce1c58176

SHA512
6af39de0a03f73d35ba0f5f41f91117a8cbbda016ce68cadcbd5c32d9467779777f77f5437598d9b38cec841919c28644448507805aa667d334fb4e1c0edb7eb

Download Submit
C:\Windows\SysWOW64\Fbfjkj32.exe

Filesize
73KB

MD5
0fe395b430dc30c67cf3abe5db9898a8

SHA1
ad2a287626c84bdf295be6259122f699105a29f4

SHA256
c0a90705718c9b0945f19f338f743b31ef1f7f24746a7acc6040ac11ea52302b

SHA512
32eae11b6318b274394bfc03ba00bec65a5ba61e4be3d1a0891a642df4017bfd47c0890f56e7d87b1990e6bbb380f50a6d581c6438291752b759d7a528805ee7

Download Submit
C:\Windows\SysWOW64\Flnndp32.exe

Filesize
73KB

MD5
4e3eb931394b4c0f9704d4f2dfe82183

SHA1
036dc501a21f90b6037d09f94b6f2dbea6625aff

SHA256
19f7a434383f9c6ecbe9d22059f342ee59caa3ab3775bc344262c902692d11a9

SHA512
6bda84cca0f5e9083eddae0487b4ece4ce476497946830929fe59999c861433ddcd4587b82958b2791ccfa9c1da5334df99f6e956a460528f5a000d3f4521f25

Download Submit
C:\Windows\SysWOW64\Jgpndg32.exe

Filesize
73KB

MD5
31c3b8044a228e84681d480696c71266

SHA1
b82a7bfc0c5529c7180fe8050c784d7323a5bdbb

SHA256
8ac552942013f386c6a7297950714f28b0161da737557a4a08ae7dbff7825a13

SHA512
50fd8fd0a441496b1045f5face72e77af61939617925f50bc5cfa724f3af5b47f79f20724415466807fd26f668daa96be47a6b6f253730cbd4852e77c05b8320

Download Submit
C:\Windows\SysWOW64\Jkimpfmg.exe

Filesize
73KB

MD5
bc415f82bcbe6fada4ab8f3473e5ddab

SHA1
1c26fd2c93a0909ab3d0804bb21af64499682893

SHA256
6ded2d5b3ff6c7b4a7b9a6ff2d940e02264a0d4a7c64e3dd4719d6edcccf5a18

SHA512
1f381f3794022058548f2825e6f8947816cd5cc226019f1b74961763205f0fe41082342eff18c0c1e5a94a6c0c89778cf7539c6971430c7d0318ff612e7d5ef1

Download Submit
C:\Windows\SysWOW64\Kmclmm32.exe

Filesize
73KB

MD5
70478b11464764c386d8192e9fd428c9

SHA1
9402620d3efaf02f9396e1b6322ddefaa7a3a3bd

SHA256
8ded18310d73b85022fa708e0856dfbcf1e020237076d099b2c5946af8506291

SHA512
83cd4320df053aca43804c4842aa086a1141b53e33f9e5657c99aaea81a7f204d4c71d4997628fc9a98f71277ec3cd4455bcb6eae4fb552a173a2d288aaaf198

Download Submit
C:\Windows\SysWOW64\Lijiaabk.exe

Filesize
73KB

MD5
1d770632baa211f25b12b91607b9e87e

SHA1
cff3737ada7bf69b12f0b39160a8a8896d036075

SHA256
79c8cded3547989af7b0ad446b8a86057e3a61afac770d2d7c88beec1f746ba0

SHA512
32381fa4c25218a74bb1a2b72ab38dfa693319616e1520c2a60cdb6ae00682e372ef0b4bbffd211da587cf0073570f9a5485ab588bb6d8371291d9497fa0c401

Download Submit
C:\Windows\SysWOW64\Maoalb32.exe

Filesize
73KB

MD5
bacd3a9953e9f26bb7c28fd13e63138e

SHA1
a0339ca80c1260654d104e8f274c476935b00de1

SHA256
072a36e10ff2ae684558cd2c4f88b59fa94f77c89cb4b20b6f0612d5f5522c55

SHA512
1087e63c13c663479dfe72578b4c6a99908057bb58b4f4758c0553c4bab08b707f2be21004ff05e61be991f340679dd146469e2511951212f81eb67b461f74fe

Download Submit
C:\Windows\SysWOW64\Meljbqna.exe

Filesize
73KB

MD5
1843428a3c6adfb9bdff01b67316d870

SHA1
efc409646eca50d9a43a7cb6eccc194ed42388ca

SHA256
f0bc2baf700c285d8dc9b9847a0bdc30b39982884a77e0bb57f9b5275bd714bc

SHA512
87a771202e0169c3135f66457d99d50c5e7c7aee29c674f18feb121675585e567a0e4880a2f4d90f65cbafc2aa4a6a2651515e22448237e93b5d59c81bd9ce9b

Download Submit
C:\Windows\SysWOW64\Mhdpnm32.exe

Filesize
73KB

MD5
72c9c35f00737cb80efa7063e40b145f

SHA1
0bc21ba5f324160a1449d646eebfc88c9d1452ec

SHA256
74a547e7493c43a6642a2cd485a95ecd9d67c2c4ed1f789a7dd9d6142773a45a

SHA512
be6675dbbb91d5037657df4ed6fb8dcd7832ee3ef49a90ef63c6d61c60ecb48e6d6034251bc7844ffab79717e1ee02ab9eab870bad8399a82a3cefa2e660dfee

Download Submit
C:\Windows\SysWOW64\Mlahdkjc.exe

Filesize
73KB

MD5
c1ad9bb5f6335090c4a7e874a2eab5d5

SHA1
19436ce3d7f59d84e8aa7a4e487bb80890cf9ddb

SHA256
ec34b13493fb8aea93bc956bd40e86e3ddef6a57948a9d7e7a68be88bf8ea95e

SHA512
fef95609e1beac8d36abb61099c6428c7e5bc78e2108831e408a830b571e7da5b34751b1caab71229633e9d42ceb2da8cbe57173f5cd6f98a8927a290f37d2f5

Download Submit
C:\Windows\SysWOW64\Moenkf32.exe

Filesize
73KB

MD5
741df607cbb85850fe7db7a0ce23e366

SHA1
c62ddfce6b5904a9255a4d3cd002d15159f42826

SHA256
379f2d5aaf4698f7775ea2ae2f69c9a753e03c490007d4ed09180e377c6a6f7c

SHA512
d8db8d6699cb623c768fd70996526979dc910db4a7cad15f941f5f8971588d6307f92356ce0acee2b9d9cf47711654a3aa81f47f491a4a4a70621f3dfe6372ed

Download Submit
C:\Windows\SysWOW64\Ndfpnl32.exe

Filesize
73KB

MD5
136af324c0ac452deb8b1aa99a4771a5

SHA1
6433cbf1b702f7f866d145cfe0ebac7ae8f850ae

SHA256
8a2b7c270eec30a6a0bed18b9300cc9c6d56234f3e4ec5573ca345e23550f149

SHA512
c403462659b73f6f69fe2bbd8a4d2b9e704ed706f67735c428c18a91f7dd3dc334f46e71ad8d16c487ca5555a444521ae4bda9c9f6c0d2a1bc26f491b26eee7e

Download Submit
C:\Windows\SysWOW64\Nfglfdeb.exe

Filesize
73KB

MD5
6d9066e82ff2cc7aa34c2a8c94fd4da8

SHA1
bec27eab91616bd03f86d36ea5dc2c5487bcbaaf

SHA256
2bbeb3a53f884c5b4f1f63eaa741c17298928372bef601d67d3131b8692ddbea

SHA512
c6d8b769ec38d1edf1d535a24a74ebfae601886efa37bb00845bd618a42155f69f3d9d1689b6d9bf91aff202455bfbefc1f4a51cc11735e2a0ff4841c60e4375

Download Submit
C:\Windows\SysWOW64\Njeelc32.exe

Filesize
73KB

MD5
6a5f308b1ead90bc40092dc7b78262ab

SHA1
ab8b9235cb5ce4c92fd882f5dbe983d2b4a36c02

SHA256
916729cec834330f5d7193d87f07a9218f1da568b77b510f8b8caf52e5a2fb91

SHA512
cf5e21597788fb49800616d44413ee978b6faa07d0a17704cba841781cf9d7511a78c6ccc57224cc9d4bd8ddbf899020e76aa12c18be55e5ea3a1c14e980b32c

Download Submit
C:\Windows\SysWOW64\Njnokdaq.exe

Filesize
73KB

MD5
deb0035a0c1f8b90d59530146318c735

SHA1
a212b76d83e94d6c7a3ceca641bc1585def591df

SHA256
8d48875b729a2a396d094423cd051cede9f994732ccf2077896b75aa3db9a9bc

SHA512
4c9b18c23cf5d6e15769bf8538b65991a16ddf48e6b0a5cfb1cb907a5b7e3acef607fd534a0bffd6dc383980106a1fb10fb7484f2669c30652ba3e2a46be9821

Download Submit
C:\Windows\SysWOW64\Nknkeg32.exe

Filesize
73KB

MD5
34ef2e505267ded7583d012294d94248

SHA1
90ab0f2335fe5f27a13b214b589c9879b204b0ed

SHA256
6a22be199b0f68f470a26fd544de3f34a8036810a07d9a2df7bf53a1661d836c

SHA512
a65a337599316f6a0ce5206726d063155de3ee4340938e5634315f083ed2f5beacd05f20805187cd0955620cc6f208bda5e80c45d80e20c4faa43e75cd0c11d4

Download Submit
C:\Windows\SysWOW64\Nobndj32.exe

Filesize
73KB

MD5
6ae851071526969647e6c29a7d4a3fa4

SHA1
a8b83ffc541479ff7664cb64046d66a89c4074d5

SHA256
041354782f0c7fb835b64239a1fc65117ad6fdbb0aba0a45a884adf36ef09666

SHA512
3290ea9eff6ecbf481bffaea626982ab491206db85f5759b07960ffd8bd2637e3b21b1c48c4a582ca9e1e393fe7e0b18612a7380f46444af801671e1c49faa5e

Download Submit
C:\Windows\SysWOW64\Oehicoom.exe

Filesize
73KB

MD5
c9b7f18a1160a2d14b8cc6792de4fedb

SHA1
9defe96927c7e994dd488259afbe744acfc50de8

SHA256
ce69c0e5dae29f3e1f6fc232f4c023c0d72b0cdf63f6e00146e2c4f930f740b5

SHA512
7bf722e2d769a0a36c97ffaab119c81c424ac4899eaf11a832be8686c03fd4c24caee3271ad0491a9971936eda54d7c48f667120c306c638ba00f7d545227a4f

Download Submit
C:\Windows\SysWOW64\Ogbldk32.exe

Filesize
73KB

MD5
7482c9d8d7e4398f4de5e91a195db5bb

SHA1
b23630512056f55c97ecc7853dc57574653775e8

SHA256
6da9b5ea49ebd07ee067e1a9a4809447b6e949023322ca3dd088dcc9728f01a9

SHA512
ca76fd2073e9c2fbed3d6958807b700c603bf5fe4e3542012bbb7b49276516a5085bc0b15664d3753ef4a8077e32c6de4337404904c62ad121fb59f014d54996

Download Submit
C:\Windows\SysWOW64\Okbapi32.exe

Filesize
73KB

MD5
0fce2eab453d80625b54b5090a1fe6ed

SHA1
94aeb9c22140e52a4640ed3e9596a5a04cfa6cf8

SHA256
2c5e53f24565af483550418a64b78effdd89adff9b74c074ad614f642c593b58

SHA512
4742986ac8d8a9566e3111609e46326ccd79c192d701e3e3f9428f06320a7a3217ef73e969e61325fc65deb8258c8e6a7030f57430a863753d2175de958849eb

Download Submit
C:\Windows\SysWOW64\Omcngamh.exe

Filesize
73KB

MD5
d14800b8339694452b2b17f93cc50a67

SHA1
7e5bfebf72701059c1aa1f05814723404f84af9e

SHA256
5b424608e448d4356f38e02c13fc25c8195f76e66e63234aa94b523b8fe5fa87

SHA512
9442e8a4142c43d532f87044aeedf6765a657dbe9a6064809398bde57a7471a17222b73605ae60d3a428c7831581c6e3c5d082e0947e9c2ab487bfef192ece50

Download Submit
C:\Windows\SysWOW64\Omhkcnfg.exe

Filesize
73KB

MD5
a60bef544ff5357d1c46153edc3bada5

SHA1
412786d3a9e922e2f62e0359a0e0a70324643798

SHA256
fbe8446cfa80ce290d32df514f42ae334d9a3b68991a73f1e0048c4672a73c30

SHA512
10b099cc8245247be96c85f11fb794c113007568f4e17fa3cbf4f381169e2f9fa65a3601625a6daffa39f42b75c5429042bf7546b4a23ec17bc6cad273af2119

Download Submit
C:\Windows\SysWOW64\Onldqejb.exe

Filesize
73KB

MD5
f52db91527eae64dfe33829b2ca2d924

SHA1
81624638d913ded8ff3e3e579295f98e3fcfbb0b

SHA256
adcacd627153c2b17905759d6c092af7899c36ad04394d0cb42f03d3d49304d1

SHA512
c8d77343bb5a39ea91f18771f480692fa00f8f2227366686fdd574fa2b61028658eeb03454bdbd778a6f0755d792833cf037bb11cc5129622d97750f8dbf128d

Download Submit
C:\Windows\SysWOW64\Oodjjign.exe

Filesize
73KB

MD5
747df3ad23b4e29a01ffb7e131ad1032

SHA1
6cb751061c7caa7aeaa8f7f67d40edb2cf3d9033

SHA256
5ea76db396326642daaad2020d708335893092473efd5b8f92718cc08ddcc9e6

SHA512
ce076440cc70ee913d24fd33efdb8d94212aa6f1658d7fd11c8006780a6ec30edcf9e44d4126a25610d6ddfd9245904df4fea34b0a46c03519e55bf4df4e9152

Download Submit
C:\Windows\SysWOW64\Pcdldknm.exe

Filesize
73KB

MD5
17900a64503e962e6938f3908f45610b

SHA1
5f6577f463b0afdda0b285ce2cb7859906ca2643

SHA256
c99d2cd9f3f68052ea6eda0d903951da83ccad47b70202cb9951b75434305a7a

SHA512
86f9d42db5b130c4712589452c59c128c2615999f4695897c00d40a1cdcc0cbbde683a13e63d8c374a7ee1caf43b61727cc291e804d9fa1ac35acdd7b5ce2867

Download Submit
C:\Windows\SysWOW64\Piadma32.exe

Filesize
73KB

MD5
ed8a63e87de8409c5552a5bbd72c5b2c

SHA1
cf7d7e1bc2b5bc42f653d432f5489e37f9e04473

SHA256
11215d65079c59a5f2556a466c69340f1db52ac8ac4faa248513371490a10869

SHA512
179b6439eb139a731de761dca224074b02f1896c75c866315b7b4b014cf76fd40a959c35c784f27b7d5977f0c280e85d7c1e91d20da8a3cf3b124c13c5bf978c

Download Submit
C:\Windows\SysWOW64\Pidaba32.exe

Filesize
73KB

MD5
2a68cb1326e20cc5dfe53b78a1ff72b6

SHA1
8d169eff61faaea0b16401a718789c6e7e745a1c

SHA256
c7d2c01d5cfeaeeed673115ea22f6b4f700eb52901edee7532b03f310d363945

SHA512
1cb344442df26f8957a60dec0f36ddfb53bc34bac6e447aa800d09c263c11b8513e3e2cf9e003ad9a5cba96e6282f7dd2e68c8e82575d5ed6c15f8bd7e556805

Download Submit
C:\Windows\SysWOW64\Pjjkfe32.exe

Filesize
73KB

MD5
48da090dc2148c49d2221026971fb123

SHA1
2841e8615bb9e1b6c17d8c0594e008535c7e6050

SHA256
68c65fb173e1ff19a37dd6cc284d1466ad7ebca8dd943aaf850ea03bced02f53

SHA512
a6a0e7ed1ee09061e03ae812f451f1ed6beeef542eedc2ec71ca2df07583f6c12f91c9daed8b938f165daea0c4de762846ebf6a47a8954bc0db1f9b9815b8e11

Download Submit
C:\Windows\SysWOW64\Plndcmmj.exe

Filesize
73KB

MD5
bf63735276e0fc0f706ec745c698621f

SHA1
78cc3f1d257f9cbaa1569c9090a25cf395b56515

SHA256
7564470433acedaa040bb7978eeba430af767149eac775a42c4225aec32e9fa4

SHA512
6677114e422ac2f850914c1f299e2927eae60dc932ba14e53b6216e7d58770a6565cd21d799d52f7dc56835c2261f643dd8228887521486d4fe42695875c44d3

Download Submit
C:\Windows\SysWOW64\Qekbgbpf.exe

Filesize
73KB

MD5
822ce83a962547b62e061bee19494e04

SHA1
1a421f91803d1b5a8aa074aeff74f493bb65df16

SHA256
28634126c6e39eff3c85201bfa74fe21f3ab297e8fe07f293c45bafab0cbf56b

SHA512
7fc764727442e6f848799c95de3f528ee087e5c847b78682911d75339a3bde7a083bc1445864001d29aa28118071aadaf7af3ada3d88a2ac06386653952f1e12

Download Submit
C:\Windows\SysWOW64\Qjgjpi32.exe

Filesize
73KB

MD5
f061e8b4bde1acf82bb591c7d8d4368d

SHA1
9ec5ded123015af044b50968a175f49b9fd74515

SHA256
218f30a340f782d83c3674eee445cc940225e6fbce07fa4e763cbbe0cd419539

SHA512
fa6a66abd34c538082aaa443ff8d9c6e1ef11e541fb1884791d3cf6dc55a784d1ea3f1b17a8ff52f658a509bcff754a31069a19b589fef32e5817f4b86041318

Download Submit
C:\Windows\SysWOW64\Qnqjkh32.exe

Filesize
73KB

MD5
45760e54b843e105350c7228310ec95a

SHA1
a19805368aada66de80e6cd8ac272c587d60bd41

SHA256
eb781701acb05d9ad536fbc2531c1d746ea3d6ff9d3347aebdecdd4101e7ab5c

SHA512
f54e04d666da040938a2f54385a359467f858504ab737c63d3a69a8ec0c97a838915a8c302aeb5c4a32287e6fa6cbf8ea1feaf1b1fb82deaa112f353dc516012

Download Submit
\Windows\SysWOW64\Jacibm32.exe

Filesize
73KB

MD5
f86f5888aaa8502e739c10a51d49199c

SHA1
a4aa149ebf28ad54db0a425952ee27972a327da5

SHA256
e56e10d3ece56f7d14804546a405ce0696285ef6db82e1bca361454cce2ba726

SHA512
a228a1a294323f0b65e7bd5be29aa08f43726d8ccfc375787f60f68402614e45f984782cc38d79885aa5563d6b6224cf17e0a378b34d13c6c8a6d0f1224b001e

Download Submit
\Windows\SysWOW64\Jajocl32.exe

Filesize
73KB

MD5
da9160c14bd56293664b8d220cd4b628

SHA1
2c48a3e983e11faf4f910470bc465a2faba638ce

SHA256
016257cc285cd7ca241745c4c9d52b5d44040db87764466bb8455373ce55a33a

SHA512
34be7bd03f3a87a8a38e75a636a02cb065ec284cd9f6dc554330246f5377069628307dbe8c95df5ed003e0dbbe37c8a6abd14ebc56a3e75c648c93c56de76ff8

Download Submit
\Windows\SysWOW64\Jjnjqb32.exe

Filesize
73KB

MD5
3fe526fdbf47248f48e1a7f49ba440a6

SHA1
d20e76778ed345d51a45d6710dd47127d3b927fd

SHA256
d1b906b209c7e584971d7fc5b07ef41a381af00716de3d6f77e8a219b4233434

SHA512
48f582bed758e973730759e930e4f1161d066002637a0d4203aeca7dc3963a953bfd4bc19d552ebcfa12e77f779140694917a4f8c87a6b74ff5afdd4adc7a87f

Download Submit
\Windows\SysWOW64\Kgdgpfnf.exe

Filesize
73KB

MD5
28015daa7a5180d3df9d5f32d9e5ad00

SHA1
5051a88eccdad3495b696e9fd6fa9368622e2a45

SHA256
38135dd533648f1cb71f1e6922ba833aecbe29237c9fe85e176a4bd309815d74

SHA512
8322f9c0a8f2d3e095aa18f67b9ee3c48490a87823cdb6e37795efdca92d275688f08ed69d4872499e67a7d66b4704055d5f88d33d9754092acc5c872eb38ce0

Download Submit
\Windows\SysWOW64\Khojcj32.exe

Filesize
73KB

MD5
6ea7470b5098c4584ffc0be17e3d5184

SHA1
d3c61fe6b73709d80e8e53350cf5bfe21dff6e78

SHA256
b6eaf045bbb4ad97acdb426c86978ad5fb4dd248a07ab9a3e08875fb31902e7d

SHA512
6242f0dd46bd81ec6f6bac0b4698b1db63b22763a56169cd056eee345d250fb5a004e9b11fedc322f323b5b2bceeafc0729e78785caa1fbba2b7b5f802010192

Download Submit
\Windows\SysWOW64\Kngekdnf.exe

Filesize
73KB

MD5
8c2b06d3c9e5b15aed6a3ae34d94ad8f

SHA1
0a1c895ad3e48d8d070f075f44991465e79d81dc

SHA256
7a3a6e0b046e26c586812da1664d62f59af7cc1e60b755040b57fbf28ff03fff

SHA512
e6b364677066c4c3223a3de86c7a501389cd545dce701ad3925c8a585afaf699194d7efe4366aefac3aae28992bd775e16a1f0825f9dde2416b66949dce0131c

Download Submit
\Windows\SysWOW64\Lbbnjgik.exe

Filesize
73KB

MD5
5240acfb502ed4ff4fff91fdbacccdfc

SHA1
9b6ee0eea5ac4f7898378a9c6e7d3c579da5c21b

SHA256
c19f010c713ae233cba9faf495fea47a8594779d8eefa13362cec52d43cc837c

SHA512
c6759f307229a3c7b8343e32f5650323fe791a2ae549ea971480a31aab881a982f210eb232a3cb0618932e090e2af39767d489ecb70bec2882c55b63098ed701

Download Submit
\Windows\SysWOW64\Lcdjpfgh.exe

Filesize
73KB

MD5
5235f8815d1cc9700090c30a5f159e2d

SHA1
13233b58b9031d61e77e90708db28f660f6d461b

SHA256
d17794d7a698a7f61f845096dd57d18c67c35b9960400cf589a59961fc4b40f9

SHA512
b1b2d93c7e9faff76fa75aa6dcc8624407bc7d8fed1ca7b1e53c005ec0bfd77ce774c40a50b8468230a97400e12582d89f287c4eddcc5a37a3c75c0cd0e3062e

Download Submit
\Windows\SysWOW64\Ldmaijdc.exe

Filesize
73KB

MD5
b2f63b64345661de0ec42629a8069e1f

SHA1
69a910ef5053c48cca827ed16834fe12ea821294

SHA256
ff2fc799e4e5ecd95371f51c9d57cbd138311429dbdeb2aac5e0cac6120fe8ab

SHA512
a85e365f60657d3eb3a8b957d3b8cba4b3862f0ef3fc2a4f97350e88cda96636c7da90a289cccc91be6adc9d874ea5dff2a6c97418c53574f5a9ab40b071c898

Download Submit
\Windows\SysWOW64\Lhdcojaa.exe

Filesize
73KB

MD5
b31ec8c88a4c6cedacdac022af2422ca

SHA1
1b5d68a4bbc39b176bbc6e353c503d0312cf27c7

SHA256
60876a85719b209080d8107d0d93d88cfaeab0ec7bf5b31a44655d247e8c49e4

SHA512
d712991448a88ef308d4e4fb14c21d14743d138886faf14f1f5661fe4435022a9dbc0be38df893b20dbfb87823df1119d29b4e60ec8e61ad4448cefeff8d64dc

Download Submit
\Windows\SysWOW64\Lkelpd32.exe

Filesize
73KB

MD5
16679cb004df0fa348c4a9b4f015ec1d

SHA1
b1846909044e1af05a130d8216c587916f48eaf2

SHA256
a4c8225399a38fe29101ae14534c6a761b910a7d9ae1cee2ee604b690a978c1a

SHA512
7ed1e904ebcf662263fdb1062ea63e6b1768ffd644ead545c33db6c7eb4885b253fe6cf5a2f6df4cbd137c58caa8d7509e5951e579e45198495a7669cccdf731

Download Submit
\Windows\SysWOW64\Lolofd32.exe

Filesize
73KB

MD5
1dd16a59486ac0a3ec39bafe1ab9fbb7

SHA1
60084fc4f38e0e4b67368f7027116d8d0c1a384b

SHA256
cf11e2d569a44efdf9bba1bf35a02d3aa3614c13f07389e91653f20b5d188766

SHA512
e05333d8574c753d4f2a806889c04cc9c2ea6d7e08c196560b92783b776543a26f820a3e87cd80ae4312467807885d39d3922203a8010ce5c93db08804278ce9

Download Submit
memory/316-235-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/520-463-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/524-169-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/524-172-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/860-295-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/860-300-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/860-301-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1012-125-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1056-12-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1056-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1056-419-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1056-13-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1056-410-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1084-146-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1084-138-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1092-454-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1092-444-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1092-453-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1268-495-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1292-399-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1292-398-0x0000000000230000-0x000000000026E000-memory.dmp

Filesize
248KB

Download
memory/1292-400-0x0000000000230000-0x000000000026E000-memory.dmp

Filesize
248KB

Download
memory/1488-270-0x00000000002A0000-0x00000000002DE000-memory.dmp

Filesize
248KB

Download
memory/1488-266-0x00000000002A0000-0x00000000002DE000-memory.dmp

Filesize
248KB

Download
memory/1488-260-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1680-82-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1680-77-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1680-76-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1692-113-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1760-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1760-411-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/1800-294-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1800-286-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1876-284-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1876-276-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1932-249-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1932-245-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1932-243-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1944-219-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1944-226-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/1948-212-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1948-205-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2060-430-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2180-250-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2180-259-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2188-477-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2188-468-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2216-352-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/2216-351-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2216-360-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/2260-428-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2260-423-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2260-418-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2284-203-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2344-489-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2344-494-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2388-191-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/2388-179-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2472-308-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2472-307-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2472-312-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2484-487-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2484-486-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2536-112-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/2536-105-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/2536-97-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-488-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-85-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2612-387-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2612-393-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2612-388-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2624-74-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2644-374-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2644-373-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2644-383-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2652-320-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2652-316-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2652-323-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2672-362-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2672-367-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download
memory/2672-366-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download
memory/2744-46-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2744-48-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2744-73-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2756-324-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2756-330-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2756-334-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2764-412-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2764-14-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2780-344-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2780-335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2780-349-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2800-443-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2828-45-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2828-27-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2828-434-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads