b155dc250dab73812214b6338b09dc51657bec8c89f27d54eb4485ca766c85fe

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2024 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b155dc250dab73812214b6338b09dc51657bec8c89f27d54eb4485ca766c85feN.exe
Size

95KB
MD5

33898357a763454764ebcda034f8fef0
SHA1

1c3179d17642235389c63c7094e6b8d4bde0f9ce
SHA256

b155dc250dab73812214b6338b09dc51657bec8c89f27d54eb4485ca766c85fe
SHA512

ec5f28a3a81c0dd89cd50b43dede0b7bb4794197c959b07f6ec7d34dfcf62dc80cf0edce1dcaddab8698bf96752bcc8d6e2e55ede9acc8617ef151b51985e041
SSDEEP

1536:XPrf3eD+C8UXlEehOGRRGwPzGWrNSitc0v8OM6bOLXi8PmCofGV:yNXLOG3zGWrNSOc0EDrLXfzoeV

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bihhhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbppgona.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdbnmbhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pomncfge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mociol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhnjna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afeban32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbpnjdkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icachjbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdnebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clbdpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icachjbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piaiqlak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qihoak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdqcenmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcdqhecd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aioebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdlhgpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpcila32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqnejaff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ieqpbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkjckkcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbfoclai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Defheg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pomncfge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afqifo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijbbfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfknmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ohqpjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Defheg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gkcigjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldkhlcnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndpjnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bliajd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggjjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhbkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ohhfknjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ilfodgeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koimbpbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbmlmmjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ohcmpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbljoafi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpagc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afceko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ilhkigcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbjbnnfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbhool32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpagc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndpjnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Albkieqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cidgdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gglfbkin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhoeef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiamp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcfkpjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cidgdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kopcbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okceaikl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Debnjgcp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddble32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdbnmbhj.exe

Executes dropped EXE 64 IoCs

pid	Process
5016	Fgqgfl32.exe
4216	Fjocbhbo.exe
1396	Gcghkm32.exe
1348	Gbhhieao.exe
2216	Gdgdeppb.exe
5112	Ggepalof.exe
4360	Gqnejaff.exe
4428	Gkcigjel.exe
2380	Gnaecedp.exe
760	Gdknpp32.exe
624	Ggjjlk32.exe
4896	Gbpnjdkg.exe
2364	Gglfbkin.exe
5108	Gbbkocid.exe
1672	Hccggl32.exe
1136	Hjmodffo.exe
1388	Hgapmj32.exe
4528	Haidfpki.exe
3748	Hgcmbj32.exe
4288	Ilfodgeg.exe
1712	Ibpgqa32.exe
5052	Icachjbb.exe
3660	Ilhkigcd.exe
4220	Ieqpbm32.exe
4952	Iccpniqp.exe
4460	Iagqgn32.exe
2424	Ihaidhgf.exe
4312	Ijpepcfj.exe
4716	Ieeimlep.exe
4752	Ijbbfc32.exe
2984	Jhfbog32.exe
4348	Jblflp32.exe
1744	Jhhodg32.exe
1068	Jnbgaa32.exe
3988	Jhkljfok.exe
2944	Jbppgona.exe
3080	Jhoeef32.exe
1172	Koimbpbc.exe
1460	Klmnkdal.exe
2264	Khdoqefq.exe
3640	Kbjbnnfg.exe
4272	Kkegbpca.exe
3984	Kopcbo32.exe
812	Kaopoj32.exe
5048	Kemhei32.exe
1444	Lkiamp32.exe
4264	Leoejh32.exe
1968	Lklnconj.exe
4556	Lddble32.exe
596	Lbebilli.exe
4544	Lhbkac32.exe
1740	Lbhool32.exe
3744	Llpchaqg.exe
3360	Lkcccn32.exe
396	Ldkhlcnb.exe
1820	Mclhjkfa.exe
3952	Mdnebc32.exe
4764	Mociol32.exe
3504	Mdpagc32.exe
3740	Mlgjhp32.exe
2072	Mdbnmbhj.exe
4972	Mhnjna32.exe
3472	Mddkbbfg.exe
1868	Mojopk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ciknefmk.exe	Cbaehl32.exe
File created	C:\Windows\SysWOW64\Gkcigjel.exe	Gqnejaff.exe
File created	C:\Windows\SysWOW64\Cadpqeqg.dll	Icachjbb.exe
File created	C:\Windows\SysWOW64\Caekaaoh.dll	Mlgjhp32.exe
File created	C:\Windows\SysWOW64\Nbdkhe32.exe	Nkjckkcg.exe
File created	C:\Windows\SysWOW64\Ohcmpn32.exe	Ookhfigk.exe
File created	C:\Windows\SysWOW64\Bldgoeog.exe	Bejobk32.exe
File created	C:\Windows\SysWOW64\Haaggn32.dll	Bfoegm32.exe
File created	C:\Windows\SysWOW64\Jgedpmpf.dll	Noaeqjpe.exe
File created	C:\Windows\SysWOW64\Pbljoafi.exe	Pomncfge.exe
File created	C:\Windows\SysWOW64\Ilfodgeg.exe	Hgcmbj32.exe
File created	C:\Windows\SysWOW64\Jnbgaa32.exe	Jhhodg32.exe
File created	C:\Windows\SysWOW64\Kchhih32.dll	Mclhjkfa.exe
File opened for modification	C:\Windows\SysWOW64\Cefoni32.exe	Cdebfago.exe
File created	C:\Windows\SysWOW64\Cpcila32.exe	Clgmkbna.exe
File opened for modification	C:\Windows\SysWOW64\Jnbgaa32.exe	Jhhodg32.exe
File opened for modification	C:\Windows\SysWOW64\Kkegbpca.exe	Kbjbnnfg.exe
File opened for modification	C:\Windows\SysWOW64\Llpchaqg.exe	Lbhool32.exe
File created	C:\Windows\SysWOW64\Gkhikf32.dll	Pkholi32.exe
File created	C:\Windows\SysWOW64\Dfaadk32.dll	Ijpepcfj.exe
File opened for modification	C:\Windows\SysWOW64\Kbjbnnfg.exe	Khdoqefq.exe
File created	C:\Windows\SysWOW64\Gdknpp32.exe	Gnaecedp.exe
File opened for modification	C:\Windows\SysWOW64\Hccggl32.exe	Gbbkocid.exe
File created	C:\Windows\SysWOW64\Mociol32.exe	Mdnebc32.exe
File created	C:\Windows\SysWOW64\Hmmppdij.dll	Aeopfl32.exe
File created	C:\Windows\SysWOW64\Akihcfid.exe	Aijlgkjq.exe
File created	C:\Windows\SysWOW64\Neiiibnn.dll	Cifdjg32.exe
File created	C:\Windows\SysWOW64\Ddqbbo32.exe	Clijablo.exe
File created	C:\Windows\SysWOW64\Lcgagm32.dll	Gbbkocid.exe
File created	C:\Windows\SysWOW64\Mjlhjjnc.dll	Klmnkdal.exe
File opened for modification	C:\Windows\SysWOW64\Lbebilli.exe	Lddble32.exe
File created	C:\Windows\SysWOW64\Afnlpohj.exe	Abcppq32.exe
File opened for modification	C:\Windows\SysWOW64\Afceko32.exe	Aioebj32.exe
File created	C:\Windows\SysWOW64\Mnfooh32.dll	Lddble32.exe
File created	C:\Windows\SysWOW64\Cifiamoa.dll	Mhnjna32.exe
File created	C:\Windows\SysWOW64\Piaiqlak.exe	Pcdqhecd.exe
File created	C:\Windows\SysWOW64\Cefoni32.exe	Cdebfago.exe
File created	C:\Windows\SysWOW64\Lklnconj.exe	Leoejh32.exe
File opened for modification	C:\Windows\SysWOW64\Mclhjkfa.exe	Ldkhlcnb.exe
File opened for modification	C:\Windows\SysWOW64\Albkieqj.exe	Aidomjaf.exe
File created	C:\Windows\SysWOW64\Pimdleea.dll	Bldgoeog.exe
File opened for modification	C:\Windows\SysWOW64\Ciiaogon.exe	Cfjeckpj.exe
File opened for modification	C:\Windows\SysWOW64\Leoejh32.exe	Lkiamp32.exe
File created	C:\Windows\SysWOW64\Kcgmiidl.dll	Cbmlmmjd.exe
File created	C:\Windows\SysWOW64\Cidgdg32.exe	Cbjogmlf.exe
File created	C:\Windows\SysWOW64\Dllffa32.exe	Debnjgcp.exe
File created	C:\Windows\SysWOW64\Dbfoclai.exe	Dpgbgpbe.exe
File opened for modification	C:\Windows\SysWOW64\Gcghkm32.exe	Fjocbhbo.exe
File created	C:\Windows\SysWOW64\Bkclkjqn.dll	Lklnconj.exe
File opened for modification	C:\Windows\SysWOW64\Ndidna32.exe	Nkapelka.exe
File created	C:\Windows\SysWOW64\Ndlacapp.exe	Nooikj32.exe
File created	C:\Windows\SysWOW64\Odlpkg32.dll	Piaiqlak.exe
File created	C:\Windows\SysWOW64\Lddble32.exe	Lklnconj.exe
File opened for modification	C:\Windows\SysWOW64\Mociol32.exe	Mdnebc32.exe
File opened for modification	C:\Windows\SysWOW64\Gkcigjel.exe	Gqnejaff.exe
File created	C:\Windows\SysWOW64\Pofhbgmn.exe	Pdqcenmg.exe
File created	C:\Windows\SysWOW64\Pkjdhm32.dll	Afqifo32.exe
File created	C:\Windows\SysWOW64\Kmpaoopf.dll	Ilfodgeg.exe
File opened for modification	C:\Windows\SysWOW64\Jblflp32.exe	Jhfbog32.exe
File created	C:\Windows\SysWOW64\Japjfm32.dll	Khdoqefq.exe
File created	C:\Windows\SysWOW64\Ichnpf32.dll	Lkiamp32.exe
File created	C:\Windows\SysWOW64\Mhnjna32.exe	Mdbnmbhj.exe
File created	C:\Windows\SysWOW64\Okceaikl.exe	Omaeem32.exe
File created	C:\Windows\SysWOW64\Honmnc32.dll	Obpkcc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6924	6836	WerFault.exe	245

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfoegm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciiaogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clijablo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfonnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihaidhgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbppgona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhbkac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abcppq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpcila32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbpnjdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koimbpbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkiamp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Noaeqjpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeopfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Albkieqj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcghkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gqnejaff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijbbfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obkahddl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alpnde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbaehl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgqgfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gglfbkin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iagqgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcbeqaia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkcccn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijlgkjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blknpdho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfjeckpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lklnconj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pomncfge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbhool32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdqhecd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdgdeppb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhfbog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnbgaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgcmbj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciknefmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cidgdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhnjna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aioebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aiabhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pecpknke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akihcfid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alkeifga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlgjhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mclhjkfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkapelka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dllffa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dipgpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdknpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Haidfpki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khdoqefq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clgmkbna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcfkpjng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbdkhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okceaikl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggepalof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jblflp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdpagc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kopcbo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lddble32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mociol32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gglfbkin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbbkocid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijpepcfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iojghflb.dll"	Cbaehl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfjeckpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dedkogqm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcghkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klmnkdal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Okceaikl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeopfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ilfodgeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mojopk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfknmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jknmpb32.dll"	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbddhbhn.dll"	Ieeimlep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfeijqqe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aimhmkgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clhgbgki.dll"	Gdknpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jhfbog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coffcf32.dll"	Lkcccn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bedbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cleqfb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gqnejaff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkegbpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogpoiia.dll"	Llpchaqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kemhei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkapelka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjdhm32.dll"	Afqifo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imdnon32.dll"	Dedkogqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jnbgaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jhoeef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dpgbgpbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honmnc32.dll"	Obpkcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ggjjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbjbnnfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdlmhj32.dll"	Lbebilli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkjckkcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkclkjqn.dll"	Lklnconj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Noaeqjpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cefoni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afqifo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfoegm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gdknpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iccpniqp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jblflp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbppgona.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkafdjmc.dll"	Afceko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfonnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohoiloe.dll"	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjocbhbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjmodffo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjmheb32.dll"	Ihaidhgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iagqgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bochcckb.dll"	Jhhodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjlpn32.dll"	Gbhhieao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hgapmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanhkb32.dll"	Alkeifga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iagqgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbdkhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mapchaef.dll"	Ijbbfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Okceaikl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Alpnde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkpjjj32.dll"	Ciiaogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jhkljfok.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 5016	1328	b155dc250dab73812214b6338b09dc51657bec8c89f27d54eb4485ca766c85feN.exe	89
PID 1328 wrote to memory of 5016	1328	b155dc250dab73812214b6338b09dc51657bec8c89f27d54eb4485ca766c85feN.exe	89
PID 1328 wrote to memory of 5016	1328	b155dc250dab73812214b6338b09dc51657bec8c89f27d54eb4485ca766c85feN.exe	89
PID 5016 wrote to memory of 4216	5016	Fgqgfl32.exe	90
PID 5016 wrote to memory of 4216	5016	Fgqgfl32.exe	90
PID 5016 wrote to memory of 4216	5016	Fgqgfl32.exe	90
PID 4216 wrote to memory of 1396	4216	Fjocbhbo.exe	91
PID 4216 wrote to memory of 1396	4216	Fjocbhbo.exe	91
PID 4216 wrote to memory of 1396	4216	Fjocbhbo.exe	91
PID 1396 wrote to memory of 1348	1396	Gcghkm32.exe	92
PID 1396 wrote to memory of 1348	1396	Gcghkm32.exe	92
PID 1396 wrote to memory of 1348	1396	Gcghkm32.exe	92
PID 1348 wrote to memory of 2216	1348	Gbhhieao.exe	93
PID 1348 wrote to memory of 2216	1348	Gbhhieao.exe	93
PID 1348 wrote to memory of 2216	1348	Gbhhieao.exe	93
PID 2216 wrote to memory of 5112	2216	Gdgdeppb.exe	94
PID 2216 wrote to memory of 5112	2216	Gdgdeppb.exe	94
PID 2216 wrote to memory of 5112	2216	Gdgdeppb.exe	94
PID 5112 wrote to memory of 4360	5112	Ggepalof.exe	95
PID 5112 wrote to memory of 4360	5112	Ggepalof.exe	95
PID 5112 wrote to memory of 4360	5112	Ggepalof.exe	95
PID 4360 wrote to memory of 4428	4360	Gqnejaff.exe	96
PID 4360 wrote to memory of 4428	4360	Gqnejaff.exe	96
PID 4360 wrote to memory of 4428	4360	Gqnejaff.exe	96
PID 4428 wrote to memory of 2380	4428	Gkcigjel.exe	97
PID 4428 wrote to memory of 2380	4428	Gkcigjel.exe	97
PID 4428 wrote to memory of 2380	4428	Gkcigjel.exe	97
PID 2380 wrote to memory of 760	2380	Gnaecedp.exe	98
PID 2380 wrote to memory of 760	2380	Gnaecedp.exe	98
PID 2380 wrote to memory of 760	2380	Gnaecedp.exe	98
PID 760 wrote to memory of 624	760	Gdknpp32.exe	99
PID 760 wrote to memory of 624	760	Gdknpp32.exe	99
PID 760 wrote to memory of 624	760	Gdknpp32.exe	99
PID 624 wrote to memory of 4896	624	Ggjjlk32.exe	100
PID 624 wrote to memory of 4896	624	Ggjjlk32.exe	100
PID 624 wrote to memory of 4896	624	Ggjjlk32.exe	100
PID 4896 wrote to memory of 2364	4896	Gbpnjdkg.exe	101
PID 4896 wrote to memory of 2364	4896	Gbpnjdkg.exe	101
PID 4896 wrote to memory of 2364	4896	Gbpnjdkg.exe	101
PID 2364 wrote to memory of 5108	2364	Gglfbkin.exe	102
PID 2364 wrote to memory of 5108	2364	Gglfbkin.exe	102
PID 2364 wrote to memory of 5108	2364	Gglfbkin.exe	102
PID 5108 wrote to memory of 1672	5108	Gbbkocid.exe	103
PID 5108 wrote to memory of 1672	5108	Gbbkocid.exe	103
PID 5108 wrote to memory of 1672	5108	Gbbkocid.exe	103
PID 1672 wrote to memory of 1136	1672	Hccggl32.exe	104
PID 1672 wrote to memory of 1136	1672	Hccggl32.exe	104
PID 1672 wrote to memory of 1136	1672	Hccggl32.exe	104
PID 1136 wrote to memory of 1388	1136	Hjmodffo.exe	105
PID 1136 wrote to memory of 1388	1136	Hjmodffo.exe	105
PID 1136 wrote to memory of 1388	1136	Hjmodffo.exe	105
PID 1388 wrote to memory of 4528	1388	Hgapmj32.exe	106
PID 1388 wrote to memory of 4528	1388	Hgapmj32.exe	106
PID 1388 wrote to memory of 4528	1388	Hgapmj32.exe	106
PID 4528 wrote to memory of 3748	4528	Haidfpki.exe	107
PID 4528 wrote to memory of 3748	4528	Haidfpki.exe	107
PID 4528 wrote to memory of 3748	4528	Haidfpki.exe	107
PID 3748 wrote to memory of 4288	3748	Hgcmbj32.exe	108
PID 3748 wrote to memory of 4288	3748	Hgcmbj32.exe	108
PID 3748 wrote to memory of 4288	3748	Hgcmbj32.exe	108
PID 4288 wrote to memory of 1712	4288	Ilfodgeg.exe	109
PID 4288 wrote to memory of 1712	4288	Ilfodgeg.exe	109
PID 4288 wrote to memory of 1712	4288	Ilfodgeg.exe	109
PID 1712 wrote to memory of 5052	1712	Ibpgqa32.exe	110

C:\Users\Admin\AppData\Local\Temp\b155dc250dab73812214b6338b09dc51657bec8c89f27d54eb4485ca766c85feN.exe
"C:\Users\Admin\AppData\Local\Temp\b155dc250dab73812214b6338b09dc51657bec8c89f27d54eb4485ca766c85feN.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\SysWOW64\Fgqgfl32.exe
  C:\Windows\system32\Fgqgfl32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Windows\SysWOW64\Fjocbhbo.exe
    C:\Windows\system32\Fjocbhbo.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4216
  - - C:\Windows\SysWOW64\Gcghkm32.exe
      C:\Windows\system32\Gcghkm32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1396
    - - C:\Windows\SysWOW64\Gbhhieao.exe
        
        C:\Windows\system32\Gbhhieao.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1348
      - C:\Windows\SysWOW64\Gdgdeppb.exe
        
        C:\Windows\system32\Gdgdeppb.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Ggepalof.exe
        
        C:\Windows\system32\Ggepalof.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Gqnejaff.exe
        
        C:\Windows\system32\Gqnejaff.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Gkcigjel.exe
        
        C:\Windows\system32\Gkcigjel.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Gnaecedp.exe
        
        C:\Windows\system32\Gnaecedp.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Gdknpp32.exe
        
        C:\Windows\system32\Gdknpp32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Ggjjlk32.exe
        
        C:\Windows\system32\Ggjjlk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Gbpnjdkg.exe
        
        C:\Windows\system32\Gbpnjdkg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Gglfbkin.exe
        
        C:\Windows\system32\Gglfbkin.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Gbbkocid.exe
        
        C:\Windows\system32\Gbbkocid.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Hccggl32.exe
        
        C:\Windows\system32\Hccggl32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Hjmodffo.exe
        
        C:\Windows\system32\Hjmodffo.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Hgapmj32.exe
        
        C:\Windows\system32\Hgapmj32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Haidfpki.exe
        
        C:\Windows\system32\Haidfpki.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Hgcmbj32.exe
        
        C:\Windows\system32\Hgcmbj32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\Ilfodgeg.exe
        
        C:\Windows\system32\Ilfodgeg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SysWOW64\Ibpgqa32.exe
        
        C:\Windows\system32\Ibpgqa32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Icachjbb.exe
        
        C:\Windows\system32\Icachjbb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\Ilhkigcd.exe
        
        C:\Windows\system32\Ilhkigcd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3660
        
        C:\Windows\SysWOW64\Ieqpbm32.exe
        
        C:\Windows\system32\Ieqpbm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4220
        
        C:\Windows\SysWOW64\Iccpniqp.exe
        
        C:\Windows\system32\Iccpniqp.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Iagqgn32.exe
        
        C:\Windows\system32\Iagqgn32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Ihaidhgf.exe
        
        C:\Windows\system32\Ihaidhgf.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Ijpepcfj.exe
        
        C:\Windows\system32\Ijpepcfj.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Ieeimlep.exe
        
        C:\Windows\system32\Ieeimlep.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Ijbbfc32.exe
        
        C:\Windows\system32\Ijbbfc32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Jhfbog32.exe
        
        C:\Windows\system32\Jhfbog32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Jblflp32.exe
        
        C:\Windows\system32\Jblflp32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Jhhodg32.exe
        
        C:\Windows\system32\Jhhodg32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Jnbgaa32.exe
        
        C:\Windows\system32\Jnbgaa32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Jhkljfok.exe
        
        C:\Windows\system32\Jhkljfok.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Jbppgona.exe
        
        C:\Windows\system32\Jbppgona.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Jhoeef32.exe
        
        C:\Windows\system32\Jhoeef32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\Koimbpbc.exe
        
        C:\Windows\system32\Koimbpbc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Windows\SysWOW64\Klmnkdal.exe
        
        C:\Windows\system32\Klmnkdal.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Khdoqefq.exe
        
        C:\Windows\system32\Khdoqefq.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\Kbjbnnfg.exe
        
        C:\Windows\system32\Kbjbnnfg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Kkegbpca.exe
        
        C:\Windows\system32\Kkegbpca.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Kopcbo32.exe
        
        C:\Windows\system32\Kopcbo32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3984
        
        C:\Windows\SysWOW64\Kaopoj32.exe
        
        C:\Windows\system32\Kaopoj32.exe
        45⤵
        Executes dropped EXE
        
        PID:812
        
        C:\Windows\SysWOW64\Kemhei32.exe
        
        C:\Windows\system32\Kemhei32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Lkiamp32.exe
        
        C:\Windows\system32\Lkiamp32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\Leoejh32.exe
        
        C:\Windows\system32\Leoejh32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4264
        
        C:\Windows\SysWOW64\Lklnconj.exe
        
        C:\Windows\system32\Lklnconj.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Lddble32.exe
        
        C:\Windows\system32\Lddble32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4556
        
        C:\Windows\SysWOW64\Lbebilli.exe
        
        C:\Windows\system32\Lbebilli.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:596
        
        C:\Windows\SysWOW64\Lhbkac32.exe
        
        C:\Windows\system32\Lhbkac32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Windows\SysWOW64\Lbhool32.exe
        
        C:\Windows\system32\Lbhool32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Windows\SysWOW64\Llpchaqg.exe
        
        C:\Windows\system32\Llpchaqg.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Lkcccn32.exe
        
        C:\Windows\system32\Lkcccn32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Ldkhlcnb.exe
        
        C:\Windows\system32\Ldkhlcnb.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:396
        
        C:\Windows\SysWOW64\Mclhjkfa.exe
        
        C:\Windows\system32\Mclhjkfa.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\Mdnebc32.exe
        
        C:\Windows\system32\Mdnebc32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3952
        
        C:\Windows\SysWOW64\Mociol32.exe
        
        C:\Windows\system32\Mociol32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Windows\SysWOW64\Mdpagc32.exe
        
        C:\Windows\system32\Mdpagc32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\Mlgjhp32.exe
        
        C:\Windows\system32\Mlgjhp32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3740
        
        C:\Windows\SysWOW64\Mdbnmbhj.exe
        
        C:\Windows\system32\Mdbnmbhj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2072
        
        C:\Windows\SysWOW64\Mhnjna32.exe
        
        C:\Windows\system32\Mhnjna32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\Mddkbbfg.exe
        
        C:\Windows\system32\Mddkbbfg.exe
        64⤵
        Executes dropped EXE
        
        PID:3472
        
        C:\Windows\SysWOW64\Mojopk32.exe
        
        C:\Windows\system32\Mojopk32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Mcfkpjng.exe
        
        C:\Windows\system32\Mcfkpjng.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\Nkapelka.exe
        
        C:\Windows\system32\Nkapelka.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Ndidna32.exe
        
        C:\Windows\system32\Ndidna32.exe
        68⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\Nooikj32.exe
        
        C:\Windows\system32\Nooikj32.exe
        69⤵
        Drops file in System32 directory
        
        PID:3052
        
        C:\Windows\SysWOW64\Ndlacapp.exe
        
        C:\Windows\system32\Ndlacapp.exe
        70⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\Noaeqjpe.exe
        
        C:\Windows\system32\Noaeqjpe.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\Nfknmd32.exe
        
        C:\Windows\system32\Nfknmd32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Nocbfjmc.exe
        
        C:\Windows\system32\Nocbfjmc.exe
        73⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\Ndpjnq32.exe
        
        C:\Windows\system32\Ndpjnq32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3912
        
        C:\Windows\SysWOW64\Nkjckkcg.exe
        
        C:\Windows\system32\Nkjckkcg.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Nbdkhe32.exe
        
        C:\Windows\system32\Nbdkhe32.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Okmpqjad.exe
        
        C:\Windows\system32\Okmpqjad.exe
        77⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\Ohqpjo32.exe
        
        C:\Windows\system32\Ohqpjo32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4756
        
        C:\Windows\SysWOW64\Ookhfigk.exe
        
        C:\Windows\system32\Ookhfigk.exe
        79⤵
        Drops file in System32 directory
        
        PID:2408
        
        C:\Windows\SysWOW64\Ohcmpn32.exe
        
        C:\Windows\system32\Ohcmpn32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4192
        
        C:\Windows\SysWOW64\Obkahddl.exe
        
        C:\Windows\system32\Obkahddl.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\Omaeem32.exe
        
        C:\Windows\system32\Omaeem32.exe
        82⤵
        Drops file in System32 directory
        
        PID:4816
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Ohhfknjf.exe
        
        C:\Windows\system32\Ohhfknjf.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5176
        
        C:\Windows\SysWOW64\Obpkcc32.exe
        
        C:\Windows\system32\Obpkcc32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Pkholi32.exe
        
        C:\Windows\system32\Pkholi32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Pofhbgmn.exe
        
        C:\Windows\system32\Pofhbgmn.exe
        88⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Pecpknke.exe
        
        C:\Windows\system32\Pecpknke.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\Pcdqhecd.exe
        
        C:\Windows\system32\Pcdqhecd.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        C:\Windows\SysWOW64\Piaiqlak.exe
        
        C:\Windows\system32\Piaiqlak.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Pfeijqqe.exe
        
        C:\Windows\system32\Pfeijqqe.exe
        92⤵
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Pomncfge.exe
        
        C:\Windows\system32\Pomncfge.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Pbljoafi.exe
        
        C:\Windows\system32\Pbljoafi.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5620
        
        C:\Windows\SysWOW64\Qkdohg32.exe
        
        C:\Windows\system32\Qkdohg32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5664
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5708
        
        C:\Windows\SysWOW64\Qihoak32.exe
        
        C:\Windows\system32\Qihoak32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5752
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        98⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Aeopfl32.exe
        
        C:\Windows\system32\Aeopfl32.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Aijlgkjq.exe
        
        C:\Windows\system32\Aijlgkjq.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5888
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\Abcppq32.exe
        
        C:\Windows\system32\Abcppq32.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5976
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6016
        
        C:\Windows\SysWOW64\Aimhmkgn.exe
        
        C:\Windows\system32\Aimhmkgn.exe
        104⤵
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Alkeifga.exe
        
        C:\Windows\system32\Alkeifga.exe
        105⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Abemep32.exe
        
        C:\Windows\system32\Abemep32.exe
        106⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\Afqifo32.exe
        
        C:\Windows\system32\Afqifo32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Aioebj32.exe
        
        C:\Windows\system32\Aioebj32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Windows\SysWOW64\Afceko32.exe
        
        C:\Windows\system32\Afceko32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Aiabhj32.exe
        
        C:\Windows\system32\Aiabhj32.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5396
        
        C:\Windows\SysWOW64\Alpnde32.exe
        
        C:\Windows\system32\Alpnde32.exe
        111⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Abjfqpji.exe
        
        C:\Windows\system32\Abjfqpji.exe
        112⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Afeban32.exe
        
        C:\Windows\system32\Afeban32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5604
        
        C:\Windows\SysWOW64\Aidomjaf.exe
        
        C:\Windows\system32\Aidomjaf.exe
        114⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Albkieqj.exe
        
        C:\Windows\system32\Albkieqj.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5808
        
        C:\Windows\SysWOW64\Bejobk32.exe
        
        C:\Windows\system32\Bejobk32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Bldgoeog.exe
        
        C:\Windows\system32\Bldgoeog.exe
        117⤵
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Bihhhi32.exe
        
        C:\Windows\system32\Bihhhi32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6024
        
        C:\Windows\SysWOW64\Bliajd32.exe
        
        C:\Windows\system32\Bliajd32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6088
        
        C:\Windows\SysWOW64\Bcpika32.exe
        
        C:\Windows\system32\Bcpika32.exe
        120⤵
        
        PID:212
        
        C:\Windows\SysWOW64\Bfoegm32.exe
        
        C:\Windows\system32\Bfoegm32.exe
        121⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Blknpdho.exe
        
        C:\Windows\system32\Blknpdho.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:5324
        
        C:\Windows\SysWOW64\Bcbeqaia.exe
        
        C:\Windows\system32\Bcbeqaia.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5460
        
        C:\Windows\SysWOW64\Bfabmmhe.exe
        
        C:\Windows\system32\Bfabmmhe.exe
        124⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Bedbhi32.exe
        
        C:\Windows\system32\Bedbhi32.exe
        125⤵
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Cdebfago.exe
        
        C:\Windows\system32\Cdebfago.exe
        126⤵
        Drops file in System32 directory
        
        PID:5868
        
        C:\Windows\SysWOW64\Cefoni32.exe
        
        C:\Windows\system32\Cefoni32.exe
        127⤵
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Clpgkcdj.exe
        
        C:\Windows\system32\Clpgkcdj.exe
        128⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Cbjogmlf.exe
        
        C:\Windows\system32\Cbjogmlf.exe
        129⤵
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Cidgdg32.exe
        
        C:\Windows\system32\Cidgdg32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5320
        
        C:\Windows\SysWOW64\Clbdpc32.exe
        
        C:\Windows\system32\Clbdpc32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5496
        
        C:\Windows\SysWOW64\Cbmlmmjd.exe
        
        C:\Windows\system32\Cbmlmmjd.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Cifdjg32.exe
        
        C:\Windows\system32\Cifdjg32.exe
        133⤵
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Cleqfb32.exe
        
        C:\Windows\system32\Cleqfb32.exe
        134⤵
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Cdlhgpag.exe
        
        C:\Windows\system32\Cdlhgpag.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5432
        
        C:\Windows\SysWOW64\Cfjeckpj.exe
        
        C:\Windows\system32\Cfjeckpj.exe
        136⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Ciiaogon.exe
        
        C:\Windows\system32\Ciiaogon.exe
        137⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Clgmkbna.exe
        
        C:\Windows\system32\Clgmkbna.exe
        138⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6096
        
        C:\Windows\SysWOW64\Cpcila32.exe
        
        C:\Windows\system32\Cpcila32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6128
        
        C:\Windows\SysWOW64\Cbaehl32.exe
        
        C:\Windows\system32\Cbaehl32.exe
        140⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6168
        
        C:\Windows\SysWOW64\Ciknefmk.exe
        
        C:\Windows\system32\Ciknefmk.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:6244
        
        C:\Windows\SysWOW64\Clijablo.exe
        
        C:\Windows\system32\Clijablo.exe
        142⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6316
        
        C:\Windows\SysWOW64\Ddqbbo32.exe
        
        C:\Windows\system32\Ddqbbo32.exe
        143⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Dfonnk32.exe
        
        C:\Windows\system32\Dfonnk32.exe
        144⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6416
        
        C:\Windows\SysWOW64\Debnjgcp.exe
        
        C:\Windows\system32\Debnjgcp.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6460
        
        C:\Windows\SysWOW64\Dllffa32.exe
        
        C:\Windows\system32\Dllffa32.exe
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:6508
        
        C:\Windows\SysWOW64\Dpgbgpbe.exe
        
        C:\Windows\system32\Dpgbgpbe.exe
        147⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6556
        
        C:\Windows\SysWOW64\Dbfoclai.exe
        
        C:\Windows\system32\Dbfoclai.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6600
        
        C:\Windows\SysWOW64\Dedkogqm.exe
        
        C:\Windows\system32\Dedkogqm.exe
        149⤵
        Modifies registry class
        
        PID:6648
        
        C:\Windows\SysWOW64\Dipgpf32.exe
        
        C:\Windows\system32\Dipgpf32.exe
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:6704
        
        C:\Windows\SysWOW64\Dlncla32.exe
        
        C:\Windows\system32\Dlncla32.exe
        151⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Defheg32.exe
        
        C:\Windows\system32\Defheg32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6792
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        153⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6836 -s 220
        154⤵
        Program crash
        
        PID:6924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4252,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=3004 /prefetch:8
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 6836 -ip 6836
1⤵
PID:6900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeopfl32.exe

Filesize
95KB

MD5
f6e18d5cba33041c30e69adc3f9bd2bf

SHA1
6155e3a7666cacb7fa97d47fde6abe18859ad20a

SHA256
bb804051bbde7856bd0efdbbc0122aac3bc73e3b6be2bd34f3aaf245954d6207

SHA512
796391e742e1d198c73582d23d3abd433874baa7f93bd8896aa7a221899ad1494da2f1735a2c1f531ad7bb79ee90deea158a857a88346f810774b177ae440167

Download Submit
C:\Windows\SysWOW64\Aimhmkgn.exe

Filesize
95KB

MD5
8f0a551e0b6fd3703c4883f93a102169

SHA1
c26db223b8347a1a673ff82536fd4536b8b3a9b1

SHA256
ba94fb2c9efa56cedddee56054f33ef8328d27d567f51cda124b8a01b5bd2f90

SHA512
6626878f9d021c582300cd0fcd0da2bbfaa34cb91cb1dac0e0b97158516ccdc41a1fb6d4f2f62fe481e8b59a120d7741b4cd98865abbab8426ec7221122a0959

Download Submit
C:\Windows\SysWOW64\Bbjlpn32.dll

Filesize
7KB

MD5
8f5c0c5dc983f9832299a07695011446

SHA1
391144587442d2b769cee1b75cdac77a21eed3f6

SHA256
a9df2bd228f41000d2874b271dbc157c4cb68afd88366c0005bda67eead948cd

SHA512
9b0d3f3513ab6f4a7458ce5937307f8fe909912b72ff69fd871611aae3c3c1d399e9c70e12479ddc03db58003295d7aca13ee1ff5d9393feb8a7f5150e9a7761

Download Submit
C:\Windows\SysWOW64\Bcbeqaia.exe

Filesize
95KB

MD5
b3b3ddc154ed5e79693bc1af685032e1

SHA1
9889581a9830f76b3151f091bfadb4c5315028a4

SHA256
c9de4289737090b27beeb47a363215c72a129af327583d7e81a6d4005f520a98

SHA512
58f0379530393c18a4bff18b07df636b87379e4a800824845d2f37eb7f6c7271d1992d5e1c1f4952448a9c2fb66cf5e187b311b20ac9df46d83751f2a7444349

Download Submit
C:\Windows\SysWOW64\Bejobk32.exe

Filesize
95KB

MD5
f99a8dc8f5bca5115ed726ff8d92dcb1

SHA1
2a1e8af096b03074824ddffa0520952c0e6772fa

SHA256
df185185c798d5ab7a7130fa80054781d08caeca46d8e034d18af32c70d1a670

SHA512
e1909705b2c2c312b96cffd357137bbfb96e8b1c1991d760e9ea3a5d9ea7de60952c24a9e27aaf81df786ad4383e91ba52b88797faebf877cce2ca7105391fd2

Download Submit
C:\Windows\SysWOW64\Bliajd32.exe

Filesize
95KB

MD5
468ee72ce74c68f95a2b2ce615d14b40

SHA1
8499143cd381dacf6377644d6ff016174fe7f54f

SHA256
586554b2a59b89dbf28f57b4a95ef1617b73e95008eeb4cf1289e1c06bb5ceeb

SHA512
cbb1068b1c835429931f318e6729207c391a916f62e6a30d047556626eeda023ed06f133473fc0ede47927901eea249da222c84c75340dd16567a613da4e2745

Download Submit
C:\Windows\SysWOW64\Cbjogmlf.exe

Filesize
95KB

MD5
1bcc7ec4f13dfa93e3641a11d38ef3d2

SHA1
e625d5fb1495666375eec913ad225f284688f76d

SHA256
8c31b33ae9ec5e670f3f8f07bf9aa22b895b15bd6f410365e68fe3bde68d59cd

SHA512
136b74d5711c77093f8baaa418b127a1500904f9dcdf8d28c2415de35f44ae821d6e912b5ccd8797fd44f0acbe03cf6b6bca989f5046c2564f9af6e6f2ed3764

Download Submit
C:\Windows\SysWOW64\Cdebfago.exe

Filesize
95KB

MD5
75841a5f69869cdef6a2a10fa139ce35

SHA1
fbdc9a2e20d2c2c86590f3c5c20bbde436a9f4c3

SHA256
62114e5ba6be0c1a4dd1af9c0427f950e214cbb731d0b449857f5bb353bdc6fe

SHA512
5a940afe25f546f4b615c6a170115c74b7ae657e3a9791521c3c9f8b6d28e4d3713a7f855f6936cab3c0f60407cc20ac9a69dc64bc78228595649c0d75260a46

Download Submit
C:\Windows\SysWOW64\Clpgkcdj.exe

Filesize
95KB

MD5
7ef2d73981510f8811c0ca15fe465bf9

SHA1
220994f21c541198b3b43515bac890bc44375cb6

SHA256
76fe016ae83b714ba9f239d86f9128c137bda5b2b8629a77ecabacba5e2aaaa4

SHA512
7a65c3a259435c6630db129c054e2c73b37905dcf91544ccdf2723b5164ff3036cabf895f534f80c269550bf877ad3f5b2d1599fb7234cb30924a152aaa88c44

Download Submit
C:\Windows\SysWOW64\Defheg32.exe

Filesize
95KB

MD5
b61c5f9b9a348523f8fce42797268a42

SHA1
dabfaaca6bcc6539b67f6a07798d1340ef3170e1

SHA256
be31fd8487e247f3149541d22c68883ad685a0f781c5930eba15c9be39209333

SHA512
222f28ee0654d7986916babe634ffd23204ccfe1607371afcde50cde643544d5afd204cdd052228d586bfc0caa6d73ed552e2584bfa77f96ad675afe917457c7

Download Submit
C:\Windows\SysWOW64\Fgqgfl32.exe

Filesize
95KB

MD5
4662f55e7a8e40355d72eb65cb5ccefe

SHA1
0c87012a659be8bce6fa3984d9fb9dc11a6a3792

SHA256
5ee05383819484d6813db34383eeeb701c9db38ecc64948719feb5d2d63e12f8

SHA512
1b90b0e6385e468256cf4c57e5246e1a9f6f04fbd4912cb58215c4b138391ac226faac175001ef8e1201ca848bd8c0f3b0827b0d24c521a631fe3b7fa4ab3f25

Download Submit
C:\Windows\SysWOW64\Fjocbhbo.exe

Filesize
95KB

MD5
0d7d1052c77c2e5e23a6ef378903f536

SHA1
010ba55e74563c05e5be448204d587628eec4711

SHA256
70f174f04630a62045221f5803ebd85cc249a6b57c4310862628ccf76559b82f

SHA512
924282894c4fc99e129ad2e8957eaf2e24d5be64f1b17dd77fa19701be4dd747f64bf650e9d0f99808951e854582596f3432457aa2b0fa6ceef40f6dae4aec07

Download Submit
C:\Windows\SysWOW64\Gbbkocid.exe

Filesize
95KB

MD5
58018cf6c4a32c9b106b617575f3e360

SHA1
4fc5de215e7853c9a6dd54efa1903ffba878a8c3

SHA256
13c78ad3d17c673b3581d58a5076de812ce906fd911c7acb9707167f13c4d483

SHA512
27ab30cb78935cd59a5ce8facc3e3043f4b3733b6a267eed44940c31ec1f97b699b79c7df5cbcf86e8772b00194a05e07bdfb237de247445b38e5c1336719d05

Download Submit
C:\Windows\SysWOW64\Gbhhieao.exe

Filesize
95KB

MD5
a92e8924708274c57dc0a6738aa7af51

SHA1
ca0920bb8ffdd76a650e7ccf91aea452c8fd784a

SHA256
4a8236fb128f948da42855407e5fcc776b65c4a1cb4170eeb2f4a2330765fb50

SHA512
4d2b8595caa815430e6cad454f86870c2458b8ef983e447dc32ea304b482f95bef02b48afcf9f694566c780191d1f4d77c855b75aabe7d88c2e0cae0f3c38b3c

Download Submit
C:\Windows\SysWOW64\Gbpnjdkg.exe

Filesize
95KB

MD5
71f04bdf5f4378110e9f3ad4c592b3bf

SHA1
e58ca8c8e7d5328b80f35f252413f603cc1d0d4b

SHA256
0cb75df1f77fd62243ef73e3c8976556a4c430321461ab03b1d2b27137c3ad5f

SHA512
e87d7bfb4bbf671ee9a66993dff0bd7d9af51c3447f5e2963a36d000a819d6627f1fdeb13118bf0fb968ff6605afb69433a1ef762c8e2deb92f29775d5cd71a5

Download Submit
C:\Windows\SysWOW64\Gcghkm32.exe

Filesize
95KB

MD5
f75e367c19e0e554c822c270406ce0e5

SHA1
958adcac78108e40680e9adea4b62e912797c3aa

SHA256
4b404af50e73d45781fb0554a28ba14dc1679b9880cea0693ec86625c3b52db9

SHA512
fa21e93af5bb1cc62891b87dd4596f703e6f22adf2c330edb2f9861996debe31a9b6bec5a3c6833d06be6b8f7e2018c31f7b64e3d05bbae915e8c9e5143dff6c

Download Submit
C:\Windows\SysWOW64\Gdgdeppb.exe

Filesize
95KB

MD5
9c8665e3f59fe0ba8a20f24d1c983457

SHA1
99069f55c8c66af7ba8946928553f8e5f761c3bf

SHA256
d0de507ae1dc3aa6b3e3c4683d857dbf4e8f20a8884600833117dc06618d9fe4

SHA512
e554ef45a35e57ecb406bcd684912206d5aebe1a9ca3942e8198d1569e3a3b829f30e9c023282b689085c383d3cb5eb10e0237575da67b97b9ea050ee1aa768f

Download Submit
C:\Windows\SysWOW64\Gdknpp32.exe

Filesize
95KB

MD5
bf8968373d022c3cb3c75dbc149f2867

SHA1
ad94eee9fe7f0de3e2e9d21aa6f58e19d623cecf

SHA256
307feaa1e8e808a32f6aaff4826c85d9208bb38802cc271d3689fe4e01dfa4df

SHA512
c85785dc9b58000458680fbbd7f9ec9a7aa10545af0fb1f05ba2faca53f45b69a9e643f375f7b595c2443666162c7c24f06a260c3ee423c214ab965bb8c93361

Download Submit
C:\Windows\SysWOW64\Ggepalof.exe

Filesize
95KB

MD5
a99faac91189a3b6055f73355d2d01d1

SHA1
73cca4d7be69f52bb7e02e0f1293fac7fa031bce

SHA256
d2282d2e7fd52927747aa1a3873a2dfe10503d158ce618cbb001caf60c2fc256

SHA512
1e234457f538148768675bf50a2d98306570eccb71cc4ed17bf8b484ced438b013127b826959162ea1e33b23470f5bb082256fb6c338aacfd847b40aa1a80e2f

Download Submit
C:\Windows\SysWOW64\Ggjjlk32.exe

Filesize
95KB

MD5
db8565f55940438446a238b35394c9c5

SHA1
bfb79e35998c1ed470cfcd5cb772933d68feb17e

SHA256
0b8e1c97fc89b3a99b90c9d8641eacd0b8072d35bbce36a80a2bd7444e89a8cf

SHA512
df4ac359f5a603150564af3f9aa341ee79decd1c0f942424565d90a12bc8f69400b9db4a47dfbe42efae77eb2e56fe92c2f51047532c597301484cd345e13885

Download Submit
C:\Windows\SysWOW64\Gglfbkin.exe

Filesize
95KB

MD5
107b0803f117faa400a8b47b78f25084

SHA1
335091e55d4feab60c558b6f037abdecdebb7494

SHA256
e081c98cbf5f7b647c0d73dd9f46273587073ba626e9f436a15d261aea5d82a9

SHA512
6a7d88db31febf7474003c156204f3de15f834e4c436dbd78b2bc42f5f1b9391d33b69446b4cada9c8a4bb09ea5914523caf3c8ac5a28c83500ac31fba5f13c3

Download Submit
C:\Windows\SysWOW64\Gkcigjel.exe

Filesize
95KB

MD5
d82ad43a49a392c313ee4f6ca35b358a

SHA1
e3880dbcc38cd7d59bef6ceb34e878eaf8679b9f

SHA256
da96420450d5a6f991f2b56005b37da4d03d61f54a8f9ea529f8164b6f7f50e8

SHA512
5f7567f4f999239e85afdc5403adc97dd539656985153ac93f47b66f323399bcaa5e01db2f07b387cb7f50ee35d12352b6c79064f8e7a47540b81528d4ebfaad

Download Submit
C:\Windows\SysWOW64\Gnaecedp.exe

Filesize
95KB

MD5
bf0eb4f279b5e8c121607af7b0b19ea6

SHA1
35a3f2bad07788ed51ea5789f0a76a6a2a77f3ab

SHA256
3e667202e7073b5e710e78940399b3929a613758b762d6ba10b2ae6c51d324ad

SHA512
853c2ce80efbe783d1bfe632ee46df6b138d8b079877ae2bbf67983bfc14e0245cfe63796b9838bdc4a2ded2cfcbd36455b21cba3ae5f153650f0269c7af5ac1

Download Submit
C:\Windows\SysWOW64\Gqnejaff.exe

Filesize
95KB

MD5
8644514478019134fc550626be34041f

SHA1
4e260d9f0b8d16ad7a1493530b85365c1d1da31a

SHA256
6ebbcdaaeafa59f6b77d06681a45c35034337bc7e77d3e55a0818da36be6b556

SHA512
7fd979d8a8e0a4e4590b34ac266c706457e02cc45592ac2cc79e7d740cea085ee595d27df16305d85c4b9e013b98a4cc03799463199dcb011487876d21139244

Download Submit
C:\Windows\SysWOW64\Haidfpki.exe

Filesize
95KB

MD5
25313dbc74bdc370bc71b11e675d2cf6

SHA1
17d850b035a83fe28bca46a360167aac31b74611

SHA256
071af91d1ec983fa3ee8d41addccbd51882785690d8f7a1f18b7695d9e118a44

SHA512
d79c893fc9821c91f8d820ef9f4805a3052355b2c21c0d378bd760c97116ced1a49bb38bbae3d00037c17e96ce455583ae3de67b12d49b52ff84d43d6ac6345e

Download Submit
C:\Windows\SysWOW64\Hccggl32.exe

Filesize
95KB

MD5
86c7db53ce57990352b3c8ae5dff1d5c

SHA1
f91c11449ab99a3c9f29337abd3d5365eb64a688

SHA256
f43039b526e00313b6b35cf1a6eb41c332f23b0126671f00cc5fc92591832852

SHA512
25d634b65b522c6b936c74589477811efd2783c84482afb965d4c7c48989f2bc823e9a40647d4c5458032aad15d9323443f5847084775975d0a4abc5cdad22c6

Download Submit
C:\Windows\SysWOW64\Hgapmj32.exe

Filesize
95KB

MD5
879a721f712a555d4f857373eebfaafe

SHA1
8bb3dec38d535d23a12b53c44906f349b8649caf

SHA256
5bdeae3ac2718c94c1955c9ffd2a3dbed03468080bab930eaae8f3fafe6a6cbf

SHA512
049a402cca71162f70b9dfed20ccea147eabd3d15e7f5f853f24aa034bbe2267001cc269dd07280d3cc976d9cf58a9fc8c19dd07ddf229e658af0bab325458e0

Download Submit
C:\Windows\SysWOW64\Hgcmbj32.exe

Filesize
95KB

MD5
c10c6c06a2e493ec9ba240f310b89762

SHA1
83a200a6aaa3ee6c2363b1673a9b25949b31b462

SHA256
1bc9f5c1a9853b29070fb8f42e884134d3187e88ed5975c8e32af1f402381699

SHA512
2b9ac31ae402b1ae6d12bdf6dae4378127488343f8b8014232cc339c7766bf7ea6b609f355c1a15a786ee03b5669428651d762dec5ef5831edda266a21f2e443

Download Submit
C:\Windows\SysWOW64\Hjmodffo.exe

Filesize
95KB

MD5
efd3b738501fb3d917d3561fb90294d0

SHA1
dbed40baa4c1cd14f5bf9180f62e1336e425ed8d

SHA256
2e5499ffaca64b5b95141194bf49513d2db9c8196030c965f0b04288b6bd93c8

SHA512
1fecbe53daf222983dc338ae4f071163ac5d609cb6ed2d5c8614c353d77767bbd7545408070a01056cda2ad0e60ea07d456fff4786956271d5bd6a2c99173794

Download Submit
C:\Windows\SysWOW64\Hjmodffo.exe

Filesize
95KB

MD5
67040bfb0ea65fad4f6c4eefd39d8e4b

SHA1
f729238c62896d87989bd99a7ddc9810326c4840

SHA256
3670e5f4c0e902b8ec4487c81f040d214a3d0c5a00d772d02392325dfcedb42b

SHA512
424279ab6d86abb843bf9fb160a91ae35e6995bc82dcd6ea055f35135f48b827599e4caa526e7e90622cfc39f622c06f7862056a12d15dd8d1bdcc43ed4d551c

Download Submit
C:\Windows\SysWOW64\Iagqgn32.exe

Filesize
95KB

MD5
3f73a677a641e82e6a405e1ef50a4506

SHA1
183c2b54841eec0f07c0d0a927c3d4f4aefe491f

SHA256
22e2a1268b64223d56be8cd7cacc6115932f888082c63652e5bed822c3a79549

SHA512
372ddd57739fadfc60c3d1e623b65815b8b5d3cf2ccc196a551dd80785e2d61b6353b3d1ec54a244a3f7461cb55d2ec9aeb2c74fb5066aeede1b2fcb4f7cd0af

Download Submit
C:\Windows\SysWOW64\Ibpgqa32.exe

Filesize
95KB

MD5
3f364017f46c156c9adbb11186ed74d5

SHA1
cb82fbb8624e12bd4bfaa12ddbf909fd867818d5

SHA256
400a065ce0bea4fe46ba408af20473a135c3f7371bffb01f04555ba3daa0490a

SHA512
f2f20ddc4bd836874e1f16e155a9d7ba09d45ebf429a25e328bd92c604c42470e72796a83d883c5b3ba98e77211483b0981fcbf56b4b78c5f256e3f348301944

Download Submit
C:\Windows\SysWOW64\Icachjbb.exe

Filesize
95KB

MD5
4f22aadcc8066cb57a2cd7fc3818a788

SHA1
dccd0bfd8ac3b567a9bd8fc0b6a1936379d09f59

SHA256
4f020301d10f55037b4ca06f892fe4eb29ea86461d187e9842461ac5e7484efa

SHA512
c2189a1ec0b39eea32680180554e8cc45def5edad64145c1fedb56d486b3d0b48e46ec788ac7a13dfb54416d993f1a5ceb410545092765ab3b55c27b9d38dcf4

Download Submit
C:\Windows\SysWOW64\Iccpniqp.exe

Filesize
95KB

MD5
8a6558585d3c3ea1ccf80f79d34e201f

SHA1
4f143c6da4398de506b7137ee027014339bebe6a

SHA256
3eaf3e3075135f709d64486cfcc82c5a1b3d2708810ef7f86d1b271a2fd30e45

SHA512
e17c9adbb4cb7f587b049c77beb27039d722c6da0b14a2f17bd168150f01d7b33b07c141252f4937d34b98162ff8dda44dba148d587545f39f78bf61ecf4b014

Download Submit
C:\Windows\SysWOW64\Ieeimlep.exe

Filesize
95KB

MD5
c93c515a62e468994b215e521b72a6aa

SHA1
62050580f1b97e49f11e3f6d2c59d1f2a9674218

SHA256
ca7514e847d12790aeb0a93cb84de2e6454f56f49c7842567fa829399de99cc0

SHA512
d716f5d39ccd81f50333257d26aa69a0738bbd34031294c07e6f6f0861d9156a656585a384a6a0378a6ebb68db23eaf893450de6410061d73bebb512156d93f9

Download Submit
C:\Windows\SysWOW64\Ieqpbm32.exe

Filesize
95KB

MD5
acd26060f3af2e940d513aae4697db4b

SHA1
c9dba1eb6ee3b0b42d7d905b547ddf934246581f

SHA256
0b3823a9ea8138282e7ee81d2e47f1f946cfb10e2cf1c70908f10730d0cb9a5d

SHA512
236357663845fbd0fc7eedf839cc115b594ab1177f7d3ef0f0159d096a44051f70fd4009087003bcf36ada3b2688420aa727a84f25e795248178722acc1bc7d7

Download Submit
C:\Windows\SysWOW64\Ihaidhgf.exe

Filesize
95KB

MD5
4a05fb897772f8ff68b5737b88fff87f

SHA1
a1c82684661dc5402c9a015e54c1790aed2b8046

SHA256
85e19144669dbd5cfa685da7c4736361aab91e69dc913c4ed9c150666d3b87dd

SHA512
a2b9d6e14fdccc7546b8982e7ec106acc43d80fc770e01da1656bbabd47865e75205894b5cb0e900af65ef95d5a4e3ace98a29101edd61a03b4dd5490bcb0cfd

Download Submit
C:\Windows\SysWOW64\Ijbbfc32.exe

Filesize
95KB

MD5
bc1c4e43199b9a1160a87c8eaf43efe9

SHA1
42a9dcc74402b39ec82363aa3322d11f5aa8b360

SHA256
5807072ad2de0e89528eb53a0c47f7b3d2269201d1af7b7e79c90b8c5a3da80a

SHA512
ac3a038d8cedaffe27651555e3c9d3a7176992fd70bc0af7b992d4e0ffb70a78ce91dade6dd06ab6a53493b2e82b5c63b62b17294140da6feacec47b2a1b57ae

Download Submit
C:\Windows\SysWOW64\Ijpepcfj.exe

Filesize
95KB

MD5
f387dd3aad1a37bf953eab8e9b0910b6

SHA1
6fb6938dac3c63808b3b5257100a30bf6b8714f3

SHA256
2d9afc546d8cce6a22eca28d4fc79ca796dfb7080d3a41560467c4f6d3d12c00

SHA512
9b83e582662680bcd21c22abd7f2809bc9d8d34f51e580aab08df1b4724e91a24eeca98c9af789df153db377fe9b157aceb23a9605b10d0112f7bf87ba2e40b8

Download Submit
C:\Windows\SysWOW64\Ilfodgeg.exe

Filesize
95KB

MD5
c12a8929394f9436ff66e504cebfcb01

SHA1
b7e5b4f760239e36a3700271f1d5006120640e38

SHA256
b14ccf5d4918b95e56a5b52b604c0898e7d6dedb60d9272c362c30d68876c47e

SHA512
81a47f018e1e07cc5e0f701b1a2077f9dc8425bf4d6f6bd2887afe4d9fd1f6d494c298a59c9f236f5337def61b7e652325bf5b176ac4a8922be2491890491b2f

Download Submit
C:\Windows\SysWOW64\Ilhkigcd.exe

Filesize
95KB

MD5
5f10d1100036226b64dfb05507ad13f5

SHA1
2575f60889e217678b2e9b3110f3e2ecf453d7db

SHA256
1b327825ca455790abc2bd42d81c429b601fc2b47c89170e78e5608e79fda47a

SHA512
76ceae5d78e470dba1a4333124330848c332ebbc962132919ceb2c4fc13ba2ef556037f98eb8e26d4260837eda3c5a16976bf923979bbbda5746adef882fc130

Download Submit
C:\Windows\SysWOW64\Jblflp32.exe

Filesize
95KB

MD5
df0af98e2ef89985a335dd3341a815c9

SHA1
1e0c8ed70b039c150d9d7be605f0932de493fd4c

SHA256
8b5ab7687c75c4ac31ea6d311a1a8d8b2ea6e1640055ab5dac4160de7bd1112e

SHA512
132bc3c06896986e8513a81a1d47814383cd9261e9814bf51a875179515e80519ab7d92614d95f5fdb3d0c9144ac999f533c764c0c21bbce60c7aa3e66d7d547

Download Submit
C:\Windows\SysWOW64\Jbppgona.exe

Filesize
95KB

MD5
03a72d7e4fd875a3cc6f5eae3bfc0715

SHA1
b0db2220d74e888b344c923ca86bfaa5230a16fd

SHA256
dece6706d4fbf7de4cfb2aceb3bdccbcafd85884c89d0b0d9f07efadbdfeb3fb

SHA512
ad6faf749cb5b7585d9466b6e0637ac4c00dfa571595fe2531836f6d3f3ce43e71d2955714b3da10ed088d4f056f8a84325a077954d55078f9bbb09f0ab2bfe5

Download Submit
C:\Windows\SysWOW64\Jhfbog32.exe

Filesize
95KB

MD5
ef0d52cc5bf2bdede00a4d4a1eafebdc

SHA1
5dd130386e7ff7e31e8b965d724af1aa59404f78

SHA256
4897a5b29f6984fc2b48a2b4c2f64143259afec5da8853adace61d80f59a84ca

SHA512
e2e2f8080bed44836dda28a076ec952c7824f35fe5b1053758d112b9f7c045bb735aca4c6d6c658ba0dfb9c4c0447a29dae7fb8ea44f6b045fa97544d639accf

Download Submit
C:\Windows\SysWOW64\Jnbgaa32.exe

Filesize
95KB

MD5
61057ead4f82b066387f8a198c9e3eb1

SHA1
f1c0675d50b7dafff349486523641001266e1935

SHA256
d310c6a13eb494c043cdb803ee15f586370687d96c377ea10b37c5ef58ab3c00

SHA512
8c4ad7028adb373c21bd2920da7d87bd3c06cece8f35e0d0b5b01fbe37dfb2f6cbeac9589b1bc0ae6d1936675ce70bc4e53815c3ad025faa90a1fb930a75221c

Download Submit
C:\Windows\SysWOW64\Khdoqefq.exe

Filesize
95KB

MD5
5fd6e046f6f97e46461eb44200d22333

SHA1
42f326d3a134a71033f5fcb8c6a642aa591edff8

SHA256
0e3e604fa7503b37447539cee8ee11854c88800ba936a55ad903f605a39cc5e6

SHA512
a5562b0c6c3aefbc5a78289c7ce74aef3c325f5c09072c137fe32ffd8390308f0d1360161e0889913637a7532d3b2910fe7cadfaca8c636c57423b2268cb67ea

Download Submit
C:\Windows\SysWOW64\Ldkhlcnb.exe

Filesize
95KB

MD5
e84d0cc6f4c20d3833254e1199f6f91b

SHA1
3854e565021f1b9d313ebcae33a86d6dcc544bcc

SHA256
3d5b770806ac617d2d77c5797a56fa448a91b3cac4d57062332ec5816b9a92ab

SHA512
53cfb344442dc0f11a8d8acb6531128364ed8ba5bc0eb489a27517c07c036978f4236038c1cb66798a02d42ea68b16b7bbe57ad1bd8a0ef7c9c37a943ee1ba5e

Download Submit
C:\Windows\SysWOW64\Lklnconj.exe

Filesize
95KB

MD5
1d1a9d8857c6a9f9dc8543f378b82719

SHA1
e3da9ab2bcc68ee3c061421e5d9b1e94204f180a

SHA256
0adffa476955d2713bb1d2c59072bb99ea9b5ed3b8d8cb9dfa2f3bb3d021e1a3

SHA512
1ead3998ca34ce94817a6903fa79ecf4fd5fe16fc8bbda4d3fcf16cebc842b58258a109adb7d5196e55409a3982f2c5d3601d76a5e7d10a2f2710ac3e35a5117

Download Submit
C:\Windows\SysWOW64\Mdpagc32.exe

Filesize
95KB

MD5
92c23b10e71c989eb6678c552b7b06e4

SHA1
542a24852e0cd5bb93fc321bb3deb64fd22c006c

SHA256
c0671de6b08abd7695e40c79dc62f2ed01ca86fcc14ebdd7646f18828db126c7

SHA512
1cb621c58a428e35d0261600a212aa7226cb17657bf0a42b80f3efdb041be8ae7462e65a3781d7cb8b3250d5d9da1eaa91c3177cc26f387f47bc20bd7f66b5b7

Download Submit
C:\Windows\SysWOW64\Mhnjna32.exe

Filesize
95KB

MD5
2ddb8b29d53784f6f28310cad361c460

SHA1
4f32fae1140289b96c34f746ca3806054bfb6189

SHA256
cdceca963c4515d14c6d9d41cf423c82e6f6584280fa48143bf6a793e5248d1d

SHA512
33f5fa086c7e286c0e6adce491381f6026939c5929f99f910b6d672597c7ae91db59b2a487cc0dd25ebce3b832992877cd9060edf44fd4084d8cf5badc6dae7a

Download Submit
C:\Windows\SysWOW64\Nbdkhe32.exe

Filesize
95KB

MD5
20ba7ccc1c28fba3f23882b65b99ed75

SHA1
5a8fa291814811fb24059cd9f78877300bdebc91

SHA256
fa536c8ba1f9764a81dabae81bb4316bfaf7f56cf946fb4680d99a12dfe6180a

SHA512
41db9a5898dabfc2ef056daefaa4b0a18645d99c0c551c9ee29d233cafbe80362dcdeedb76a51d28952a023e1043e419be8bb9b2818fc52876acf63a776e89fe

Download Submit
C:\Windows\SysWOW64\Nfknmd32.exe

Filesize
95KB

MD5
257bc6b10f9a76771ce3f084315c83f4

SHA1
8b128b814179fa2b290a96677c0523f221b58846

SHA256
77323ccd317c98c63ed2370eccb6192ab755c97eeb37c893ff19e6725e80fef4

SHA512
001125923be5422fe88a64d0b466e63630bff01321f24e27d539feb94423d68a6350f538c7b7f3272eb0ccac8211db7f3cda942573d7da77b544fb57797e0bad

Download Submit
C:\Windows\SysWOW64\Nkapelka.exe

Filesize
95KB

MD5
dfd664baa31c2789480ce514b8d688bc

SHA1
82e069d47fd8a11ba14189d0280b44eeec8bad2c

SHA256
6443b57fc68be1b1703a77d1b993a28905bf19d3f3b04f46bbd14f70dbfa14ce

SHA512
1bbb05cc57ca70ec9e80d486a7bf4fdca45d63dbfef50d4fc344293bdb9bba7f253e7305bce6c74d959ca5c7c6b32bbd7e6de767354efa1c2e8622e0147724f4

Download Submit
C:\Windows\SysWOW64\Nocbfjmc.exe

Filesize
95KB

MD5
7839dc4028943e6165b0dd4b392211ba

SHA1
784192adaede7c23aecfe7b2809dc43402eb0ed7

SHA256
2e9e4c5c0e5e9048fba3c40ee6911416eb1f7d3b66fb90a10749f722db5fabf4

SHA512
e7f3c8c41c17612536c4f4eebaef49ee071f352b40e2dda1cf295b0a2517cb869d89521f31d3f517b3f4f381996354cbd39a9b75f02bc0f0b8adf05feeb86848

Download Submit
C:\Windows\SysWOW64\Nooikj32.exe

Filesize
64KB

MD5
493a2fa5c92951235932c5e66509e9d2

SHA1
d4d1a8c0cd7fc6465c53c3a36c9f8c1d4e6f329f

SHA256
0f2642ad387b6e298f2c10143027843dd2c1e315089bead6d328014ebb38557b

SHA512
558c60c1c71aa5b7ccff74e46fb8f1f33a4dedcf1a5c4982a5a6401aecb1f2364f9821800c39d2f5c2e7bfbe9612c071da025e1be4e2f486c61c9476aafe7f1c

Download Submit
C:\Windows\SysWOW64\Pdqcenmg.exe

Filesize
95KB

MD5
670c949c1a7f0d34fc9ce5e96f600a15

SHA1
0e262d8bf84a4d2068a4b38882310e7b0ab2db5e

SHA256
7240bcadb5cd06353e8d0ce19dd0f081b16f18de849ae0da526c6f78c4477c82

SHA512
b4a207d108c79b8cf35c9e0401930ffc45a4a7d88d87eee1ca26bddf688f56159ae2ee0f32b2421a0a81e3b91d16dfcc81cf4635a40883c251f6518bca287d39

Download Submit
C:\Windows\SysWOW64\Piaiqlak.exe

Filesize
95KB

MD5
4b68cf602aeeff1bf67d99b0f7313cb7

SHA1
d596d85f2331bbebea32f24fe6649e45621e9175

SHA256
6d62274cb61d602f70d317dfae51487d4ff07a3a50eacf1affbade7e1e427225

SHA512
ce1460560704315ed90a6d302e796f63542cc3c451f30cf660cbec0c4702d4c1e13564e9fa63e6e90c710b2ba4bffce91af247af24b2d5f9a74b0289c77c2147

Download Submit
C:\Windows\SysWOW64\Qihoak32.exe

Filesize
95KB

MD5
32756d3529090326bb97b323b08dfb52

SHA1
511326b715d68e9b936515ecf441742ce3b19312

SHA256
9034c4db398b8bcd6c414a955b67302f31d7a62df3a696040cb368354ec52d9a

SHA512
d74c3204bd9a2ea42cbbc361c14c557b3c5578439e9ba6c4b452a5f8ff5922290dea8a0bf18b34e9ffde1ab206aa220280e4c9ee523d66cb2ed614adb004ee22

Download Submit
C:\Windows\SysWOW64\Qkdohg32.exe

Filesize
95KB

MD5
cf52e374b0964de9e699cc8977109871

SHA1
28d0a219c585643a9caea11fd85a97c3be2c3d44

SHA256
e49ddf7ebc06acec35b0fd8b5c02cd7f628bb83d3c9f17cfe2305c21b66d1e21

SHA512
d1b5ea24fd10396d71ab30a153df13448f4b10c4b7c4afba87eddd1ca410480034ba6324f405263888fa87381ffd51c22865c806c18deba6d79da2efe22f8ce3

Download Submit
memory/396-394-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/596-364-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/624-87-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/760-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/812-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1000-466-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1068-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1136-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1172-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1296-508-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1328-544-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1328-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1348-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1348-572-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1388-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1396-565-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1396-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1444-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1460-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1672-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1712-172-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1740-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1744-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1820-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1868-448-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1968-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2072-430-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2216-579-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2216-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2264-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2364-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2380-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2392-454-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2408-532-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2424-220-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2944-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2984-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3052-472-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3080-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3248-484-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3360-388-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3472-442-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3504-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3640-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3660-183-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3676-460-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3740-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3744-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3748-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3840-478-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3912-502-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3952-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3984-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3988-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4172-514-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4192-538-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4216-558-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4216-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4220-197-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4228-520-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4264-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4272-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4288-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4312-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4316-496-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4348-256-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4360-593-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4360-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4400-559-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4428-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4460-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4528-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4544-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4556-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4560-490-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4716-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4752-240-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4756-526-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4764-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4816-556-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4896-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4952-200-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4972-436-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5016-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5016-555-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5048-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5052-176-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5104-545-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5108-111-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5112-47-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5112-586-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5176-566-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5220-573-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5264-580-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5312-587-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5356-594-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads