60d763244a754acb00cf2dc9b9e7b604efafac871340cefe763d19ac9ae4126c

Analysis

max time kernel
15s
max time network
20s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60d763244a754acb00cf2dc9b9e7b604efafac871340cefe763d19ac9ae4126c.exe
Size

320KB
MD5

c898b9fc432a9b62910e9218e250b389
SHA1

9c2d37f9ded2b8cc22f11ca10404d76cb3f00616
SHA256

60d763244a754acb00cf2dc9b9e7b604efafac871340cefe763d19ac9ae4126c
SHA512

92ce16029639ef0c6a52b8cb4e2b9b36cc7b139d4864ed2fb1cf3639f588d78bbdc723873e0d1ebe6fd43874b1cdb9dd2706a07377bd670ca2728856b0418122
SSDEEP

6144:aIPTqfw6/eKxSlKKZ74ueKxff0qjwszeX9z6/ojw7:aIPRlr54ujjgjk

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Hkfgnldd.exeIabcbg32.exeOiglfm32.exeDfbdje32.exeFangfcki.exeGphmbolk.exeLojeda32.exePjfdpckc.exeQoopie32.exeDeimaa32.exe60d763244a754acb00cf2dc9b9e7b604efafac871340cefe763d19ac9ae4126c.exeKplfmfmf.exeObopobhe.exeEmnelbdi.exeFeppqc32.exeKghkppbp.exeCjbpoeoj.exeKpiihgoh.exeLgjcdc32.exeOedclm32.exeGgmldj32.exeMdkcgk32.exeCgfqii32.exeFhlogo32.exeHkdkhl32.exeJhgnbehe.exeAlqplmlb.exeFdjfmolo.exeNqbdllld.exeBdehgnqc.exeCincaq32.exeEjmljg32.exeDkaihkih.exeApgcbmha.exeGhcbga32.exeHmojfcdk.exeMqgahh32.exeBlcmbmip.exeIjjgkmqh.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkfgnldd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabcbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oiglfm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfbdje32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fangfcki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gphmbolk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lojeda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjfdpckc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qoopie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deimaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	60d763244a754acb00cf2dc9b9e7b604efafac871340cefe763d19ac9ae4126c.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplfmfmf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obopobhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emnelbdi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feppqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kghkppbp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpoeoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emnelbdi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpiihgoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgjcdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oedclm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fangfcki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggmldj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgjcdc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkcgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiglfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfqii32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhlogo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkdkhl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhgnbehe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lojeda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alqplmlb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdjfmolo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqbdllld.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggmldj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kplfmfmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdehgnqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhlogo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdjfmolo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cincaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cincaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejmljg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gphmbolk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkdkhl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdehgnqc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkaihkih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkaihkih.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	60d763244a754acb00cf2dc9b9e7b604efafac871340cefe763d19ac9ae4126c.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqbdllld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qoopie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apgcbmha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alqplmlb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghcbga32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmojfcdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkfgnldd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iabcbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqgahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blcmbmip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfqii32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejmljg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqgahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmojfcdk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijjgkmqh.exe

Executes dropped EXE 40 IoCs

Processes:

Iabcbg32.exeIjjgkmqh.exeJhgnbehe.exeKpiihgoh.exeKplfmfmf.exeKghkppbp.exeLojeda32.exeLgjcdc32.exeMqgahh32.exeMdkcgk32.exeNqbdllld.exeOiglfm32.exeObopobhe.exeOedclm32.exePjfdpckc.exeQoopie32.exeAoamoefh.exeApgcbmha.exeAlqplmlb.exeBlcmbmip.exeBdehgnqc.exeCjbpoeoj.exeCgfqii32.exeCincaq32.exeDfbdje32.exeDkaihkih.exeDeimaa32.exeEjmljg32.exeEmnelbdi.exeFhlogo32.exeFeppqc32.exeFdjfmolo.exeFangfcki.exeGgmldj32.exeGphmbolk.exeGhcbga32.exeHkdkhl32.exeHkfgnldd.exeHmojfcdk.exeIqmcmaja.exe

pid	process
2892	Iabcbg32.exe
2820	Ijjgkmqh.exe
2836	Jhgnbehe.exe
2148	Kpiihgoh.exe
2732	Kplfmfmf.exe
2592	Kghkppbp.exe
1676	Lojeda32.exe
2108	Lgjcdc32.exe
2956	Mqgahh32.exe
3068	Mdkcgk32.exe
1984	Nqbdllld.exe
2900	Oiglfm32.exe
1744	Obopobhe.exe
2236	Oedclm32.exe
368	Pjfdpckc.exe
2216	Qoopie32.exe
1076	Aoamoefh.exe
696	Apgcbmha.exe
640	Alqplmlb.exe
2436	Blcmbmip.exe
2000	Bdehgnqc.exe
1656	Cjbpoeoj.exe
2544	Cgfqii32.exe
2324	Cincaq32.exe
2276	Dfbdje32.exe
1576	Dkaihkih.exe
2860	Deimaa32.exe
2408	Ejmljg32.exe
2456	Emnelbdi.exe
2740	Fhlogo32.exe
2876	Feppqc32.exe
1660	Fdjfmolo.exe
2508	Fangfcki.exe
1484	Ggmldj32.exe
3040	Gphmbolk.exe
2300	Ghcbga32.exe
3028	Hkdkhl32.exe
1996	Hkfgnldd.exe
2348	Hmojfcdk.exe
1728	Iqmcmaja.exe

Loads dropped DLL 64 IoCs

Processes:

60d763244a754acb00cf2dc9b9e7b604efafac871340cefe763d19ac9ae4126c.exeIabcbg32.exeIjjgkmqh.exeJhgnbehe.exeKpiihgoh.exeKplfmfmf.exeKghkppbp.exeLojeda32.exeLgjcdc32.exeMqgahh32.exeMdkcgk32.exeNqbdllld.exeOiglfm32.exeObopobhe.exeOedclm32.exePjfdpckc.exeQoopie32.exeAoamoefh.exeApgcbmha.exeAlqplmlb.exeBlcmbmip.exeBdehgnqc.exeCjbpoeoj.exeCgfqii32.exeCincaq32.exeDfbdje32.exeDkaihkih.exeDeimaa32.exeEjmljg32.exeEmnelbdi.exeFhlogo32.exeFeppqc32.exe

pid	process
392	60d763244a754acb00cf2dc9b9e7b604efafac871340cefe763d19ac9ae4126c.exe
392	60d763244a754acb00cf2dc9b9e7b604efafac871340cefe763d19ac9ae4126c.exe
2892	Iabcbg32.exe
2892	Iabcbg32.exe
2820	Ijjgkmqh.exe
2820	Ijjgkmqh.exe
2836	Jhgnbehe.exe
2836	Jhgnbehe.exe
2148	Kpiihgoh.exe
2148	Kpiihgoh.exe
2732	Kplfmfmf.exe
2732	Kplfmfmf.exe
2592	Kghkppbp.exe
2592	Kghkppbp.exe
1676	Lojeda32.exe
1676	Lojeda32.exe
2108	Lgjcdc32.exe
2108	Lgjcdc32.exe
2956	Mqgahh32.exe
2956	Mqgahh32.exe
3068	Mdkcgk32.exe
3068	Mdkcgk32.exe
1984	Nqbdllld.exe
1984	Nqbdllld.exe
2900	Oiglfm32.exe
2900	Oiglfm32.exe
1744	Obopobhe.exe
1744	Obopobhe.exe
2236	Oedclm32.exe
2236	Oedclm32.exe
368	Pjfdpckc.exe
368	Pjfdpckc.exe
2216	Qoopie32.exe
2216	Qoopie32.exe
1076	Aoamoefh.exe
1076	Aoamoefh.exe
696	Apgcbmha.exe
696	Apgcbmha.exe
640	Alqplmlb.exe
640	Alqplmlb.exe
2436	Blcmbmip.exe
2436	Blcmbmip.exe
2000	Bdehgnqc.exe
2000	Bdehgnqc.exe
1656	Cjbpoeoj.exe
1656	Cjbpoeoj.exe
2544	Cgfqii32.exe
2544	Cgfqii32.exe
2324	Cincaq32.exe
2324	Cincaq32.exe
2276	Dfbdje32.exe
2276	Dfbdje32.exe
1576	Dkaihkih.exe
1576	Dkaihkih.exe
2860	Deimaa32.exe
2860	Deimaa32.exe
2408	Ejmljg32.exe
2408	Ejmljg32.exe
2456	Emnelbdi.exe
2456	Emnelbdi.exe
2740	Fhlogo32.exe
2740	Fhlogo32.exe
2876	Feppqc32.exe
2876	Feppqc32.exe

Drops file in System32 directory 64 IoCs

Processes:

Kpiihgoh.exeKplfmfmf.exeGphmbolk.exeFhlogo32.exeGhcbga32.exeIjjgkmqh.exeJhgnbehe.exeLgjcdc32.exeEmnelbdi.exeBlcmbmip.exeHkdkhl32.exeHkfgnldd.exeFangfcki.exeHmojfcdk.exeQoopie32.exeDfbdje32.exeDkaihkih.exeDeimaa32.exeOedclm32.exePjfdpckc.exeApgcbmha.exeKghkppbp.exeMdkcgk32.exeOiglfm32.exeFeppqc32.exeFdjfmolo.exeIabcbg32.exeGgmldj32.exe60d763244a754acb00cf2dc9b9e7b604efafac871340cefe763d19ac9ae4126c.exeBdehgnqc.exeNqbdllld.exeCgfqii32.exeEjmljg32.exeAlqplmlb.exeMqgahh32.exeCjbpoeoj.exeLojeda32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Oonopkmp.dll	Kpiihgoh.exe
File opened for modification	C:\Windows\SysWOW64\Kghkppbp.exe	Kplfmfmf.exe
File created	C:\Windows\SysWOW64\Bbojchdc.dll	Gphmbolk.exe
File created	C:\Windows\SysWOW64\Feppqc32.exe	Fhlogo32.exe
File created	C:\Windows\SysWOW64\Hhcheobh.dll	Ghcbga32.exe
File created	C:\Windows\SysWOW64\Jljkakol.dll	Ijjgkmqh.exe
File created	C:\Windows\SysWOW64\Kpiihgoh.exe	Jhgnbehe.exe
File created	C:\Windows\SysWOW64\Dncodq32.dll	Lgjcdc32.exe
File created	C:\Windows\SysWOW64\Fhlogo32.exe	Emnelbdi.exe
File opened for modification	C:\Windows\SysWOW64\Bdehgnqc.exe	Blcmbmip.exe
File created	C:\Windows\SysWOW64\Hkfgnldd.exe	Hkdkhl32.exe
File opened for modification	C:\Windows\SysWOW64\Hmojfcdk.exe	Hkfgnldd.exe
File created	C:\Windows\SysWOW64\Ggmldj32.exe	Fangfcki.exe
File created	C:\Windows\SysWOW64\Eocmqiih.dll	Fangfcki.exe
File created	C:\Windows\SysWOW64\Maonll32.dll	Hmojfcdk.exe
File created	C:\Windows\SysWOW64\Aoamoefh.exe	Qoopie32.exe
File created	C:\Windows\SysWOW64\Dkaihkih.exe	Dfbdje32.exe
File created	C:\Windows\SysWOW64\Deimaa32.exe	Dkaihkih.exe
File opened for modification	C:\Windows\SysWOW64\Ejmljg32.exe	Deimaa32.exe
File opened for modification	C:\Windows\SysWOW64\Pjfdpckc.exe	Oedclm32.exe
File created	C:\Windows\SysWOW64\Qoopie32.exe	Pjfdpckc.exe
File created	C:\Windows\SysWOW64\Alqplmlb.exe	Apgcbmha.exe
File created	C:\Windows\SysWOW64\Bdehgnqc.exe	Blcmbmip.exe
File created	C:\Windows\SysWOW64\Lojeda32.exe	Kghkppbp.exe
File created	C:\Windows\SysWOW64\Nqbdllld.exe	Mdkcgk32.exe
File opened for modification	C:\Windows\SysWOW64\Nqbdllld.exe	Mdkcgk32.exe
File opened for modification	C:\Windows\SysWOW64\Obopobhe.exe	Oiglfm32.exe
File created	C:\Windows\SysWOW64\Clangg32.dll	Feppqc32.exe
File opened for modification	C:\Windows\SysWOW64\Fangfcki.exe	Fdjfmolo.exe
File opened for modification	C:\Windows\SysWOW64\Ggmldj32.exe	Fangfcki.exe
File created	C:\Windows\SysWOW64\Ijjgkmqh.exe	Iabcbg32.exe
File created	C:\Windows\SysWOW64\Nhkddaih.dll	Iabcbg32.exe
File opened for modification	C:\Windows\SysWOW64\Aoamoefh.exe	Qoopie32.exe
File created	C:\Windows\SysWOW64\Ihckdmko.dll	Ggmldj32.exe
File created	C:\Windows\SysWOW64\Iabcbg32.exe	60d763244a754acb00cf2dc9b9e7b604efafac871340cefe763d19ac9ae4126c.exe
File created	C:\Windows\SysWOW64\Cjbpoeoj.exe	Bdehgnqc.exe
File created	C:\Windows\SysWOW64\Hmojfcdk.exe	Hkfgnldd.exe
File opened for modification	C:\Windows\SysWOW64\Oiglfm32.exe	Nqbdllld.exe
File opened for modification	C:\Windows\SysWOW64\Feppqc32.exe	Fhlogo32.exe
File created	C:\Windows\SysWOW64\Papojn32.dll	Fdjfmolo.exe
File created	C:\Windows\SysWOW64\Ghcbga32.exe	Gphmbolk.exe
File created	C:\Windows\SysWOW64\Jabeia32.dll	Mdkcgk32.exe
File created	C:\Windows\SysWOW64\Ejfagnkj.dll	Cgfqii32.exe
File created	C:\Windows\SysWOW64\Pgpdjb32.dll	Dfbdje32.exe
File opened for modification	C:\Windows\SysWOW64\Deimaa32.exe	Dkaihkih.exe
File created	C:\Windows\SysWOW64\Qooplh32.dll	Kplfmfmf.exe
File created	C:\Windows\SysWOW64\Pdbabndd.dll	Kghkppbp.exe
File created	C:\Windows\SysWOW64\Fdjfmolo.exe	Feppqc32.exe
File created	C:\Windows\SysWOW64\Gphmbolk.exe	Ggmldj32.exe
File created	C:\Windows\SysWOW64\Odefpfcd.dll	Apgcbmha.exe
File created	C:\Windows\SysWOW64\Emnelbdi.exe	Ejmljg32.exe
File created	C:\Windows\SysWOW64\Iqmcmaja.exe	Hmojfcdk.exe
File created	C:\Windows\SysWOW64\Blcmbmip.exe	Alqplmlb.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpoeoj.exe	Bdehgnqc.exe
File created	C:\Windows\SysWOW64\Labphb32.dll	Deimaa32.exe
File opened for modification	C:\Windows\SysWOW64\Fhlogo32.exe	Emnelbdi.exe
File created	C:\Windows\SysWOW64\Fangfcki.exe	Fdjfmolo.exe
File opened for modification	C:\Windows\SysWOW64\Lojeda32.exe	Kghkppbp.exe
File created	C:\Windows\SysWOW64\Jbkicgjf.dll	Mqgahh32.exe
File created	C:\Windows\SysWOW64\Obopobhe.exe	Oiglfm32.exe
File opened for modification	C:\Windows\SysWOW64\Cgfqii32.exe	Cjbpoeoj.exe
File opened for modification	C:\Windows\SysWOW64\Hkfgnldd.exe	Hkdkhl32.exe
File opened for modification	C:\Windows\SysWOW64\Lgjcdc32.exe	Lojeda32.exe
File opened for modification	C:\Windows\SysWOW64\Alqplmlb.exe	Apgcbmha.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

592 1728 WerFault.exe Iqmcmaja.exe

pid	pid_target	process	target process
592	1728	WerFault.exe	Iqmcmaja.exe

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Mqgahh32.exeNqbdllld.exeCgfqii32.exe60d763244a754acb00cf2dc9b9e7b604efafac871340cefe763d19ac9ae4126c.exeKpiihgoh.exePjfdpckc.exeDeimaa32.exeIqmcmaja.exeKplfmfmf.exeCjbpoeoj.exeDkaihkih.exeGphmbolk.exeHkfgnldd.exeLojeda32.exeLgjcdc32.exeApgcbmha.exeAlqplmlb.exeBdehgnqc.exeOiglfm32.exeAoamoefh.exeBlcmbmip.exeFhlogo32.exeGhcbga32.exeHkdkhl32.exeMdkcgk32.exeEjmljg32.exeFeppqc32.exeGgmldj32.exeHmojfcdk.exeObopobhe.exeDfbdje32.exeCincaq32.exeEmnelbdi.exeIabcbg32.exeIjjgkmqh.exeJhgnbehe.exeKghkppbp.exeOedclm32.exeQoopie32.exeFdjfmolo.exeFangfcki.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqgahh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqbdllld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfqii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	60d763244a754acb00cf2dc9b9e7b604efafac871340cefe763d19ac9ae4126c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpiihgoh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjfdpckc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deimaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iqmcmaja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplfmfmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpoeoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkaihkih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gphmbolk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkfgnldd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lojeda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgjcdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgcbmha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alqplmlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdehgnqc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiglfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoamoefh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blcmbmip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fhlogo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghcbga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkdkhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdkcgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejmljg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Feppqc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggmldj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmojfcdk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obopobhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfbdje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cincaq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emnelbdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iabcbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijjgkmqh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhgnbehe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kghkppbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oedclm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qoopie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdjfmolo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fangfcki.exe

Modifies registry class 64 IoCs

Processes:

Gphmbolk.exeMdkcgk32.exeOiglfm32.exeFeppqc32.exeDfbdje32.exeHkdkhl32.exeMqgahh32.exeOedclm32.exeQoopie32.exeIjjgkmqh.exeLojeda32.exeIabcbg32.exeBdehgnqc.exeGgmldj32.exeObopobhe.exeDeimaa32.exeNqbdllld.exeFhlogo32.exeLgjcdc32.exe60d763244a754acb00cf2dc9b9e7b604efafac871340cefe763d19ac9ae4126c.exeBlcmbmip.exeFangfcki.exeGhcbga32.exeCgfqii32.exeEjmljg32.exeHmojfcdk.exeKghkppbp.exeAoamoefh.exeAlqplmlb.exeKplfmfmf.exeJhgnbehe.exeHkfgnldd.exeCincaq32.exeKpiihgoh.exeCjbpoeoj.exeDkaihkih.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbojchdc.dll"	Gphmbolk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gphmbolk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jabeia32.dll"	Mdkcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlcckc32.dll"	Oiglfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Feppqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgpdjb32.dll"	Dfbdje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkdkhl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mqgahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfighccb.dll"	Oedclm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qoopie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijjgkmqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cekfdc32.dll"	Lojeda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iabcbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oiglfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dncilhik.dll"	Bdehgnqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mqgahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihckdmko.dll"	Ggmldj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgnmblgo.dll"	Obopobhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deimaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Labphb32.dll"	Deimaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqbdllld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deimaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbkicgjf.dll"	Mqgahh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fhlogo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgjcdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eighpgge.dll"	Nqbdllld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	60d763244a754acb00cf2dc9b9e7b604efafac871340cefe763d19ac9ae4126c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blcmbmip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eocmqiih.dll"	Fangfcki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghcbga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dienco32.dll"	Qoopie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfqii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejmljg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fangfcki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maonll32.dll"	Hmojfcdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdbabndd.dll"	Kghkppbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqbdllld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oedclm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoamoefh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alqplmlb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gphmbolk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhcheobh.dll"	Ghcbga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	60d763244a754acb00cf2dc9b9e7b604efafac871340cefe763d19ac9ae4126c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jljkakol.dll"	Ijjgkmqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qooplh32.dll"	Kplfmfmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdehgnqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfagnkj.dll"	Cgfqii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkdkhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhgnbehe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obopobhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbldcifi.dll"	Hkfgnldd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgjcdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdehgnqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akfalc32.dll"	Cincaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqgaenpf.dll"	Hkdkhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oonopkmp.dll"	Kpiihgoh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kplfmfmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obopobhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmmpiog.dll"	Alqplmlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blcmbmip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcdmpg32.dll"	Cjbpoeoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkaihkih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofcnjo32.dll"	Dkaihkih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iabcbg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 392 wrote to memory of 2892	392	60d763244a754acb00cf2dc9b9e7b604efafac871340cefe763d19ac9ae4126c.exe	Iabcbg32.exe
PID 392 wrote to memory of 2892	392	60d763244a754acb00cf2dc9b9e7b604efafac871340cefe763d19ac9ae4126c.exe	Iabcbg32.exe
PID 392 wrote to memory of 2892	392	60d763244a754acb00cf2dc9b9e7b604efafac871340cefe763d19ac9ae4126c.exe	Iabcbg32.exe
PID 392 wrote to memory of 2892	392	60d763244a754acb00cf2dc9b9e7b604efafac871340cefe763d19ac9ae4126c.exe	Iabcbg32.exe
PID 2892 wrote to memory of 2820	2892	Iabcbg32.exe	Ijjgkmqh.exe
PID 2892 wrote to memory of 2820	2892	Iabcbg32.exe	Ijjgkmqh.exe
PID 2892 wrote to memory of 2820	2892	Iabcbg32.exe	Ijjgkmqh.exe
PID 2892 wrote to memory of 2820	2892	Iabcbg32.exe	Ijjgkmqh.exe
PID 2820 wrote to memory of 2836	2820	Ijjgkmqh.exe	Jhgnbehe.exe
PID 2820 wrote to memory of 2836	2820	Ijjgkmqh.exe	Jhgnbehe.exe
PID 2820 wrote to memory of 2836	2820	Ijjgkmqh.exe	Jhgnbehe.exe
PID 2820 wrote to memory of 2836	2820	Ijjgkmqh.exe	Jhgnbehe.exe
PID 2836 wrote to memory of 2148	2836	Jhgnbehe.exe	Kpiihgoh.exe
PID 2836 wrote to memory of 2148	2836	Jhgnbehe.exe	Kpiihgoh.exe
PID 2836 wrote to memory of 2148	2836	Jhgnbehe.exe	Kpiihgoh.exe
PID 2836 wrote to memory of 2148	2836	Jhgnbehe.exe	Kpiihgoh.exe
PID 2148 wrote to memory of 2732	2148	Kpiihgoh.exe	Kplfmfmf.exe
PID 2148 wrote to memory of 2732	2148	Kpiihgoh.exe	Kplfmfmf.exe
PID 2148 wrote to memory of 2732	2148	Kpiihgoh.exe	Kplfmfmf.exe
PID 2148 wrote to memory of 2732	2148	Kpiihgoh.exe	Kplfmfmf.exe
PID 2732 wrote to memory of 2592	2732	Kplfmfmf.exe	Kghkppbp.exe
PID 2732 wrote to memory of 2592	2732	Kplfmfmf.exe	Kghkppbp.exe
PID 2732 wrote to memory of 2592	2732	Kplfmfmf.exe	Kghkppbp.exe
PID 2732 wrote to memory of 2592	2732	Kplfmfmf.exe	Kghkppbp.exe
PID 2592 wrote to memory of 1676	2592	Kghkppbp.exe	Lojeda32.exe
PID 2592 wrote to memory of 1676	2592	Kghkppbp.exe	Lojeda32.exe
PID 2592 wrote to memory of 1676	2592	Kghkppbp.exe	Lojeda32.exe
PID 2592 wrote to memory of 1676	2592	Kghkppbp.exe	Lojeda32.exe
PID 1676 wrote to memory of 2108	1676	Lojeda32.exe	Lgjcdc32.exe
PID 1676 wrote to memory of 2108	1676	Lojeda32.exe	Lgjcdc32.exe
PID 1676 wrote to memory of 2108	1676	Lojeda32.exe	Lgjcdc32.exe
PID 1676 wrote to memory of 2108	1676	Lojeda32.exe	Lgjcdc32.exe
PID 2108 wrote to memory of 2956	2108	Lgjcdc32.exe	Mqgahh32.exe
PID 2108 wrote to memory of 2956	2108	Lgjcdc32.exe	Mqgahh32.exe
PID 2108 wrote to memory of 2956	2108	Lgjcdc32.exe	Mqgahh32.exe
PID 2108 wrote to memory of 2956	2108	Lgjcdc32.exe	Mqgahh32.exe
PID 2956 wrote to memory of 3068	2956	Mqgahh32.exe	Mdkcgk32.exe
PID 2956 wrote to memory of 3068	2956	Mqgahh32.exe	Mdkcgk32.exe
PID 2956 wrote to memory of 3068	2956	Mqgahh32.exe	Mdkcgk32.exe
PID 2956 wrote to memory of 3068	2956	Mqgahh32.exe	Mdkcgk32.exe
PID 3068 wrote to memory of 1984	3068	Mdkcgk32.exe	Nqbdllld.exe
PID 3068 wrote to memory of 1984	3068	Mdkcgk32.exe	Nqbdllld.exe
PID 3068 wrote to memory of 1984	3068	Mdkcgk32.exe	Nqbdllld.exe
PID 3068 wrote to memory of 1984	3068	Mdkcgk32.exe	Nqbdllld.exe
PID 1984 wrote to memory of 2900	1984	Nqbdllld.exe	Oiglfm32.exe
PID 1984 wrote to memory of 2900	1984	Nqbdllld.exe	Oiglfm32.exe
PID 1984 wrote to memory of 2900	1984	Nqbdllld.exe	Oiglfm32.exe
PID 1984 wrote to memory of 2900	1984	Nqbdllld.exe	Oiglfm32.exe
PID 2900 wrote to memory of 1744	2900	Oiglfm32.exe	Obopobhe.exe
PID 2900 wrote to memory of 1744	2900	Oiglfm32.exe	Obopobhe.exe
PID 2900 wrote to memory of 1744	2900	Oiglfm32.exe	Obopobhe.exe
PID 2900 wrote to memory of 1744	2900	Oiglfm32.exe	Obopobhe.exe
PID 1744 wrote to memory of 2236	1744	Obopobhe.exe	Oedclm32.exe
PID 1744 wrote to memory of 2236	1744	Obopobhe.exe	Oedclm32.exe
PID 1744 wrote to memory of 2236	1744	Obopobhe.exe	Oedclm32.exe
PID 1744 wrote to memory of 2236	1744	Obopobhe.exe	Oedclm32.exe
PID 2236 wrote to memory of 368	2236	Oedclm32.exe	Pjfdpckc.exe
PID 2236 wrote to memory of 368	2236	Oedclm32.exe	Pjfdpckc.exe
PID 2236 wrote to memory of 368	2236	Oedclm32.exe	Pjfdpckc.exe
PID 2236 wrote to memory of 368	2236	Oedclm32.exe	Pjfdpckc.exe
PID 368 wrote to memory of 2216	368	Pjfdpckc.exe	Qoopie32.exe
PID 368 wrote to memory of 2216	368	Pjfdpckc.exe	Qoopie32.exe
PID 368 wrote to memory of 2216	368	Pjfdpckc.exe	Qoopie32.exe
PID 368 wrote to memory of 2216	368	Pjfdpckc.exe	Qoopie32.exe

C:\Users\Admin\AppData\Local\Temp\60d763244a754acb00cf2dc9b9e7b604efafac871340cefe763d19ac9ae4126c.exe
"C:\Users\Admin\AppData\Local\Temp\60d763244a754acb00cf2dc9b9e7b604efafac871340cefe763d19ac9ae4126c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:392
- C:\Windows\SysWOW64\Iabcbg32.exe
  C:\Windows\system32\Iabcbg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\Ijjgkmqh.exe
    C:\Windows\system32\Ijjgkmqh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\Jhgnbehe.exe
      C:\Windows\system32\Jhgnbehe.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\SysWOW64\Kpiihgoh.exe
        
        C:\Windows\system32\Kpiihgoh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
      - C:\Windows\SysWOW64\Kplfmfmf.exe
        
        C:\Windows\system32\Kplfmfmf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Kghkppbp.exe
        
        C:\Windows\system32\Kghkppbp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Lojeda32.exe
        
        C:\Windows\system32\Lojeda32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Lgjcdc32.exe
        
        C:\Windows\system32\Lgjcdc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Mqgahh32.exe
        
        C:\Windows\system32\Mqgahh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Mdkcgk32.exe
        
        C:\Windows\system32\Mdkcgk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Nqbdllld.exe
        
        C:\Windows\system32\Nqbdllld.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Oiglfm32.exe
        
        C:\Windows\system32\Oiglfm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Obopobhe.exe
        
        C:\Windows\system32\Obopobhe.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Oedclm32.exe
        
        C:\Windows\system32\Oedclm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Pjfdpckc.exe
        
        C:\Windows\system32\Pjfdpckc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\SysWOW64\Qoopie32.exe
        
        C:\Windows\system32\Qoopie32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Aoamoefh.exe
        
        C:\Windows\system32\Aoamoefh.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Apgcbmha.exe
        
        C:\Windows\system32\Apgcbmha.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:696
        
        C:\Windows\SysWOW64\Alqplmlb.exe
        
        C:\Windows\system32\Alqplmlb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Blcmbmip.exe
        
        C:\Windows\system32\Blcmbmip.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Bdehgnqc.exe
        
        C:\Windows\system32\Bdehgnqc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Cjbpoeoj.exe
        
        C:\Windows\system32\Cjbpoeoj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Cgfqii32.exe
        
        C:\Windows\system32\Cgfqii32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Cincaq32.exe
        
        C:\Windows\system32\Cincaq32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Dfbdje32.exe
        
        C:\Windows\system32\Dfbdje32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Dkaihkih.exe
        
        C:\Windows\system32\Dkaihkih.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Deimaa32.exe
        
        C:\Windows\system32\Deimaa32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Ejmljg32.exe
        
        C:\Windows\system32\Ejmljg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Emnelbdi.exe
        
        C:\Windows\system32\Emnelbdi.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\Fhlogo32.exe
        
        C:\Windows\system32\Fhlogo32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Feppqc32.exe
        
        C:\Windows\system32\Feppqc32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Fdjfmolo.exe
        
        C:\Windows\system32\Fdjfmolo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Windows\SysWOW64\Fangfcki.exe
        
        C:\Windows\system32\Fangfcki.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Ggmldj32.exe
        
        C:\Windows\system32\Ggmldj32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Gphmbolk.exe
        
        C:\Windows\system32\Gphmbolk.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Ghcbga32.exe
        
        C:\Windows\system32\Ghcbga32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Hkdkhl32.exe
        
        C:\Windows\system32\Hkdkhl32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Hkfgnldd.exe
        
        C:\Windows\system32\Hkfgnldd.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Hmojfcdk.exe
        
        C:\Windows\system32\Hmojfcdk.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Iqmcmaja.exe
        
        C:\Windows\system32\Iqmcmaja.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 140
        42⤵
        Program crash
        
        PID:592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Alqplmlb.exe

Filesize
320KB

MD5
a65d0728fb566eb21cc7d92cdb69b30f

SHA1
eb130c8efd4c3be266b6259b71dc769947328819

SHA256
4783c9e31c278ed280ada8fadb5e13abf16e5154de03d4d61908d8c62345ea11

SHA512
ee05d37b28234145d6118d77e047d9ff43326f8f3f364ca4575d41958329ba10bcd6d9c3d4fc8f872422983f1181df840e56a5430f06d35a89395dcb4f1b9386

Download Submit
C:\Windows\SysWOW64\Aoamoefh.exe

Filesize
320KB

MD5
f020af1247be85cb78d2e4a591e0c126

SHA1
6d08dea08da46f333b9b854f197d17366e7497a6

SHA256
f23fbd5e6624a1c91905fad2ae77cdf1682d5e8713b04a87cdd8064899af20e4

SHA512
cfec17a2b260b90249450a591fbd8161eb7cfec2ea3f5eda9a1f45a718263da491cc35fea81dc0c5c22fe434411a1972d0a5635ffdbd006f4a821627172b136f

Download Submit
C:\Windows\SysWOW64\Apgcbmha.exe

Filesize
320KB

MD5
321ff4404c4c73e8798f17796b0204cd

SHA1
d2a3634f8b0c8a99f6b188d6916e25697248a7b7

SHA256
34de3906a44eac13fc78c0473a1b62ccad7765608ba8568bfa0dfc47255a2827

SHA512
bbf45996295cae872294a1e0af7a71000ee47447db7033d886ffee6f56757e3c90faf5243b1406f14fd24062bf7ac8be78ed84db15f8478ef3cf15cf70a108d4

Download Submit
C:\Windows\SysWOW64\Bdehgnqc.exe

Filesize
320KB

MD5
6b9d9bfb03d028419d212a471eb1ae34

SHA1
af51e98b04f33897e8fb4cb12510e8dabf78047b

SHA256
04cea23e0b6558be5eced10e2182502f745546645635e720263368089b873021

SHA512
44a118cc57041424ee5d108e6eb32f231331df6c4cab8a696eec8535d0523d484dffe935bc374f013521071781611c86bf71baa7c69ef474d07e7d8289362910

Download Submit
C:\Windows\SysWOW64\Blcmbmip.exe

Filesize
320KB

MD5
f2badd4bfe4540e93adcbf90a9d02cb5

SHA1
73dce3b2db2dd3242b311b4d447f715f26952104

SHA256
f205775262f96bb4e4184a414f4753a858b081bd34187245b6a92e7e5bac3cc7

SHA512
74b757c963d6f421aadbc6efcff457789d2dd635e407c13da2ce582ce0b53843f5ab5b5240f00c476693217d065eefefb56227cb257310186890b205c9421ee4

Download Submit
C:\Windows\SysWOW64\Cgfqii32.exe

Filesize
320KB

MD5
8644a5c80acd170b0dba5dcd1ca1c03c

SHA1
1ea8d0f4f3159ecfabd560e9aa5458501a02963e

SHA256
33f7f52d2cf263d35362ff732f2e7ef0fb71ba8d07e6478d975576a476a06b3a

SHA512
c901f05a589f3d226329a47f086e6d9b3044de97ce328a002a32bde789903575ec68500d2e8da736d3d4ab46a65bd73456931b05db11f60c93843597f4521385

Download Submit
C:\Windows\SysWOW64\Cincaq32.exe

Filesize
320KB

MD5
ef5df5aa62cdb60716bd3c79105b5453

SHA1
d2c869248032e76c561acf2c766cd1ab8edab46c

SHA256
9ee2c705364d7eaa40872c4ad96c2f1e93cd9682ff7e670c1db71e556cb57643

SHA512
ee929409ccf73b18cad37d2eb498068c7dcef706b6a250425c808fd3fd3cd735c3dac2e6cc3dea84d2b3a8da48fce122ae36548bc84f132f7f35a251de0f22a8

Download Submit
C:\Windows\SysWOW64\Cjbpoeoj.exe

Filesize
320KB

MD5
0f473009895d8614e281b6ad576124fe

SHA1
56a474e62779fb32d3b1e530f9ffb59a325e6e2b

SHA256
c3a2d33e4535d6ebe6099faac38e535346d28ec9ab821267208fd3762835e922

SHA512
c12b829068371cc771e73a16736cd52ceb3ab93529d690c750e2646d71f04f9a1a5eeaca66e756cecc7a6d6e8e584778dd507a3f5fd5f0f180a960fc7d0ed37a

Download Submit
C:\Windows\SysWOW64\Deimaa32.exe

Filesize
320KB

MD5
919fa68f03e923e039d3a391225d1169

SHA1
031dc16bfb3e110cf2cc80ee66fc2bb3590134f8

SHA256
d67c8766c926acf78f049f3657b227a563a16c90dceb6996606726745c8d9f76

SHA512
c6a79269d4a5144af0bdf113bec1044451bb623f9e788af9b791734f89cbe3e0b9dd653ef67649c62d8489d14e3200d1e7c8d9ae9cba555823543cd96dcdab46

Download Submit
C:\Windows\SysWOW64\Dfbdje32.exe

Filesize
320KB

MD5
c447252a3f57f51cab4bdde62c66ed7d

SHA1
4a889db9ec08fa060d69d41b6208b1ba4a8f9af9

SHA256
10792a516bb995d158dd5a356adc7300ac38a25e1965338649d849bc4577155d

SHA512
b86d2c04bec546f16997fe71a6510ad34bd0a781268e322149ae83aec7f25e157f97caab0a5476b904fde9e1924034d997cbb20ff3045175c21ad32edd76709f

Download Submit
C:\Windows\SysWOW64\Dkaihkih.exe

Filesize
320KB

MD5
d50b71d65eb30a67770e3c488c71a57a

SHA1
f1afd7eb12620951953eab4f9c3e603d99cce875

SHA256
38482e3f7a915b0bd4517b5e7091c9d2aaa0e53993176e7a39e31dc4429fcb6e

SHA512
948f4bc58b4a397d88f5a367c5a7088bd4ac116a61cc149316dcdb036aad2dcdda78c262117ddc5c8cfba992b131b0b2fae8c2e8cf5bf4a2e19ec668b41e9ba5

Download Submit
C:\Windows\SysWOW64\Ejmljg32.exe

Filesize
320KB

MD5
0d153b8c52657849c8cf5adce7028d3b

SHA1
208a5dae6cb39b0c22f639446526ab458d35a6b3

SHA256
c50cd6ae092461a4a5554b1fa8c91010cbfa1529568ca4ffd08e1bd37e046b10

SHA512
c797fb30b53c333146d2412243f454d2eac25bef81b5a63465dc4b055c3c9d3fccab0cb088800bc2863039262247934a1de95c7b71413c353c86a5bdef296ffe

Download Submit
C:\Windows\SysWOW64\Emnelbdi.exe

Filesize
320KB

MD5
66638455e3046e58a1bd714749e93dab

SHA1
627175d92b5ec2d8acf262c31d74c0f355d4bb05

SHA256
943447b2edc16582b61dcd8eb8a30e89f370c4a4e898957bb3bbefd58f9d2915

SHA512
09d514c51db644bd6b44d6b2425d28a21f37f3bf369c0b358823050052df450c68703a4d17a4996914e5b2448ae5810964d526611026689d9fdb7f59b3e87c0c

Download Submit
C:\Windows\SysWOW64\Fangfcki.exe

Filesize
320KB

MD5
bcdef77a94cc569465903e295f834318

SHA1
cb2a9d1056760357f1e4146b0bd751950225ba2a

SHA256
b13a75df8f1da2c33442e1c3645c9d6f10a5e7f461ab5310fdc03a5e80bdf9bc

SHA512
8a89737e78668e6dcf5c8f061411090661d058f0fe0308330f7c6684904b3fbf2458231ac9694a96f40b54a7528b45cda8f74de81ec5de616f4088377a82019c

Download Submit
C:\Windows\SysWOW64\Fdjfmolo.exe

Filesize
320KB

MD5
6da53ead6192713fc8ac5dad3829476a

SHA1
d3c4e2670e438375f53d516b6c61d35123a3e059

SHA256
e5720be43953699ec6279a4358798081f2dc8421ed9f4c1a28c617cd6bb7322f

SHA512
a1c884cee291cd6069ff243624e8014c7b75f394da50aadaf0b1c325fc376b3b6287b0212c0d7101b40085c4da918bed197024182199d257eada96e5401612be

Download Submit
C:\Windows\SysWOW64\Feppqc32.exe

Filesize
320KB

MD5
d7c6425fa8e680fdd6edf60b293073f0

SHA1
879507320707968ec3771e63c23d4ddb917baea5

SHA256
d774b17f286607e9206553281c0802ad030de9eb72fd0714f8cf843ad07e02ff

SHA512
f20a458e0e32665b9681dc33b9e5007575660babd676aa094b80f88475c0121fe9b44848b1504d477cb69620fd1252442fc469d86dafc6c438d91920f475a0ee

Download Submit
C:\Windows\SysWOW64\Fhlogo32.exe

Filesize
320KB

MD5
8512804b1beec0a699129928000bb02c

SHA1
29846cfc00ab6f501c5884549ec2d52301a1f164

SHA256
5771dff074c42dc4b7a867f967fdaad61fed0576ced233e379fa4d1fcb1488df

SHA512
1d615b79df8e68a2dddea80e3d39bf9ade97cbd0a75de3f8d85476331b3a0261197d40ad3ce6544a2a386cabf5c6065c8917639cfa1c6c52d94f55481ca6fa29

Download Submit
C:\Windows\SysWOW64\Ggmldj32.exe

Filesize
320KB

MD5
eedc27c3be56d44d3e37b3958309e6cf

SHA1
ae1e78fa9f745d5479927d5c7f2f0f25c05aab10

SHA256
fa1a3bfb5482aaa56b4823219eeadd40b1c8adca112ef116ee0dfeacf2d24c95

SHA512
084476f59773955b0e3afe4bd0232161fde9a55197db37ff5ebbc362bd1bc0b7392422cfa2a0b78ae99e5214b773ac814a32cc5de8fbeeb074a79fba47e4e049

Download Submit
C:\Windows\SysWOW64\Ghcbga32.exe

Filesize
320KB

MD5
468e87262d1ef7b79885d5bc60cc1f2e

SHA1
9b5ee911213f457748a66ccf8baa2514c090ebd9

SHA256
dfb5f3d657daadaf34c2c4e82a13be9ddf68c03ce0a5546dd5f715763c33a4f9

SHA512
23858006f6ee2c707c75ab58d333b85ab904700dfe30058dcdd6a75120637d442d9b4d592a6acd52e03bd0210f398f6f47aeb70134f6c76c40034e110bca6013

Download Submit
C:\Windows\SysWOW64\Gphmbolk.exe

Filesize
320KB

MD5
6b2635933e110bb185184169d5a2d0fd

SHA1
7649fa26a7ef14793ec369c917931fcb6081d286

SHA256
4b23832aefd043b2a263c35bd1a38483f76a344f655e163d232e8e5377c851eb

SHA512
1fd422f109c8e33b8d0f77a5da524fe5ce5c5764efe432a7e1ceaec5369e2b83ea712c5e7387b7855ced9b4becbfc800d63a0797d198193da59a6f2703802d9e

Download Submit
C:\Windows\SysWOW64\Hkdkhl32.exe

Filesize
320KB

MD5
25c252f0a45dc00108a12da02f72a42a

SHA1
6e02035c40cfead69497652557f6836034efb81e

SHA256
d479ee11295594e41556bbcb77bfbc7fbfda331f0c463df58fabffacc7352828

SHA512
7c9e839a62bcaa638a758c9881c8d6e196603ca23bb0aee3afbb7aa1d73c3b71e12a8f29493a7fb1c0eaca0018dfbb6a53ddfb245fbb3fe78ec9bdd3afe4681d

Download Submit
C:\Windows\SysWOW64\Hkfgnldd.exe

Filesize
320KB

MD5
90d005c9cd89055659eb8755cc355e0e

SHA1
7683dd6de1c3be1212ecf114d0be819b48f3b986

SHA256
0e151830d0236a69cf752051d909f45096f9ac9a5b19c1f3cdabd3d1c0f5bdc2

SHA512
ad705ceaec65460c5801c8fed903ada31316bc33bb5ec47a9ff7f95c4198906ffdd95f45e89a75bd11c26c85062929678b0754c5d096d74ef02a4b50996fd12e

Download Submit
C:\Windows\SysWOW64\Hmojfcdk.exe

Filesize
320KB

MD5
4d5de4902abda1e7809afebcdd175e31

SHA1
99e1f6942211cd191c1512a4492b1b7e2f01611a

SHA256
c82157fa9074c96dabe082b873ec8863e27ab60d8a5549f98479654a07d71501

SHA512
624407559d179c233f5bafa725467bb06d9a4c69abd383d979b99dca8174158112b2fa7cfbfc0bfd0ff36a1130ec4e42ba38366f6a58acbcc30007f05767e708

Download Submit
C:\Windows\SysWOW64\Iabcbg32.exe

Filesize
320KB

MD5
5aff978b38b0b80344878153596e17cf

SHA1
4a24e978f46dcc73a6c80c1896e4a5a14bf9b307

SHA256
2e253d00cd2f5e789af25ce739ea3c584038666ce1aedfb5ef9f2654cb97f2e9

SHA512
c5bb64f8d158e6f66a759547c15d27208edb09ade0970ebb6bfa58d61c1c101928baad96074148730f13b29916e9fca01e4fcb7c0a490ad2fb5c98c35c1e9ce8

Download Submit
C:\Windows\SysWOW64\Ijjgkmqh.exe

Filesize
320KB

MD5
5fdf891d2134c1461b413fb5629de1dc

SHA1
64e7e4e50e916dfe0267d4f8d3f8750a97e7ff10

SHA256
f7fe4e0197341b00cb2badc02ccc49f05c46a4bf08ab200f3b3e024f5b396cf1

SHA512
f8ccb4cc8200f0803e12e4e64a5eece977571d31dadd9033ba4531885932f8b468719d2941365b087dc906f36313afad3261bc4f0a2161de757432801218b3b8

Download Submit
C:\Windows\SysWOW64\Iqmcmaja.exe

Filesize
320KB

MD5
6048c573ff4741a1defa84fb9822f267

SHA1
30ac83cedc41f2e65e82a43621dcbfa144a4b643

SHA256
731ff34fd110308c80e4ca5deb1a3edae796718dc848464de63040c9416315a5

SHA512
bb0cfa059a0d46faaa5d0aa20062e82750e00e1e1928e911c2752aa79ccb3edfbb842d1d6deb0d4d24f35061fdd896b98077c720b397a4890291a07bf6db1849

Download Submit
C:\Windows\SysWOW64\Kplfmfmf.exe

Filesize
320KB

MD5
d0b5c7ee8b0bf90f8b2ad6a526a4364d

SHA1
79d997bfde2274ba3e90a3988c957659f6c5ea86

SHA256
a03688879ed5685844a0d510c112581cbef9b7db31cceb47116ce4c1966ff06d

SHA512
2ce5c8ec5a5b65b4532e51f521c87b4603a949841893ae6b811f2cbb2311273945facffb3a99facfc30fbcd1affcc5ed7a3370b4468f7e1f01c0ebf55fc69a86

Download Submit
C:\Windows\SysWOW64\Mdkcgk32.exe

Filesize
320KB

MD5
b1a22bd292fb1735b12c23b17ae175e0

SHA1
74a49083d2e6f222b089798b531b4adc432faa77

SHA256
92ef08c0ff243150c9d3852a38bf6f4186341b0517580bf7942835827159b6bb

SHA512
90e6182e91a9ab5d997312e13b6a06a32e7dfa6ae954a0b2b9142de424b21ef3497d136ff2af829275c5622c3cefe22807170063cef8ba2d584003264ec1b74a

Download Submit
C:\Windows\SysWOW64\Nqbdllld.exe

Filesize
320KB

MD5
b98fc504709623b2ca79ae4fba48fa65

SHA1
ab632f3747b6ad6d6aaa0191c659cff6cc5b58f5

SHA256
60850b87b9a247b1c44c6588367865161aa618cb03a5d37f016a39d45af3f233

SHA512
fd09be42007a6ffaa8cf821ee6a1b65ac4a9c4758fea2ab3ffdd5a7e2a7c70dba8eb968426569421665498b8ec6ab731fe5969ccadbbca22ee2950ee1a952bca

Download Submit
C:\Windows\SysWOW64\Obopobhe.exe

Filesize
320KB

MD5
c8905b4b57b29c98e35b1366d0b38a3b

SHA1
8a2723904a0d66c3ef0cba698bec0a91660b0544

SHA256
abb1b81b751ba273cb912a9602c59b43f2fc98b325eca17132e9475438f88500

SHA512
a7892bfc76a0124a4e1e216509b79fb01d440c05bc458c282fa4b9c3c293a354060cca910d01f89f2b1c88a53539b1c1341eb0cf893c12a92a1c0bffaf4e4899

Download Submit
C:\Windows\SysWOW64\Oiglfm32.exe

Filesize
320KB

MD5
95f4468129d61f8fcc8ee5a484bccfc0

SHA1
fc0c905ad98e43ed289ed4e5126065d7eea0204b

SHA256
f7464ea021ab29d8e16e7f510938bb6d72790bbe10916df4ecf7c5f0eecf1d7a

SHA512
784759404c72b563d3ee06ad55392a391985b03d2db317d45ccdfcb637381990cb20ea51e4bb95bcbd34ca5bbbcea5a4670aba2e72e28caea945806fe309a1ab

Download Submit
C:\Windows\SysWOW64\Qoopie32.exe

Filesize
320KB

MD5
ad678d7b665d240cd45c8508895cc3a1

SHA1
7a2108d8eee5f026eec4b1a3c14d9f2e43456f42

SHA256
858f2c4bdfa92041241d1ef8fde71c4d7a2ec9fddb6a690afa25bdd960b9339e

SHA512
a14014a765717064c19574c5e4bc6c4d7a39e7928079541b1fa94496e666da1d0bc5e108e6c78ec3414c0ecb7b7d67fbe5d2bc4f0b62cde349bca46f65b9c1b2

Download Submit
\Windows\SysWOW64\Jhgnbehe.exe

Filesize
320KB

MD5
dd4890fa73af9fc11907ba96a46c2dc4

SHA1
dae983f4ab8080397e45af174c585b91d0134dd2

SHA256
eb155a82f47ec494f56283933354d7be3e626f8c38b8b27e274cfa16e2fd6a08

SHA512
128f4a13394e2f38b9d080651740e8eca198d150fd8c2bc153889857fd45503b0721307ade6f3fea3735225e7dedaceebb025eddab478d771768f0cdfdb80b31

Download Submit
\Windows\SysWOW64\Kghkppbp.exe

Filesize
320KB

MD5
ee1561455ad3c9a7f2f778ad5081ba9e

SHA1
fac66cc724d7e0fffaea3d0a63412dbac45da000

SHA256
f95e168919b506e9cdf7cc95f034e1f4faa04600dcc8ae71ce343faa83ce908c

SHA512
62081237b3e0fdad6038ba6189c33b67515510f0c62029d975e6243d6faa7ea0b1978e658cfe2d40caa55d0502864269531efcc4444a17a7f2a2dc75e87fb2d9

Download Submit
\Windows\SysWOW64\Kpiihgoh.exe

Filesize
320KB

MD5
80ee804fb9a76c31706c377814e93c7d

SHA1
c0ff7b6cbcbd5f2537293d34cb19eaa2a7cd368d

SHA256
1b478762874d56cacb5734f12b1bc7467eeb946dc0a909b5cf8395f093b83d73

SHA512
079ec61f523d4dbbe50cff0c7b92dd62272a94ce31d3840f0f2bc875b27b81fa7c4585d55583ad8e9cd12d5f9d5299cf6f5edf79e528f1c9f3857d97fd14b2da

Download Submit
\Windows\SysWOW64\Lgjcdc32.exe

Filesize
320KB

MD5
6167ba55829af9c257dde301bab7b05d

SHA1
40bfeba04a9f1afdb4f5d00897eb9a3a1dbff256

SHA256
1d0749d67329069ef3318f19a2f2a5995fa4a307ad499d1bc39cb654c01a548d

SHA512
073258aa4cf6232aa9af9673dc0b9f62635033d885604da3abeba6d51e5e4dd62f2b6ec6d4e9ec5de058d5439217c840d7656523347a39aaf7f42ceac4dd9d82

Download Submit
\Windows\SysWOW64\Lojeda32.exe

Filesize
320KB

MD5
ba3ce856e2d4b521c809d7bcc16813da

SHA1
c5b814c48eb40bbba9734456c87443cfe1c14b36

SHA256
de5eb6d32ec9e4ba3965bf22e3ba54371e24f8b7b50e3a51618ca2e061f7b01d

SHA512
c9f27ce005b0224b9e457f179499213c71dac2cf14574cb457cd0dd1caffae648ff35589af3422dbe410d5a2f447aa7f3e90d9fc0b818380e9bef7a9e04b5164

Download Submit
\Windows\SysWOW64\Mqgahh32.exe

Filesize
320KB

MD5
ec4ba4e5cc2d2502b5a24d6ec18cba26

SHA1
bae8788aeeb2eb0ac4c32eb34175dea6bcd7286e

SHA256
a837b9c891fe90a283e317bede52b7de7a588e6cdb475b97f9fef74242090444

SHA512
dc310c82afddb2a27d337b2f5a5f01c5f5a203afa5991bd42fb6ad0e1eed5c4baf7e294bacbd2859b1729503fc668bdb14e5efdc477ae718899248dd50d9e53b

Download Submit
\Windows\SysWOW64\Oedclm32.exe

Filesize
320KB

MD5
78d3310148820d68ed782e9a8a984855

SHA1
4727def0163c3925c10e70c3f0cf7ac3f5f58bcc

SHA256
0f50d03e7f2a8fe25a547fe6d30aec4d6f5b412a1c32b2c7e16cd713baf325bb

SHA512
bbfdba32e2cd8f84aa0920648c847820fac6f6cab7d4f3164969468241206e2750a6b9866fccda2c42bcf09695f08eadba6f641829d4123769371a0010e8e400

Download Submit
\Windows\SysWOW64\Pjfdpckc.exe

Filesize
320KB

MD5
9de69b77299d2b95886e353d530f329a

SHA1
89413f8b9c986d51bc9b18b3051c0c4fc2ed8c52

SHA256
411927e2667b745543efe3fb4708edc75ee06d21905ff7bc6b2dea99170763f1

SHA512
f0cb5caa88994f038abb917f095bd90315130da9d479bfa82212bf6cb9d80bc777236bb2be4f5e68f48046d88d373976f0118d232dafe5aca81a3eaa7afbc380

Download Submit
memory/368-208-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/368-220-0x0000000001BA0000-0x0000000001C15000-memory.dmp

Filesize
468KB

Download
memory/368-222-0x0000000001BA0000-0x0000000001C15000-memory.dmp

Filesize
468KB

Download
memory/392-17-0x0000000000300000-0x0000000000375000-memory.dmp

Filesize
468KB

Download
memory/392-457-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/392-0-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/392-18-0x0000000000300000-0x0000000000375000-memory.dmp

Filesize
468KB

Download
memory/640-259-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/640-266-0x0000000001BA0000-0x0000000001C15000-memory.dmp

Filesize
468KB

Download
memory/640-262-0x0000000001BA0000-0x0000000001C15000-memory.dmp

Filesize
468KB

Download
memory/696-254-0x00000000002D0000-0x0000000000345000-memory.dmp

Filesize
468KB

Download
memory/696-255-0x00000000002D0000-0x0000000000345000-memory.dmp

Filesize
468KB

Download
memory/1076-248-0x0000000000230000-0x00000000002A5000-memory.dmp

Filesize
468KB

Download
memory/1076-238-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1076-249-0x0000000000230000-0x00000000002A5000-memory.dmp

Filesize
468KB

Download
memory/1484-440-0x00000000004F0000-0x0000000000565000-memory.dmp

Filesize
468KB

Download
memory/1484-423-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1484-497-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1484-443-0x00000000004F0000-0x0000000000565000-memory.dmp

Filesize
468KB

Download
memory/1576-335-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1576-337-0x0000000000310000-0x0000000000385000-memory.dmp

Filesize
468KB

Download
memory/1576-345-0x0000000000310000-0x0000000000385000-memory.dmp

Filesize
468KB

Download
memory/1656-297-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/1656-296-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/1660-411-0x00000000002A0000-0x0000000000315000-memory.dmp

Filesize
468KB

Download
memory/1660-406-0x00000000002A0000-0x0000000000315000-memory.dmp

Filesize
468KB

Download
memory/1660-401-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1676-95-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1744-178-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1744-187-0x00000000002B0000-0x0000000000325000-memory.dmp

Filesize
468KB

Download
memory/1744-562-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1744-197-0x00000000002B0000-0x0000000000325000-memory.dmp

Filesize
468KB

Download
memory/1984-149-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1984-162-0x0000000000320000-0x0000000000395000-memory.dmp

Filesize
468KB

Download
memory/1984-176-0x0000000000320000-0x0000000000395000-memory.dmp

Filesize
468KB

Download
memory/1984-546-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1996-469-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2000-290-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/2000-291-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/2108-108-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2108-551-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2148-68-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/2148-54-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2148-555-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2216-232-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2216-239-0x00000000002D0000-0x0000000000345000-memory.dmp

Filesize
468KB

Download
memory/2216-233-0x00000000002D0000-0x0000000000345000-memory.dmp

Filesize
468KB

Download
memory/2236-206-0x0000000000330000-0x00000000003A5000-memory.dmp

Filesize
468KB

Download
memory/2236-201-0x0000000000330000-0x00000000003A5000-memory.dmp

Filesize
468KB

Download
memory/2276-333-0x00000000004F0000-0x0000000000565000-memory.dmp

Filesize
468KB

Download
memory/2276-334-0x00000000004F0000-0x0000000000565000-memory.dmp

Filesize
468KB

Download
memory/2276-319-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2300-450-0x00000000002A0000-0x0000000000315000-memory.dmp

Filesize
468KB

Download
memory/2300-449-0x00000000002A0000-0x0000000000315000-memory.dmp

Filesize
468KB

Download
memory/2300-444-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2324-317-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2324-318-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/2324-324-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/2348-470-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2348-481-0x00000000006F0000-0x0000000000765000-memory.dmp

Filesize
468KB

Download
memory/2408-362-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/2408-357-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2408-363-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/2436-276-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/2436-277-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/2436-267-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2456-364-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2456-373-0x00000000002C0000-0x0000000000335000-memory.dmp

Filesize
468KB

Download
memory/2456-374-0x00000000002C0000-0x0000000000335000-memory.dmp

Filesize
468KB

Download
memory/2508-412-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2508-418-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/2508-417-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/2544-298-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2544-307-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/2544-308-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/2592-94-0x00000000002D0000-0x0000000000345000-memory.dmp

Filesize
468KB

Download
memory/2732-75-0x0000000001C30000-0x0000000001CA5000-memory.dmp

Filesize
468KB

Download
memory/2732-80-0x0000000001C30000-0x0000000001CA5000-memory.dmp

Filesize
468KB

Download
memory/2732-554-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2740-384-0x00000000002D0000-0x0000000000345000-memory.dmp

Filesize
468KB

Download
memory/2740-386-0x00000000002D0000-0x0000000000345000-memory.dmp

Filesize
468KB

Download
memory/2740-383-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2820-559-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2836-52-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2836-40-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2860-355-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/2860-346-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2860-356-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/2876-385-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2876-395-0x00000000002B0000-0x0000000000325000-memory.dmp

Filesize
468KB

Download
memory/2876-396-0x00000000002B0000-0x0000000000325000-memory.dmp

Filesize
468KB

Download
memory/2892-19-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2892-32-0x0000000001C70000-0x0000000001CE5000-memory.dmp

Filesize
468KB

Download
memory/2900-183-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/2900-163-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2900-177-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/2956-121-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3028-451-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3040-441-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3040-442-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/3068-148-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/3068-147-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/3068-139-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download