54b04d2ab9b3b14a5bb8933741721b6c96868a21e792b3ad4b2326c2f0e7cda5

Analysis

max time kernel
93s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 21:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

54b04d2ab9b3b14a5bb8933741721b6c96868a21e792b3ad4b2326c2f0e7cda5.exe
Size

136KB
MD5

ef0cb606081c95a07bd29ddb7a897120
SHA1

cb3036603818a8d28b5791b4149a982e28ae9093
SHA256

54b04d2ab9b3b14a5bb8933741721b6c96868a21e792b3ad4b2326c2f0e7cda5
SHA512

47c1cbe20c9b42c61a0454d6f29ee733b523dd04767e3995cd5c3c79c583e1c1ee6dbe22434688b330eccea7c3aad9df5bd35f8412d6cb52b795666339189a29
SSDEEP

3072:844FHVne+3GThyKSaRPXuhuXGQmVDeCyqOGbo92ynn:844FH6PXuapoaCPXbo92ynn

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mckemg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbjlfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpqiemge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe

Executes dropped EXE 64 IoCs

pid	Process
680	Kplpjn32.exe
1284	Lbjlfi32.exe
4828	Lffhfh32.exe
5028	Liddbc32.exe
3472	Lbmhlihl.exe
2108	Lekehdgp.exe
780	Lpqiemge.exe
1384	Ldleel32.exe
4944	Liimncmf.exe
3932	Lpcfkm32.exe
1584	Lgmngglp.exe
396	Lmgfda32.exe
4948	Lbdolh32.exe
4748	Mgagbf32.exe
3576	Mlopkm32.exe
2296	Mchhggno.exe
1792	Mmnldp32.exe
4048	Mckemg32.exe
544	Meiaib32.exe
3048	Mpoefk32.exe
992	Mcmabg32.exe
2484	Migjoaaf.exe
2068	Mlefklpj.exe
1604	Menjdbgj.exe
904	Mlhbal32.exe
4268	Nepgjaeg.exe
4192	Nljofl32.exe
4672	Ncdgcf32.exe
2312	Nnjlpo32.exe
2140	Ndcdmikd.exe
2336	Neeqea32.exe
1004	Npjebj32.exe
3584	Nfgmjqop.exe
1884	Njciko32.exe
2656	Nlaegk32.exe
4164	Ndhmhh32.exe
3924	Nggjdc32.exe
4916	Olcbmj32.exe
3488	Ocnjidkf.exe
1388	Oflgep32.exe
3192	Olfobjbg.exe
2856	Opakbi32.exe
4568	Oneklm32.exe
4632	Odocigqg.exe
4716	Ognpebpj.exe
4288	Onhhamgg.exe
1288	Odapnf32.exe
1476	Ojoign32.exe
4020	Oqhacgdh.exe
2680	Ogbipa32.exe
3400	Ojaelm32.exe
2636	Pdfjifjo.exe
1864	Pcijeb32.exe
768	Pmannhhj.exe
3384	Pclgkb32.exe
2768	Pfjcgn32.exe
4968	Pqpgdfnp.exe
2736	Pdkcde32.exe
4092	Pflplnlg.exe
508	Pncgmkmj.exe
4468	Pdmpje32.exe
3412	Pgllfp32.exe
444	Pjjhbl32.exe
2648	Pdpmpdbd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jjhijoaa.dll	Lgmngglp.exe
File created	C:\Windows\SysWOW64\Fdjlic32.dll	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Opakbi32.exe	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Liimncmf.exe	Ldleel32.exe
File opened for modification	C:\Windows\SysWOW64\Mlopkm32.exe	Mgagbf32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Mgagbf32.exe	Lbdolh32.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Bchdhnom.dll	Mlefklpj.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Lgmngglp.exe	Lpcfkm32.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Mcmabg32.exe	Mpoefk32.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Oneklm32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Mgagbf32.exe	Lbdolh32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Lpcfkm32.exe	Liimncmf.exe
File opened for modification	C:\Windows\SysWOW64\Lpcfkm32.exe	Liimncmf.exe
File opened for modification	C:\Windows\SysWOW64\Mmnldp32.exe	Mchhggno.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Lffhfh32.exe	Lbjlfi32.exe
File created	C:\Windows\SysWOW64\Eonefj32.dll	Mchhggno.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Hfligghk.dll	Njciko32.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Jlgbon32.dll	Lffhfh32.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Nlaegk32.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Oneklm32.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pclgkb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5984	5852	WerFault.exe	222

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplpjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lffhfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54b04d2ab9b3b14a5bb8933741721b6c96868a21e792b3ad4b2326c2f0e7cda5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlopkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmngglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchhggno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiecmmbf.dll"	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nniadn32.dll"	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjknp32.dll"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhaoapj.dll"	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibbmq32.dll"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjho32.dll"	Ndhmhh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 680	1564	54b04d2ab9b3b14a5bb8933741721b6c96868a21e792b3ad4b2326c2f0e7cda5.exe	82
PID 1564 wrote to memory of 680	1564	54b04d2ab9b3b14a5bb8933741721b6c96868a21e792b3ad4b2326c2f0e7cda5.exe	82
PID 1564 wrote to memory of 680	1564	54b04d2ab9b3b14a5bb8933741721b6c96868a21e792b3ad4b2326c2f0e7cda5.exe	82
PID 680 wrote to memory of 1284	680	Kplpjn32.exe	83
PID 680 wrote to memory of 1284	680	Kplpjn32.exe	83
PID 680 wrote to memory of 1284	680	Kplpjn32.exe	83
PID 1284 wrote to memory of 4828	1284	Lbjlfi32.exe	84
PID 1284 wrote to memory of 4828	1284	Lbjlfi32.exe	84
PID 1284 wrote to memory of 4828	1284	Lbjlfi32.exe	84
PID 4828 wrote to memory of 5028	4828	Lffhfh32.exe	85
PID 4828 wrote to memory of 5028	4828	Lffhfh32.exe	85
PID 4828 wrote to memory of 5028	4828	Lffhfh32.exe	85
PID 5028 wrote to memory of 3472	5028	Liddbc32.exe	86
PID 5028 wrote to memory of 3472	5028	Liddbc32.exe	86
PID 5028 wrote to memory of 3472	5028	Liddbc32.exe	86
PID 3472 wrote to memory of 2108	3472	Lbmhlihl.exe	87
PID 3472 wrote to memory of 2108	3472	Lbmhlihl.exe	87
PID 3472 wrote to memory of 2108	3472	Lbmhlihl.exe	87
PID 2108 wrote to memory of 780	2108	Lekehdgp.exe	88
PID 2108 wrote to memory of 780	2108	Lekehdgp.exe	88
PID 2108 wrote to memory of 780	2108	Lekehdgp.exe	88
PID 780 wrote to memory of 1384	780	Lpqiemge.exe	89
PID 780 wrote to memory of 1384	780	Lpqiemge.exe	89
PID 780 wrote to memory of 1384	780	Lpqiemge.exe	89
PID 1384 wrote to memory of 4944	1384	Ldleel32.exe	90
PID 1384 wrote to memory of 4944	1384	Ldleel32.exe	90
PID 1384 wrote to memory of 4944	1384	Ldleel32.exe	90
PID 4944 wrote to memory of 3932	4944	Liimncmf.exe	91
PID 4944 wrote to memory of 3932	4944	Liimncmf.exe	91
PID 4944 wrote to memory of 3932	4944	Liimncmf.exe	91
PID 3932 wrote to memory of 1584	3932	Lpcfkm32.exe	92
PID 3932 wrote to memory of 1584	3932	Lpcfkm32.exe	92
PID 3932 wrote to memory of 1584	3932	Lpcfkm32.exe	92
PID 1584 wrote to memory of 396	1584	Lgmngglp.exe	93
PID 1584 wrote to memory of 396	1584	Lgmngglp.exe	93
PID 1584 wrote to memory of 396	1584	Lgmngglp.exe	93
PID 396 wrote to memory of 4948	396	Lmgfda32.exe	94
PID 396 wrote to memory of 4948	396	Lmgfda32.exe	94
PID 396 wrote to memory of 4948	396	Lmgfda32.exe	94
PID 4948 wrote to memory of 4748	4948	Lbdolh32.exe	95
PID 4948 wrote to memory of 4748	4948	Lbdolh32.exe	95
PID 4948 wrote to memory of 4748	4948	Lbdolh32.exe	95
PID 4748 wrote to memory of 3576	4748	Mgagbf32.exe	96
PID 4748 wrote to memory of 3576	4748	Mgagbf32.exe	96
PID 4748 wrote to memory of 3576	4748	Mgagbf32.exe	96
PID 3576 wrote to memory of 2296	3576	Mlopkm32.exe	97
PID 3576 wrote to memory of 2296	3576	Mlopkm32.exe	97
PID 3576 wrote to memory of 2296	3576	Mlopkm32.exe	97
PID 2296 wrote to memory of 1792	2296	Mchhggno.exe	98
PID 2296 wrote to memory of 1792	2296	Mchhggno.exe	98
PID 2296 wrote to memory of 1792	2296	Mchhggno.exe	98
PID 1792 wrote to memory of 4048	1792	Mmnldp32.exe	99
PID 1792 wrote to memory of 4048	1792	Mmnldp32.exe	99
PID 1792 wrote to memory of 4048	1792	Mmnldp32.exe	99
PID 4048 wrote to memory of 544	4048	Mckemg32.exe	100
PID 4048 wrote to memory of 544	4048	Mckemg32.exe	100
PID 4048 wrote to memory of 544	4048	Mckemg32.exe	100
PID 544 wrote to memory of 3048	544	Meiaib32.exe	101
PID 544 wrote to memory of 3048	544	Meiaib32.exe	101
PID 544 wrote to memory of 3048	544	Meiaib32.exe	101
PID 3048 wrote to memory of 992	3048	Mpoefk32.exe	102
PID 3048 wrote to memory of 992	3048	Mpoefk32.exe	102
PID 3048 wrote to memory of 992	3048	Mpoefk32.exe	102
PID 992 wrote to memory of 2484	992	Mcmabg32.exe	103

C:\Users\Admin\AppData\Local\Temp\54b04d2ab9b3b14a5bb8933741721b6c96868a21e792b3ad4b2326c2f0e7cda5.exe
"C:\Users\Admin\AppData\Local\Temp\54b04d2ab9b3b14a5bb8933741721b6c96868a21e792b3ad4b2326c2f0e7cda5.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\SysWOW64\Kplpjn32.exe
  C:\Windows\system32\Kplpjn32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\Windows\SysWOW64\Lbjlfi32.exe
    C:\Windows\system32\Lbjlfi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1284
  - - C:\Windows\SysWOW64\Lffhfh32.exe
      C:\Windows\system32\Lffhfh32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4828
    - - C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5028
      - C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:992
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4268
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4672
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2140
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:4444
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3584
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2656
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        39⤵
        Executes dropped EXE
        
        PID:3924
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3488
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1388
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4716
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3400
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:768
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4968
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2736
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:508
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3412
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:444
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        68⤵
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        70⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        71⤵
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4256
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:5052
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        77⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1316
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4248
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        83⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        84⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        87⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4904
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4688
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3236
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        94⤵
        Drops file in System32 directory
        
        PID:2812
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        97⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1236
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3284
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        104⤵
        Drops file in System32 directory
        
        PID:2200
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        106⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        107⤵
        Drops file in System32 directory
        
        PID:2372
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        108⤵
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        109⤵
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5260
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        113⤵
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:5432
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5520
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        118⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        119⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        120⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        121⤵
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5736
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5780
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:5868
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        126⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        128⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6044
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        130⤵
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        131⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6132
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        132⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5148
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5212
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        134⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:5356
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        136⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5556
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        141⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        142⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5852 -s 396
        143⤵
        Program crash
        
        PID:5984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5852 -ip 5852
1⤵
PID:5948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
136KB

MD5
65bfd1902651a94e5cd3d980213373ce

SHA1
f11057a842a28a7fda079e93e94989417deda310

SHA256
56e784e94137d397de186f58e91ec745245be07b2caa065de154f94ee4f23468

SHA512
e8030df81993b847c621f1a68a6bfa045d00d22f08e22ab7307b2408973b620550d97a121266b358023f7c850f97fc002d761e0d601b651f50c40899685f256c

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
136KB

MD5
c90cde80a6893329f31eedfda58c44c3

SHA1
c7a290c2b316f81cc8fd0e8717fc21c2472f636e

SHA256
9e15462cfb7fc4375f3e1c58fb051b30384b776200c698a30bc21a681afbaeb4

SHA512
0776f5682624d2ffe8a962e2438d14a34e86c2d38db27ccf41d1aad562a8232516e46215ce54edd68e6e16a609333b0a46d41f2226c6a0dbba5699967b299660

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
136KB

MD5
f496e97c0d635bb841197e6051200a14

SHA1
32be06e5679d4b008128d871aa2181de10cb0898

SHA256
64743dac9c71ef1716bbcbc0c18c6947e6a647e737428f70e748ac0b3c12eaaf

SHA512
3c3883f83c2368c6f20e217930e7703bea9a3218f1e210606402df82e83b2c508f31dd2704a3ba0386f4e7f7983be7b4e37cdd978da1c015e6d9a8568e4cba4d

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
136KB

MD5
4a4ec7b7d93cbf32de7b48842fab3639

SHA1
5e9ccdc940229e9596b6f03179b9536d986e4b8b

SHA256
812be4f2c2ba83a9ad300961f50c7614db01b7e68ffe7419977bfd99cd7a6c8d

SHA512
5e919839c6d48bfa13be35770e8496ea63a490d5b69ab8a4e1fc7b93cfd00e7d773266fa5e1aabfb33cda87dc7cc7a77c092d4947cd76b453bc29bbc52efdccb

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
136KB

MD5
4de0f765a4247abcadcf839c0cd14c81

SHA1
495db42d05bea1af1d12a75c5592b29ed12ec162

SHA256
6a0c7e55f6b7ad71d6bc22fa1ff5b4286e35795d8044c0985cc712ed77d0a4a6

SHA512
b32a4044a2d375922dac1eaa0bc062cdb56d733cc222c210af15bb7affedc14491c34b0d2c7d0af6a3f67f98b85f6a2847e2c1bd8d1fb220ebe5c86c0cd8411e

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
136KB

MD5
b96e343b9f9c9484d05a39f39a9b224d

SHA1
5710922b26e8cbd6a4b1cd133c80aba51ae3ac1f

SHA256
8896ef241b5ca36d002a35c69cfda1d31b42630f8b118e2af8b2034a826ba8f5

SHA512
ad9303c9bfd0a8bbc5414f2cd29cceb366b6d7d47042ed9c832e31159b32680c2433beaf6ecdcf1f1061f5d682be11e9011e41ab60694bcaa241325e2961ad91

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
136KB

MD5
5dd54f237674c88f8816fce4f245dd65

SHA1
f17a01222bd3ed6a180460d0f37cf1b1adfb644b

SHA256
a5ef8f8c37b7b1f3cdcaeae9ed830c57561380992d78627f542e648d64eed0d2

SHA512
7cd0124e3378abec74e8f1f89f98fe322ec571b9584f32fef6b6aff59c9fda7ab0a0114ed15c8ff93f6292d35558448702354bec27251080d299d3807bcafc87

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
136KB

MD5
df916b5f54cc9aa6ab95af1c6f4690b7

SHA1
39669d4403ef6dc78a2cff9f21b3924b3a0cb14f

SHA256
aa6c400e3ad882c1fea887f540ad284211cff3f64da162c378410d42561d8f7b

SHA512
53695c637167ae766156b4f2e7645c1c5e27d436804579d9448d91aa8ac8e385e01bb273553e461885e050a7b7c2def2114e4649d77d009fc554e642c56505f0

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
136KB

MD5
c495629090312b071f4dc54581dac1fe

SHA1
450654b9b2b407bc62c6e676e1bc5a52352b46b5

SHA256
d10c18e3d422bc1f6b6c35eb079f1d7d4e5f70673dec2da19ade03cc16d9b09e

SHA512
63f3aef3ae684e26c1e0d9a53b803a22a6a1c8dd65cf44906b1f2ac6c73c830f93064c72871e8e8247885598e3f2146687dfc154c66ff18d966195e885636227

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
136KB

MD5
d15e343c90544c7f5155f2d275f453b8

SHA1
fc6f8373a37b9eb366f25ab0de2ca182e86b0838

SHA256
160afe2aa4095003937fd40a0cea88798155676195fdb5f4bc32f2a6bcb14b4e

SHA512
4477226afc40f55d17a84b4d9cbb0e48dea29b37e9dd1ef9e12d529a691468b5b6472397b3b652eaab5e97c6933774df0d900e749757c1b86042ab3447aaf952

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
136KB

MD5
f6880a7382f6c4c68e5b2b3c7001244e

SHA1
bcc4deb9ac8417b5dde99a3027195641394244bf

SHA256
21511388fb9d5f64fd69e044da2b8012e3fb3a3b3e23a93fb729b3f8d15e0948

SHA512
802f160c005a3ddb870048aec1988eb7ba073215fe1ef6e1c11aea9f99ed7b4a7dcc28dd5e82599747b60f3a77feab0d182c0b8c85d0c2485ffe4fa29b7dd7e0

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
136KB

MD5
3ad706a7ba437032357a854e8c91616c

SHA1
1c55eec8be1fca2f1924a67229bd7e67a2c67063

SHA256
9fe08d505a8061e4f816a7188291e212c15510a764a925091feb716b7685b421

SHA512
644a1a96da48a1b1471bbb1752c4e51a2ca1ec819c9e0316042251958423df40489c67c12a8684e86eabb17d9b865fbe8d5fa34e2d2996b175571c99af33a927

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
136KB

MD5
94d69ed15f8f1bb51c15aa8ed0663c54

SHA1
a61814e93fbd3d77f1939ca5860c795c9285c652

SHA256
9981e5c57f580ba32871eb4be504c8b1667a8bb9725c1c57d0b8d4ef7b843c7e

SHA512
83c703c7febb724d20f6a0cd1ab3716dea2ea1fde3bf9a3b1cc1039ade8c16d768987b1552f037527f9543db548a8d826fc25721eeb855334c547b51d981d4e0

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
136KB

MD5
9971e255d9cb06640eb4d493e41f6848

SHA1
6a5c71d91ffb27cdd9bfd890d937b50da7303fdb

SHA256
3b6cb32c1d3919adb8baa79f3b34dba934555459c690b4abe1febe3513f4cd21

SHA512
91a4f45d7bdcf1dbede0a10e2986ad6052ec9168ff99d2c9f7087a0501f749922edeb0d975cd31924472867d5de2ab23231da44335a357324bcac049baa1b1b1

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
136KB

MD5
ac4a701ead0b896f643b34940532ed42

SHA1
a939530e869a62d7e9466d70cff623fa0bac1312

SHA256
b6fac06e15f99005ec23650c9604185f7aeaf793bba21a70be5bc19600fc7403

SHA512
19f3e57b588efc1434f70122c44787a56a4e6e52d42964648fcde070f0430ac8d80b4c63f678f5a8b3d614cb34ef670d1852f8f987cb174ea4cefd0b79db4cd8

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
136KB

MD5
b211f0973b1f0c698a651cac931ad276

SHA1
11af794f874c2399a73572c8805cceba63e51a2d

SHA256
29d8f050ce8006a490bff7c4309fb9d5115c5de82d8c882f05c67fb03ad27f50

SHA512
62563e7cd268acf0f11add2b855e1a52e5fed6360665e8add076851e8fe0886c623cd2cfd5c3bafdf86d7ef328f91be665195ffbdcf136a6cf008fdc5138914f

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
136KB

MD5
95dfbd0470c167385f24700404a04911

SHA1
20e1a3bb68a0734eb9f318b16c37c9a09aaf2b95

SHA256
5ae450d72ce905982e864184e8992d95cf2ecdc404fa72a7da563e06fed47ccc

SHA512
e35d169e8ac000f39cc237e572ba16bb81250dd17a26aa6ccdd9f926619624a0097a21d6a1b5ce05f258d041433a3e64068a83c3e832499942362a90f6791a34

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
136KB

MD5
ca7bc6d4a564bc0222ce4329d9f3e514

SHA1
a6fb14109483476e3eaf820bc7ddc246c347e02e

SHA256
812558426a806365544dc9382e9d14d0d7cb33b53a85f523591d1505b2cd10e9

SHA512
e2af30011ae7b5d0ed29198b0865750651a3c75e2ab567505cecefb70cba16816e0055701c59940f570993b832b59a1dedd2075df2f78aefa63a682edbff3249

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
136KB

MD5
56ba3f050a2e53652996b8c141229210

SHA1
d6edd6e4aedbe5170398494ab400985dcb05138c

SHA256
81741b1980d7f900c9f9b61fe76e0669f912e775e04f86b4b4ba162821b5fd20

SHA512
f6eb1fac796735b52515e8fdab3a3f86300a826a854c0212bcee8757130f702fd39774b0be9c38c111650b41e6f5a5c1481411c7be615baa92f902666db41b36

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
136KB

MD5
fefed95a3b767de5b032d817a56b0930

SHA1
107364eb7d0d4db63f380e94afab216668a655eb

SHA256
3e89f43d84f0f2f61aa3d94265ffa3e5c035c2d1c73dc49a94f0fa2f94619fa0

SHA512
9cd0520353dcaece7b55ce5ec50a0a4a6760491b1d902d7d82fa0d388606f6a927f50fcd6d330a33c83f53bcade0d677f9693e7b178724b7ba13a364c8c6c7f7

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
136KB

MD5
f6ab02a692f39c261ff6d43ed1739dc8

SHA1
e9ad2de40f4cd5d21ec93a672ae3f9261a269fd0

SHA256
cb0299039e8b7a04049de59138f518e46adbe4be89d76f195d71449a3db67b79

SHA512
72c850862e4883f5582d8a52499f1d75df3eaf907ade8e7158a92bebbc850a586f73a77f80c5a090b5ae9416c082ef57db77a23d069593740ff6ce6e050aa11c

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
136KB

MD5
20f2054274a20c37ccf2166dd0a042d4

SHA1
c5849be37180c1a6f0b26710a920a654080174ba

SHA256
025e01ee6b675a3e36bd420d2a21846715f447f9047807629b80463122ac545a

SHA512
1c995b00da11f6cc3c1738f2f1f3e1dd516b617a339020592f04d068ea6b4953b8ac56eb5aa2f81b3e4605ac9b5d77f9168a45d63b6eab2d844268c3c79d8060

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
136KB

MD5
d65e259bcd0df00c49a43f84a764d475

SHA1
d79508db7eda0db798b8a4cb9bb381206bf31fdc

SHA256
3cf3109bd47f2f03e111a4d5a42ac1ec16b8bf7429816c744af4546abb54b475

SHA512
4c3f1a1ff7e09b56e3381931274b9d6518cba7d76ecb552f2b131d718792ff6e1ecf199a84e3bc3173bcef4107ca2117ffa74b88677241d1ab8f44bf3a1b0f8c

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
136KB

MD5
75bab1ac5f90d980fdaa3f3482fac136

SHA1
c5351b0a8c939de3c0d39fb35b0dbeae03cdfaf4

SHA256
d854810a9fa54e6d8a0a5a32273cfb4f217c697735868800f374e76c4bcf92aa

SHA512
4f84dd3d709b804fe9f1b95a8c8fcb805a6fddb028757c38e25cd804429fe08fca636809b94a99001627623dc55c77065aeb38585e03ae788dc317239e82f157

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
136KB

MD5
6e04b0c5b299cdcfb7e37edf8364fc32

SHA1
0b7b9983f22832909e8f8fbaa4c4aff958aa1175

SHA256
8603c3e628f132f30bf9105a3d121e99d096433ae6f786df698bf3f6cfe332fd

SHA512
1c4c87386b00c41833f893dea03bbf21130972e4e088240e4b8a704a699b3d90559862deaba04d77a36f62e88bec7fa95dba2030943369d8fccd83936d78bda4

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
136KB

MD5
78b0b8df44d84fca26ee48b4f618fa21

SHA1
9cdf5f690abee6d714debaefe10b03368b95c719

SHA256
93bbe58cdd22f8de9614d433234f3da3a6669479e49766b9f3f5aa509248a177

SHA512
7e4464aa617fa06e10fb4f322fd6eb098ff14b5c2d92d55f62355d8905064973dc57de9fb03115b69724c0e88609546262bc3eaf0c7758dc9e5457a2920dac65

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
136KB

MD5
ef996b46f700292655ba0e82b12eee5a

SHA1
f2b8ad303c8547a1e9494899ff738ec7f400d281

SHA256
be767eb968714b4e8fddb94cc7fe3dc09861eb19fee63b27fc01a386b10ba399

SHA512
e83fcb99d54604201f4de4b973d5342c549b5406c8e4dccb8773e510acd42d66af082dcbc61f3934147dd703a8d6340cc265cb40b950603150bb8eb6509d9ebb

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
136KB

MD5
8674de7efb5c14c69445cd1a5ddf70d8

SHA1
3079603d3aa5acb029c8f32f6b099c882778ec4b

SHA256
efb4993dca617726700898b8737504c4cdbc1962e38460f6890565396b5939c5

SHA512
4a47c8f907e4c256e829507552124e477f76d8728bb2b4baead8466178cbc257369e591803bdb57bbebdad85f3c67955d3e4218efd4914745ad709f169a1d616

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
136KB

MD5
db67662132448023f09df5f6cfd675e9

SHA1
3f6eb85c6c8318ca3c26a1ba7bd01a469afd0b2b

SHA256
e348f3b257b7effd464112a211e62d092145d2e257845116ec4524d824bf78cc

SHA512
dc16506bd5f853b2a1338ee01e20813dfe03fcffe5f02a84a2ddf4374e8e58a2c6dec427cc83a40c84ef531f1e589d2622e5ec6348cc0143fe323719b00c0626

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
136KB

MD5
b7099d3d4d774aaf88fce754e9f5bf9e

SHA1
6bfbf52f5c7bdd1a1b2f28774273a96aacbbabbc

SHA256
b0f8b0887d992d1d20a2d2d69ec6a6db24a36454f2e3b35b6ab74830102b96c5

SHA512
8deddda734ec540a64595bffee2951153bc1741dc20819c65f554075954dcfc2e929dec078dd4d9abfd31fcf5eafe86ae676d1723f295ff43a92673ce894fb36

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
136KB

MD5
e3f0dadbc19336bf930262bfc3161ee7

SHA1
c435e3f5af7454f859526de46edd01ba12578888

SHA256
c14d7380ceceea8f74ebffeb59ef858cffab2ed54fe9dc892527a73cf42134d5

SHA512
6ec6f5b0b5123e83bff4ff54dcb3d7d4797ecc56c75192067646a2187904be7bfb5456387bcd57089f18278ec63d8a6fc75ee4c38396a3609c23c807cf6d3e9d

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
136KB

MD5
7366c1a96f5352cd347dcf5dad9d6f0a

SHA1
22fd67ba0263aa81c79556ba267eb5e0712893cc

SHA256
2dce35bd4fadf18d543a142b04f699d3c6df58ce999a214a93b362a7a5e71d84

SHA512
9780f091dec8615f5d09d21fb58ceb7346ca20879e1be7f0c492fd80d47f61d264ed96c19e086ee91b23902e04f42b4a95a0ff199906141e5962c8af67b74d07

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
136KB

MD5
e9cfcf13a6ffc5218ad5e3bd3313d6a2

SHA1
e14aa4567be64ee18d9358d5327459db7ed09c59

SHA256
3a2a8d4a39a81bb7b01576c466f5726d7353708e54e0876c782fbd7aa522e831

SHA512
0d5b11006ff1d0b5c8f9bcb981f87e7f1c109e1549572c82826f1c18962ac63734687e2e75c674db042678282b3d72bfa3b2ea387b4f1c6075816002712e5ac2

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
136KB

MD5
29f1edb81ced1d130334b3d042772167

SHA1
e9a85d0731fa063b69bb23a1111b533b8c059219

SHA256
497487f401272f4ac36302eb4a441634a2d3c046a2a096eba17cc4dea08d92ca

SHA512
77847dc32c488ddd412adc75b6ab34392d9472d5a6449faf43806c829d557d60707918b585865083cc87e79dd5b2d8f9a1f31774b323663b115f0fc3c5a370ad

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
136KB

MD5
44b8e188f4f1dfacd7a9342961c810bb

SHA1
395e0e7e28a1a4d4b6ddca276dadc1681f6e9746

SHA256
7d241cf5eeae0b69a7c73aec9949255c04e131b1642170b9dc5a0d046c350a18

SHA512
cb5be4f36db03fd05c343d65d3aacf6dcc2f2a2813e3900cf02bd0e6b40767e2af12cee302423b5bfcf089d9c12cb62fe5d3008ba0598b10594371c81e6808bc

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
136KB

MD5
2408456131029549d39a9eefb02f1a73

SHA1
be7c8d66357b27b4c7ceb35e6035cb0c2b15aa20

SHA256
10fa46fa2062dc5a96f8e55ede222d445e6670937efac5c5f6c3fd0345a0f253

SHA512
47e3cc88bff8965f45eb7fe2bb233fb9906eaa2f51ce422a8adb9a8349afefb3731cb7ac1e4ec01856197d1ac54e132d8072edf7df214a3559c9eedb37ee15db

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
136KB

MD5
16a2e02a51888190a380dbc0d557836b

SHA1
57706ffe75328552522b8804e226e09b2e67d8e5

SHA256
eb8ebf326261ccef6d4ca8f854961ce40c4d4b5644917ccd440784c172a076fb

SHA512
b3a35e019935d6e31a1fe0ce37955a5b085572a66fcc665218e9abfffc7e880daace90757a4b6e196e008cde093372662a5cec91c784b4b32137c04eb49f4586

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
136KB

MD5
870c7bca473c71ce861c1a71d8e9aa89

SHA1
e541ff6c123d4a20ce137a6c914a0faed62934df

SHA256
da902035fc610b56dbf9deb315c8d6b3bbd7b85fd55dd5cf5306a57607cbea0e

SHA512
6e448cb9bd82ade216a34248943de9c5ea34a6495e7d683f2eaa15cdb71902d64292963686bea264d20be00af8f557d11b839ad346d5622fc5de6428b522f1d7

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
136KB

MD5
a4bb7bf82098856e3c860f778d1d43ff

SHA1
b503672cf764805b20a5db98e7f6c187edf31b46

SHA256
9105d98516b125430f60a3f6f0d4343fcc1ffc3982ead918cef770eac72cc446

SHA512
4d450b533cc1498f0eafe90565ce8f2b4128ad8a68d1041bd31aaf150f3fbefc60452ba9092f35434dbe3cc6c9f0e787bd6cf7564acd7b5629f6c8db45f249d5

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
136KB

MD5
d26130970abf0b6bf991c017a4de7db8

SHA1
90767b358b3fe8ba0144a46b9528659e3a7e391e

SHA256
e20f36149795beaacc63aa33a72806caa1298397db2622d69202a7a5529707bf

SHA512
127b3a8597b3dc92ef4e8fe4f9f76d3ba733c049e208ee0e2453c34b59bdaa5d4890effc2995df554700e95f62a96977a9a343b2527de0999dfbb8666aa089da

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
136KB

MD5
5953f10fbbdad7e1f6dbd00e4fe90244

SHA1
0a6991a5aa54397469195c398e694a9f5c0849ed

SHA256
c74212e1aa0dd9303d1362009b2a1acbb9bf5bf7522ed7a66203d1143faeeb53

SHA512
92f22085ae6e2abec3413a45f5c9d74e81e955d03067bca5d27ea7ddf4787e0d19ec8f77a031259a77cbd2fda6f1e6bc896a3252cef4b9c6a79f0cdee2de22fc

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
136KB

MD5
d1adbc2c7f1d3bfda7b6af340204aa28

SHA1
046a430089043c6750b8bf752dd4da442ea78282

SHA256
5af8bf2a2ca0e25c72ec6dc260cea944027d150e0c50f5152c1d17abb63d4c80

SHA512
1425506b2542fc1c34081347547516510742bfc7b5b14d27c4e0731b4627006088b84dba2322bf151df8adad49fe33c09a6764f7054d36e70a59d0e9359cd7ff

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
136KB

MD5
cbcfe5cf0e28422164421b14944a6cfe

SHA1
e68b35cdeb0e4878ae12c6fed6259d545506686d

SHA256
9c255c683c790232135d20a2592f61196f30f84f39cfab74f32d924e2a359f2c

SHA512
2fcbb0268a7fde22a8d29d046da86dc6784b66a21d8283526ef164ecd3689c4b5f68d8e7361a8e1d44c7c16beaeb520da4982ca109f5312dee287f24737e1a59

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
136KB

MD5
719f122c5dd3b60b88f97839e245780a

SHA1
595fa607b6503ce7c89a5b994ab06dc4ca97fde0

SHA256
9711110e40e45da07bc69069f0bf988d586dd148fb81b40bf3931d762c908103

SHA512
56e26f81fec056141a968f574dce9b012713c8ad315421d4bb84c2504165f0f39e7189e4f941a1439de4809fe793ad788101d81d65f55c16d5a2a508508f7382

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
136KB

MD5
d10e9ec50434636502dab187e14b10dd

SHA1
dbf79a821f7a596370d10dd3bde9da0af9a903e9

SHA256
bb73b52fc4393f6c6d1af903a2c06c2b70a133fa41fcb49f612eefdff2b95d9f

SHA512
faa59e1ec4efd2642f8994d2010a7c675e0b5906b313c18eca47ea279f372299e33f6499690144c2fbae6bad38fbcaea9dbe934e937d7f7ecf43391059655d90

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
136KB

MD5
4a8211131563ffed166664ed4e9d5a7e

SHA1
4d54d1ae1d33fad5143097a334eda158b58b5bd3

SHA256
941f24a26e75da7ae98c87c2d4cd833279838fd260022b0b8043bbafcb9a65f8

SHA512
48302121293a4e85eeb9ddeb51c9ecaa849cb7ec40dad8d6dc65a1cdc49452efa34c48a890652e0be11fd34ded983df524f170f87cbb2dd3f7bdefecaf29a5df

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
136KB

MD5
746ab5626214c0fc5d7c4b8a4af8b0ed

SHA1
7a48a78431bb745a5d09e8940216dad6435b8425

SHA256
00701d913260be3df26235ce8469d7215b65787e5214aa0d20c8959af71ef168

SHA512
3cffdbfdcfde6bf3e542602e8709e41de45125a78e76e5c196f632739231abf03bfb6c59d1dbad701d42a7998c7067b284b6691252675ef1f2d163802620a0cc

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
136KB

MD5
b9c8f808065481251236f4f2df09a666

SHA1
b94fb185a31226b09a3b710d24841186635922f1

SHA256
22e8b2bf94ad095670bcd1362adf23c5486253a7677cc4651235358e3ab3903e

SHA512
7a5501d8690e166b81cf3cadb45fb0f3f7663e5e4be65e01722c4fd906fa13a0f1851dcc9b5d48232471ad2f10dd5a10363b2f994d88e8f77c945998fc50c2e9

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
136KB

MD5
3c95702d762e359bb6cf1b672211c64d

SHA1
3b539a7fb3d7434a553643c515c3a5adfba2f897

SHA256
baa277ea70f8d85a7d325e9d7424887f5a5d3509606ee5e3ec008a39b1fae93e

SHA512
3a1e30e468c46496f3dc3f63a25acb294a2c43eb9a8792e6decf024cefc77900eea818c1a4ca24673ba7529fc1ebca81b506c75a22a43f575610fe1c40de0fcd

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
136KB

MD5
c569ab95530c4035a73b34171cbd18a0

SHA1
1bbe72f450e26ef6af3082ad0e004f4c54921ebd

SHA256
7d195dae02e86491fa15443069f997157b10546e25a326743fbedae804304af0

SHA512
64c4452df7ae25cd9c1920386c5a7fcbec30a8420c8472e12d3fdaa9e95bb2bc097e2e5f7d03dc62fcf9b94b23ea127492ff78187a8d6ec2dd93c8e44c7ed9ad

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
136KB

MD5
7ec9051f9c83490668d4eccbd8bf4fae

SHA1
476330b5bfa278265877d58a2dfbaa84614d743a

SHA256
d518d928cfc8ed3e0964deabc030b4fa86ffa8043706f607e0ee095431cbc8d0

SHA512
e916a148a38f679fff3e292560c82e3ed1830bf8e0e74959a0cb161f956b93c1f9f1693ccd51fef13eab9851cf9ded3c1f020e9c0d9d62814c67d2f7a1e76272

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
136KB

MD5
f273f09500f29c2aeaab89d5a1ecf3a1

SHA1
2eedb70f91f75b836d45932825d9ded064bcc96c

SHA256
3a628efbc466a7af3666bc954f213b762e52390e6f16bb318158134f28a1f770

SHA512
fea58f0dcd94e7b61270c87a650e19dd379098b9f5407b55369902cb78ad62a5b083ea4e9a91e237ba0e0fac0864c0debe717800ac93065c3030bd293603622f

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
136KB

MD5
09fcb4022d1b9d1276d8a947a61a6624

SHA1
33589faa3e2cfce4c14f8e9ec484c5e53df8f2ad

SHA256
83d5c6e9de3a0ac3ded029263d9642b1371abce8b66bf283230d9b4ba0ebb30a

SHA512
80383afb42cc17460ab53d024a108c7e021acb09dc157175ff4beed762b64b9cae97e36361f6c30c13e33e57ff6c7d9df13efec5a4af5a41e78cd0d32214872a

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
136KB

MD5
67a52985948ae4b1b255b7f7f5d3e9d6

SHA1
ebb67f8113c1562b08e59a32b6d71988c58fa346

SHA256
4c14129a145b6c20ac4305db29800b6f611ea58274c00380f80f47cc577d5cfa

SHA512
85f2c20542a6c7bf7719978c4d758d338499c8e5b7a71dc3598d62fa5494c44c24c32d77aeaea8269e2e8694a0a6ae33cb0f0697df26157c48639fd6cf2242e7

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
136KB

MD5
a03ad40e4610657a2cdcdf70145ed5d5

SHA1
b22189fcb007b8b525a8998a2dc1e21a7be37510

SHA256
a9df5b52369f55be2d07940beae5240939f94e51ce03f3bab61cfd50861592f1

SHA512
a63ad58d7f5d8fc8e0495495679d052a0778c44fd661d4116e9567e119a08890d6c6d10f5fc230ffe63ee7c60bc15bc0ded2f88cb615cb3d307106b060bce1f3

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
136KB

MD5
89a245aa34717d8d3542fe34989571a1

SHA1
7fe8fb32598cad8bdd19496ba8305b6e392d0715

SHA256
648a8656ce78cb23e78745a879f5bf583545391b3e16f6b9c544036e6ba7a6e5

SHA512
47184607d93a18318809ab7de9f101a69ce2de53f3fe06d457baecb9b3549dab342b688137d81e917f92a1d42b590e046e6fb81f43eb17f30877033f78ecba15

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
136KB

MD5
22bd1f9dc10e901e01f8642d0b6528d8

SHA1
1b8280c4fc0b3f8a1d6aab1870908d709e396b4c

SHA256
eb6cefa72ca8ed3f3e3c16008b1b4573b3ffcd81bfbdd2fce4cf42b3c509e7e6

SHA512
e178fb9551497b3fdebcf77a9cb04c419b77149a1423bc03627b639992cb540c60b5159486bd2ce3c8244d505c0d943fc8b3402fe7e3c9eb012f046087452eb5

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
136KB

MD5
536bfa7e5a06fba0802c4918f654b224

SHA1
78a57c9df0724dc1d1a140063411f0c4bbd0c579

SHA256
185e41753b8bbc8641b384e7d3fe2c97d361d5c0af05f37c04ed2b61668794df

SHA512
79b2576a46ba317b99cc63485945bb07348bc2b63c9719c92eafef0755e051204234b98be92d4002e337201d9157a9fff67ba8d92b5c8c4359bc85f5264cc923

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
136KB

MD5
58b3f5bdb41c94301c17306c48bd1a59

SHA1
48c3b432df3b48bea5c86b9dba915c2ef1407878

SHA256
aff1fb323e80ad1785c9b85bcba6bb1bba3bca793191e8c2dabdac50ba850faa

SHA512
01877bc7995d69c56c81230039913905693f06476aebc25ef8dbd1dd2930412fa8fa80f03a66419f8f9ac52ece9d8e318a16d9cb2b351327781a8edb7196dc73

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
136KB

MD5
6c1eeff2dc686100cfa634633ff56ee1

SHA1
016c1c2e168041acc34aaedab879b8cc87e08b51

SHA256
b4974272d28b8033af956867673480463fde884a2b55810a58a55427cc76cc79

SHA512
7e3788dcc34c74adc85c333fae89b91cdfc9d0b7960531b72986701b4d42bae8fabb938c06acabe05e1b5ce475abdae8f016c196d7305abefd0c27318713e473

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
136KB

MD5
462c1d39ecdb40be9ba0b6fc4d84372b

SHA1
fd00c9a39f489d62ba0223e06924ab99fa4b0600

SHA256
c58dd8b5a2db88a39764a6e489f35e6edaf6e9c53bdb702926f679ef5d90eacf

SHA512
7b9ba2bb8e45dd2c4a2505494830b244d476e62d5940e5bd9c6c9055792e3d9fa0b60c264c11d46072cf51167a837a544d3ac0cad4bca3d9628b448efea46b2d

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
136KB

MD5
58251c96618d120d2523e68cf1d0cd06

SHA1
5ef4299185ec085572c59208a0227f9ec854a684

SHA256
db06cf1c7f2574859bca8196e8f72878dc262b9266bba86665eee639740d3e91

SHA512
54d0f1a439807c4b2cb9b678ef61f936cf9dcb36496208a7d98a9c6c84603d915b46c463569c258e84397625d4b710934a2a6488868aca74e1855e5f3d3de497

Download Submit
memory/64-480-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/396-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/444-444-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/508-426-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/532-492-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/544-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/680-547-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/680-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/744-468-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/768-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/780-589-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/780-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/904-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/940-456-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/992-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1004-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1228-504-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1284-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1284-554-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1288-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1300-573-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1316-539-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1384-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1388-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1476-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1564-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1564-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1564-534-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1584-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1604-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1792-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1808-498-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1864-384-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1884-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2068-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2108-582-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2108-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2140-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2296-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2312-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2336-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2376-562-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2484-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2636-378-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2648-450-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2656-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2664-541-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2680-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2736-414-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2768-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2856-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3048-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3192-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3340-462-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3384-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3400-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3412-438-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3468-516-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3472-575-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3472-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3488-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3504-522-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3552-478-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3576-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3584-264-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3924-288-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3932-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3940-576-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4020-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4048-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4092-420-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4104-528-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4164-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4192-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4220-583-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4248-548-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4252-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4256-486-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4268-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4288-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4444-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4468-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4568-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4632-330-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4672-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4716-336-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4748-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4828-561-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4828-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4916-294-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4944-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4948-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4968-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5028-568-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5028-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5052-510-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads