e5da68bb9a820be0162b0d80568c8a3644f95021ce8d96f4c5d5425f4a124c1d

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5da68bb9a820be0162b0d80568c8a3644f95021ce8d96f4c5d5425f4a124c1d.exe
Size

128KB
MD5

da4d7fc108ff1a776052fe37876dc318
SHA1

10f2d01ca106bb7dd81726681a6a9a42c28f1fcc
SHA256

e5da68bb9a820be0162b0d80568c8a3644f95021ce8d96f4c5d5425f4a124c1d
SHA512

17185cf9bf1e412306a569f4dbf951d289d40db97f5c8ff542271ed426c865b0f7eb11cdc8574647c9ee1b21b3defb137e2c9593f6674e2a6952970f18952415
SSDEEP

1536:J8kPA9jsWCNz2zQSui62tHMnVT38YkGrR2EznYiGzBn2rq15bLSwiHr/:J8V9P7uItqx8arsEznYfzB9BSwW

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifjodl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifefimom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcpclbfa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifgbnlmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifgbnlmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jimekgff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mplhql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kiidgeki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	e5da68bb9a820be0162b0d80568c8a3644f95021ce8d96f4c5d5425f4a124c1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcdmga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkfoeega.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hofdacke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkdbpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbjlfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfaedkdp.exe

Executes dropped EXE 64 IoCs

pid	Process
4848	Hkdbpe32.exe
4936	Hckjacjg.exe
2776	Helfik32.exe
1192	Hkfoeega.exe
3696	Hcmgfbhd.exe
2760	Heocnk32.exe
64	Hkikkeeo.exe
3452	Hcpclbfa.exe
4228	Heapdjlp.exe
1804	Hmhhehlb.exe
5076	Hofdacke.exe
448	Hecmijim.exe
972	Hioiji32.exe
1592	Hcdmga32.exe
400	Hbgmcnhf.exe
4544	Iefioj32.exe
2712	Ikpaldog.exe
928	Icgjmapi.exe
4112	Ifefimom.exe
3160	Imoneg32.exe
1588	Icifbang.exe
4292	Ifgbnlmj.exe
1596	Ildkgc32.exe
3780	Ickchq32.exe
3964	Ifjodl32.exe
4192	Imdgqfbd.exe
920	Iikhfg32.exe
2236	Ilidbbgl.exe
3952	Icplcpgo.exe
3760	Jimekgff.exe
2984	Jlkagbej.exe
4364	Jfaedkdp.exe
1452	Jmknaell.exe
3440	Jlnnmb32.exe
2244	Jbhfjljd.exe
4720	Jianff32.exe
3020	Jplfcpin.exe
3764	Jbjcolha.exe
4892	Jmpgldhg.exe
3516	Jcioiood.exe
1336	Jeklag32.exe
1204	Jmbdbd32.exe
412	Jcllonma.exe
1808	Kfjhkjle.exe
756	Kiidgeki.exe
1720	Klgqcqkl.exe
1644	Kfmepi32.exe
2740	Kmfmmcbo.exe
3888	Kbceejpf.exe
1568	Kebbafoj.exe
4876	Kmijbcpl.exe
728	Kdcbom32.exe
1340	Kfankifm.exe
2864	Kmkfhc32.exe
3876	Kbhoqj32.exe
4276	Kefkme32.exe
4240	Kplpjn32.exe
4772	Lbjlfi32.exe
2012	Leihbeib.exe
4552	Lmppcbjd.exe
3260	Lpnlpnih.exe
4520	Lfhdlh32.exe
1988	Llemdo32.exe
3756	Ldleel32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ikpaldog.exe	Iefioj32.exe
File created	C:\Windows\SysWOW64\Laapnj32.dll	Ickchq32.exe
File opened for modification	C:\Windows\SysWOW64\Jbhfjljd.exe	Jlnnmb32.exe
File opened for modification	C:\Windows\SysWOW64\Kdcbom32.exe	Kmijbcpl.exe
File opened for modification	C:\Windows\SysWOW64\Lljfpnjg.exe	Likjcbkc.exe
File created	C:\Windows\SysWOW64\Mmlpoqpg.exe	Medgncoe.exe
File created	C:\Windows\SysWOW64\Jholncde.dll	Mgfqmfde.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Ipdejo32.dll	Imoneg32.exe
File created	C:\Windows\SysWOW64\Mgfqmfde.exe	Mplhql32.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Ilidbbgl.exe	Iikhfg32.exe
File created	C:\Windows\SysWOW64\Kfankifm.exe	Kdcbom32.exe
File opened for modification	C:\Windows\SysWOW64\Lphoelqn.exe	Lmiciaaj.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Hcmgfbhd.exe	Hkfoeega.exe
File created	C:\Windows\SysWOW64\Mjegoo32.dll	Hcmgfbhd.exe
File created	C:\Windows\SysWOW64\Laffdj32.dll	Hmhhehlb.exe
File created	C:\Windows\SysWOW64\Cmlihfed.dll	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Nphhmj32.exe	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Dfdjmlhn.dll	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Ipnjafgo.dll	Hkdbpe32.exe
File opened for modification	C:\Windows\SysWOW64\Hkfoeega.exe	Helfik32.exe
File created	C:\Windows\SysWOW64\Namdcd32.dll	Kefkme32.exe
File opened for modification	C:\Windows\SysWOW64\Ndaggimg.exe	Npfkgjdn.exe
File opened for modification	C:\Windows\SysWOW64\Nggjdc32.exe	Nckndeni.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Anadoi32.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Lfhdlh32.exe	Lpnlpnih.exe
File created	C:\Windows\SysWOW64\Jcjpfk32.dll	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	Nphhmj32.exe
File opened for modification	C:\Windows\SysWOW64\Kmkfhc32.exe	Kfankifm.exe
File opened for modification	C:\Windows\SysWOW64\Mnebeogl.exe	Mcpnhfhf.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Pjeoglgc.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Hofdacke.exe	Hmhhehlb.exe
File created	C:\Windows\SysWOW64\Mcpnhfhf.exe	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Phkjck32.dll	Lmiciaaj.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Hcpclbfa.exe	Hkikkeeo.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7228	532	WerFault.exe	299

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilidbbgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdcbom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icifbang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbhfjljd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcpclbfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgfqmfde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcdmga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbgmcnhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hecmijim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbjcolha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmpgldhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplpjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icplcpgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jplfcpin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmbdbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Heocnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkdbpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebkhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Helfik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmijbcpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiidgeki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchhggno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmijbcpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	e5da68bb9a820be0162b0d80568c8a3644f95021ce8d96f4c5d5425f4a124c1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdejo32.dll"	Imoneg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjegoh32.dll"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfaedkdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojlbcgp.dll"	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gilnhifk.dll"	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhmkaf32.dll"	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifjigbdo.dll"	Hofdacke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codqon32.dll"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjiccacq.dll"	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ikpaldog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kiidgeki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnpllc32.dll"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dndgjk32.dll"	Iikhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kiidgeki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmpgldhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfelggh.dll"	Mplhql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hioiji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ilidbbgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlnnmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ifjodl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkoqfnpl.dll"	Jeklag32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 4848	228	e5da68bb9a820be0162b0d80568c8a3644f95021ce8d96f4c5d5425f4a124c1d.exe	84
PID 228 wrote to memory of 4848	228	e5da68bb9a820be0162b0d80568c8a3644f95021ce8d96f4c5d5425f4a124c1d.exe	84
PID 228 wrote to memory of 4848	228	e5da68bb9a820be0162b0d80568c8a3644f95021ce8d96f4c5d5425f4a124c1d.exe	84
PID 4848 wrote to memory of 4936	4848	Hkdbpe32.exe	85
PID 4848 wrote to memory of 4936	4848	Hkdbpe32.exe	85
PID 4848 wrote to memory of 4936	4848	Hkdbpe32.exe	85
PID 4936 wrote to memory of 2776	4936	Hckjacjg.exe	86
PID 4936 wrote to memory of 2776	4936	Hckjacjg.exe	86
PID 4936 wrote to memory of 2776	4936	Hckjacjg.exe	86
PID 2776 wrote to memory of 1192	2776	Helfik32.exe	87
PID 2776 wrote to memory of 1192	2776	Helfik32.exe	87
PID 2776 wrote to memory of 1192	2776	Helfik32.exe	87
PID 1192 wrote to memory of 3696	1192	Hkfoeega.exe	88
PID 1192 wrote to memory of 3696	1192	Hkfoeega.exe	88
PID 1192 wrote to memory of 3696	1192	Hkfoeega.exe	88
PID 3696 wrote to memory of 2760	3696	Hcmgfbhd.exe	89
PID 3696 wrote to memory of 2760	3696	Hcmgfbhd.exe	89
PID 3696 wrote to memory of 2760	3696	Hcmgfbhd.exe	89
PID 2760 wrote to memory of 64	2760	Heocnk32.exe	90
PID 2760 wrote to memory of 64	2760	Heocnk32.exe	90
PID 2760 wrote to memory of 64	2760	Heocnk32.exe	90
PID 64 wrote to memory of 3452	64	Hkikkeeo.exe	91
PID 64 wrote to memory of 3452	64	Hkikkeeo.exe	91
PID 64 wrote to memory of 3452	64	Hkikkeeo.exe	91
PID 3452 wrote to memory of 4228	3452	Hcpclbfa.exe	92
PID 3452 wrote to memory of 4228	3452	Hcpclbfa.exe	92
PID 3452 wrote to memory of 4228	3452	Hcpclbfa.exe	92
PID 4228 wrote to memory of 1804	4228	Heapdjlp.exe	94
PID 4228 wrote to memory of 1804	4228	Heapdjlp.exe	94
PID 4228 wrote to memory of 1804	4228	Heapdjlp.exe	94
PID 1804 wrote to memory of 5076	1804	Hmhhehlb.exe	95
PID 1804 wrote to memory of 5076	1804	Hmhhehlb.exe	95
PID 1804 wrote to memory of 5076	1804	Hmhhehlb.exe	95
PID 5076 wrote to memory of 448	5076	Hofdacke.exe	96
PID 5076 wrote to memory of 448	5076	Hofdacke.exe	96
PID 5076 wrote to memory of 448	5076	Hofdacke.exe	96
PID 448 wrote to memory of 972	448	Hecmijim.exe	97
PID 448 wrote to memory of 972	448	Hecmijim.exe	97
PID 448 wrote to memory of 972	448	Hecmijim.exe	97
PID 972 wrote to memory of 1592	972	Hioiji32.exe	99
PID 972 wrote to memory of 1592	972	Hioiji32.exe	99
PID 972 wrote to memory of 1592	972	Hioiji32.exe	99
PID 1592 wrote to memory of 400	1592	Hcdmga32.exe	100
PID 1592 wrote to memory of 400	1592	Hcdmga32.exe	100
PID 1592 wrote to memory of 400	1592	Hcdmga32.exe	100
PID 400 wrote to memory of 4544	400	Hbgmcnhf.exe	101
PID 400 wrote to memory of 4544	400	Hbgmcnhf.exe	101
PID 400 wrote to memory of 4544	400	Hbgmcnhf.exe	101
PID 4544 wrote to memory of 2712	4544	Iefioj32.exe	102
PID 4544 wrote to memory of 2712	4544	Iefioj32.exe	102
PID 4544 wrote to memory of 2712	4544	Iefioj32.exe	102
PID 2712 wrote to memory of 928	2712	Ikpaldog.exe	103
PID 2712 wrote to memory of 928	2712	Ikpaldog.exe	103
PID 2712 wrote to memory of 928	2712	Ikpaldog.exe	103
PID 928 wrote to memory of 4112	928	Icgjmapi.exe	104
PID 928 wrote to memory of 4112	928	Icgjmapi.exe	104
PID 928 wrote to memory of 4112	928	Icgjmapi.exe	104
PID 4112 wrote to memory of 3160	4112	Ifefimom.exe	105
PID 4112 wrote to memory of 3160	4112	Ifefimom.exe	105
PID 4112 wrote to memory of 3160	4112	Ifefimom.exe	105
PID 3160 wrote to memory of 1588	3160	Imoneg32.exe	106
PID 3160 wrote to memory of 1588	3160	Imoneg32.exe	106
PID 3160 wrote to memory of 1588	3160	Imoneg32.exe	106
PID 1588 wrote to memory of 4292	1588	Icifbang.exe	107

C:\Users\Admin\AppData\Local\Temp\e5da68bb9a820be0162b0d80568c8a3644f95021ce8d96f4c5d5425f4a124c1d.exe
"C:\Users\Admin\AppData\Local\Temp\e5da68bb9a820be0162b0d80568c8a3644f95021ce8d96f4c5d5425f4a124c1d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:228
- C:\Windows\SysWOW64\Hkdbpe32.exe
  C:\Windows\system32\Hkdbpe32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\SysWOW64\Hckjacjg.exe
    C:\Windows\system32\Hckjacjg.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\Windows\SysWOW64\Helfik32.exe
      C:\Windows\system32\Helfik32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\Hkfoeega.exe
        
        C:\Windows\system32\Hkfoeega.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1192
      - C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Hmhhehlb.exe
        
        C:\Windows\system32\Hmhhehlb.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Hcdmga32.exe
        
        C:\Windows\system32\Hcdmga32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4292
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        24⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3780
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        27⤵
        Executes dropped EXE
        
        PID:4192
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3952
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3760
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        32⤵
        Executes dropped EXE
        
        PID:2984
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        34⤵
        Executes dropped EXE
        
        PID:1452
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        37⤵
        Executes dropped EXE
        
        PID:4720
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3764
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        41⤵
        Executes dropped EXE
        
        PID:3516
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        44⤵
        Executes dropped EXE
        
        PID:412
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        45⤵
        Executes dropped EXE
        
        PID:1808
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        47⤵
        Executes dropped EXE
        
        PID:1720
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        48⤵
        Executes dropped EXE
        
        PID:1644
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        49⤵
        Executes dropped EXE
        
        PID:2740
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        50⤵
        Executes dropped EXE
        
        PID:3888
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        51⤵
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:728
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1340
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        55⤵
        Executes dropped EXE
        
        PID:2864
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        56⤵
        Executes dropped EXE
        
        PID:3876
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4240
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        60⤵
        Executes dropped EXE
        
        PID:2012
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        61⤵
        Executes dropped EXE
        
        PID:4552
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        64⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3756
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        66⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        67⤵
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:512
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2304
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        70⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        71⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        74⤵
        
        PID:872
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4636
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        78⤵
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2636
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2312
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3816
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:3188
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        85⤵
        Drops file in System32 directory
        
        PID:1460
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        86⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        87⤵
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        88⤵
        Drops file in System32 directory
        
        PID:2400
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4832
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        94⤵
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        96⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        98⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        99⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5592
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        101⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        102⤵
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        104⤵
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        106⤵
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:6000
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        108⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6084
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        110⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        111⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5220
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        113⤵
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5404
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        115⤵
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        116⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        118⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        119⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        120⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        121⤵
        Drops file in System32 directory
        
        PID:6040
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        122⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        123⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:5296
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        125⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        126⤵
        Drops file in System32 directory
        
        PID:5604
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        127⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        128⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        129⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        131⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5572
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        133⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        134⤵
        Drops file in System32 directory
        
        PID:6032
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        135⤵
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:5936
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        138⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        139⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6092
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        141⤵
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        142⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        143⤵
        Drops file in System32 directory
        
        PID:6168
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        144⤵
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:6248
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        146⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        147⤵
        Modifies registry class
        
        PID:6336
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        148⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        149⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6468
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6508
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        152⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6552
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:6592
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:6632
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        155⤵
        Modifies registry class
        
        PID:6672
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        156⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        157⤵
        Drops file in System32 directory
        
        PID:6760
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        158⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6804
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        159⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        160⤵
        Drops file in System32 directory
        
        PID:6892
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6924
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6968
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        163⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        164⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7100
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        166⤵
        Drops file in System32 directory
        
        PID:7144
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        167⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6232
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6332
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6372
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        171⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:6516
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        173⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6580
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        174⤵
        Modifies registry class
        
        PID:6664
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        175⤵
        Drops file in System32 directory
        
        PID:6728
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6792
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6872
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        178⤵
        Modifies registry class
        
        PID:6916
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        179⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7000
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:7088
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        181⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6208
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6272
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        185⤵
        System Location Discovery: System Language Discovery
        
        PID:6364
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6496
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        187⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6612
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6708
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        189⤵
        Drops file in System32 directory
        
        PID:6812
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6936
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7040
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        193⤵
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        195⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6492
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        196⤵
        Modifies registry class
        
        PID:6704
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6880
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        198⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        199⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6452
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        201⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6844
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        203⤵
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6560
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        205⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7092
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        206⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        207⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        208⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        209⤵
        
        PID:532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 416
        210⤵
        Program crash
        
        PID:7228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 532 -ip 532
1⤵
PID:7200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
128KB

MD5
cdd123ca15d52da56eed8067b9a0ad33

SHA1
eb7204b9d219b7e8352137b15b12febe731db2d0

SHA256
0f0e521050d812c9c0c22daf4a5bf2ee0fdf487748186b28782d1e0d279ff022

SHA512
ea1bd740a0be008e3150c79b6ecff61f3f7f606970873846219235c05dd5eb85356c4421bc80e0fe0e08db472fad9bb0e66a842b019b795bf1c8bdc480fbc22d

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
128KB

MD5
d8103133bd9d8dab06cadbeed188f91d

SHA1
e939b9b52dfce09e5de57aa917ca4eb1ae0cc4b1

SHA256
4f3a80757053cca0dc88deb7bd09e2c83ea05bdc0d6de7b7feae83103382a680

SHA512
3898c6649e687450edfbae585e470b4e7b31b98d4dc480925507f1bf1b3fc8e5c2f0eb9d31df8d71141c6b717eb459658dd02886d0250f5b0b8fffbb0063c940

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
128KB

MD5
7cf30daf68ca7605dc5a7fa32c4feff9

SHA1
adfdd4ad87f4938525737237acca201270e5ce97

SHA256
3bbc6827e6da3d5b789bb3a68d74139e4ce9271cb517d0e55d6bb00f418e32ed

SHA512
aa94e7c6f09f0bf164da212c8ffd05b2539fee24ff1e08454284ac96b973e7a78120933f333205bd45a9eeb087bbbf5561d2d5ccb850137dcf2d72810daa649f

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
128KB

MD5
b55b48bdbc4aade13f5af3fd1b4efbb9

SHA1
f560cebc9b86591eef43f64f59dd0e2bd254152e

SHA256
da4600db1c68558eb6dc87a16a36e649430c5e324aa4816e7f02d8b9f6f91220

SHA512
0d9b8e8e63140fd60d3f7fa99fff5b4c6beb19e8caf351144839509ca634732865e4440b7a2585901b8090ca32ec61482e6c203959c2c533a0fce6bf703081c1

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
128KB

MD5
7de67d9b622bce8f0e7595cb4270fdf4

SHA1
db77a6ba3637dfb9e7df0660391f99ffafd6a033

SHA256
a950a4c348d95375a46cc24f36e551bf9ad92e91404987ceeee61df0188c426c

SHA512
96863085abd3be24a2f08ca1c8bf37142569f5db37106f517ad492084df5a67c26596b8c8d9ba6ab3bebb2748879bb643c16d95664777de8c61f18b3825507be

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
128KB

MD5
b28e1cd0ee173e1d657932db0fd46654

SHA1
ccc695fa770513da15900ec77dd4d46fd0019b75

SHA256
8133a45d00f40be86128d3ca7366c341605073f48acf5c0013572eed30cb0338

SHA512
e7d1b4feafd87d32bf8c83a3b3df6e37596067020dacd132a5b68ffee505652490fea89a4a4e541d48e667b50eb737935401c09e41994ef8dd789c3d4a74fee8

Download Submit
C:\Windows\SysWOW64\Ciglpe32.dll

Filesize
7KB

MD5
c1c3167da8ae25ea2a241c4f50dbf20b

SHA1
d50042d05d74a176912470454519a991c50de8b8

SHA256
93c70a9b558500303d35261f346fb3583a02f9316f0a86d7fbc32599d502330a

SHA512
7a1c05c842ffc682cfe37e865e0120c4e3c3b0b499bc3879b4a73958d0a1d944b693a50a948fa3ee4537e0654552194dff4f7a0d8c03bea0f952f5b538f3b4ca

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
128KB

MD5
543381fc3595c19dfe9a402f53918fe7

SHA1
1b2c79c168c9f742dbecf135225d8d3d7b1a923f

SHA256
cc6f3683dae3959f6b6dbe56f59184fc831013f433d2490f7c62cfa946554d87

SHA512
99bed100879840fa1493db3a9a95f0b631a86b0ea49d158632092e6c064abc400e0c5ad1abf1229683d6df7b82dee22163a2a76b79441e51e0eff0830c76980f

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
128KB

MD5
df9502a95b7e4e739b79f9d72b13eafb

SHA1
cf1cc6cf0254ec4b6b3aab18e5d5df20e33566c4

SHA256
3a405a9d47d3e8bf55333e7e29ec8da8891d29466f854f5d6e8a1d55679485a6

SHA512
69447b5d451efeebe987a0c683ee4119e243ee2ba2b39cbe64e816d1f382338a4fbeda423cfdf72933c7d2201691ed0af2bf30f4d1c1df1f9c1b5abf70d93df3

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
128KB

MD5
a0fff7546d9ef2050888ab44422353c1

SHA1
81ddc5388613c09e9229aa23b49831bcf5d44db1

SHA256
6ac569a6dc3c05da0d37fa0ae986cb77230de22d5b8d11430ae7958e48335a2c

SHA512
92b4f8bd2d1ab487b385a10ea9671ddbbb8152cb432705f019bb3eed898f22b043c1d5bb4f95f3242ca317fb9f84dda7401826bf3fb3e5f7ed17dd47fcbd8e58

Download Submit
C:\Windows\SysWOW64\Hbgmcnhf.exe

Filesize
128KB

MD5
5648a977de403a4cc03abc3691b13469

SHA1
3395ea3026a8245cef678f35439e6a5e02c51036

SHA256
a57654868c464627a3c84b60c350b6d4a5d5d8e2daca9bfe62e3e121853f2a43

SHA512
5979e51ed0565f59ce9a65c7d620a1edf610f6f749b0c3ba8cfb7291d4e0548ea5e72d90020e50e5f5c1d5e2fc9831e2bec9cf3eef773f97d62a1a2dfc7f6d05

Download Submit
C:\Windows\SysWOW64\Hcdmga32.exe

Filesize
128KB

MD5
2b1523cc95ee245aad6cfc5bac807aa0

SHA1
2304df9371c580e54078b789dd0e74041d2576ed

SHA256
569eb76526fcad6ae4d139c7010c366d7face4e5b4e0ebd03a4fa0a3023383a4

SHA512
ea251709d9affb83aefe90fee3d1d1d4a4aa7ba85767a0e7209c1e6a3d54838ee3da19fd2ef9f4c89778fd1b962c6dd5c9534a0d2c3da869e86b62921b3764e0

Download Submit
C:\Windows\SysWOW64\Hckjacjg.exe

Filesize
128KB

MD5
1ae29d68615f2b47cc48e6d9516dc53f

SHA1
2ed206b7e6094f347f0d745971d94d708745e74c

SHA256
20566c3a37206c8cbfb05ce9862ee7fda35c34f0028b48862c54975b3f268f4f

SHA512
dc7d017d473f0597ad501a27f9e75ecc50b24dbbac6b10b15860b4980861e1fe993ad1ec18f30e2af4ee2ed8ea4703176617857a932d9a8a62a05a2866bad9d3

Download Submit
C:\Windows\SysWOW64\Hcmgfbhd.exe

Filesize
128KB

MD5
20cebac65aea728c472ad6721bb7bb4b

SHA1
722a2ee738d1d7ec5287ec6f6e131b9743ae4d53

SHA256
3271782b94364cd6d10050b1263e7dc9ff13da4d9fbf802f07bb0f3f07745aea

SHA512
f7ef5b890db01ff5e71432a15be95bd78898ba38de8ea3175991ca92c6cecf33f943e2afc8c2fcd91a686986675b20ea663b63126192cc32b437c0ce9610f98a

Download Submit
C:\Windows\SysWOW64\Hcpclbfa.exe

Filesize
128KB

MD5
8dc78706e68eeb84b8e8627dcc6a7025

SHA1
922a292773baf2eff92a5709cd877e2fc5741e26

SHA256
f42f48c0622886e6c84cd18d9227e01820180b0e98ad84fc6b0e0dc8183f25b4

SHA512
43c07610d0e665da9671fd9526272cad5c4452a890e180581793ecf9158ff2f5e40404d66dd648fe32c02f998d69ecd30b28cefe86c0b805ac2a051fa2edc05b

Download Submit
C:\Windows\SysWOW64\Heapdjlp.exe

Filesize
128KB

MD5
010311f1290f51c2431b78ab94b78494

SHA1
4cd069813be28c136426749c765c1348bc24748e

SHA256
1cf0d97364c2f99f3854f9319505c771fe5ce641169d22f29024638ab2372e70

SHA512
c85598f407c035fa967c2d9e163cf3878dbedcccad3e98c9ee69a2ba521f2d8070e269112f91cc3138aef274eb9f7c8d99e4971c4f3b73be356b6432425b74c3

Download Submit
C:\Windows\SysWOW64\Hecmijim.exe

Filesize
128KB

MD5
607fa94531167e99eeaf12b21547cdc8

SHA1
c80dcea7a542e19395a806bb60cd2dd9a1f0a0c1

SHA256
702977ede253f1db5f566f206aa6dcd37493a51ecb776c97ec334ddebdbc4f18

SHA512
41493d3d49e2ce2682959b8ef9b09e8c3ea465615833fe2ddc476e475ab960a2f33f48ea322bd087e72905fa5925995fb72298f1296f60de43e6317bacf6e429

Download Submit
C:\Windows\SysWOW64\Helfik32.exe

Filesize
128KB

MD5
2ef3e9934400e11a18875647e4148e20

SHA1
17cefe6acc6c1604d387dacba42dd1a0c02ccdf8

SHA256
9e25e06b13e218ce7bca6e2df95d3b77396c988f1faac60a92c7e4bf87901f9d

SHA512
37d5fde24574cb2132f8e0e4af0b1d2386db27483cd0313a7a96037af22c59993a0077a46cefe90ec61f1e8eb14d5fbb81f6bdfd5fe4e0d89468c4185d3132ff

Download Submit
C:\Windows\SysWOW64\Heocnk32.exe

Filesize
128KB

MD5
6327f845eaa112e1145c31e4b5f00156

SHA1
fd0a4d31bb3ce72f73ada25d687d2dadf6895ca8

SHA256
cd810e00d4e8e301c15db284b1096b57612f4974feae424e3d626b6b89aa79fc

SHA512
3e6d21a9fd61452a0a06d66d2f512e6386df57673f1b3f691ddcdb890758caa85e7a70b6739c4233235086b45eb7512d1fff1196f31f7e6b6a4f25b48e36e084

Download Submit
C:\Windows\SysWOW64\Hioiji32.exe

Filesize
128KB

MD5
649f7fd33c97494ae2b3a49c06183a62

SHA1
abd749d858f19edb252a3e8ea574c80b0013d9b8

SHA256
10876928edea4e3f8a9d6175b7d89584b1c6b73cf4be3d754ac926020ea6e64b

SHA512
4ac22b4ce7719564bae243e0cae17cb996073be079945e47b5063cd7da1004adaa5d5c86d49401a9fa0e3033b6af662ff745bf823dfe2ca4de5c1c1f8a5e1cdf

Download Submit
C:\Windows\SysWOW64\Hkdbpe32.exe

Filesize
128KB

MD5
a5c4caa9269998ffcd2f0c42be888033

SHA1
444db1d1e3e95ed279f23cf9368328771f8503a0

SHA256
f475bfb8407e87a6c8e2bfbefad8cf2b0cd8da10df4810d70bf2517155db9a85

SHA512
5f1c8c0b4c70de34756963441e27906141c256e5bedde1df0d1f92ab0c78aa3f0a500ca0265ed5dcfca0c7e32c8accc799bb4065035035d6133d1abd09d4a854

Download Submit
C:\Windows\SysWOW64\Hkfoeega.exe

Filesize
128KB

MD5
f8c137fb776fcae5649b983b1f9c28ea

SHA1
7b002330987f85df549477c7553afebbc6dbc9dc

SHA256
4c1a3284cfbe9db35a03f1ec426f501790bc6ed5eec17585e89b4e73a16f0b62

SHA512
60ab198ac7f6fdf23b23435c213a5129ba87447e8f8ea374ac8b2ed5ed148ac6dac5c15eeaf4626a296c13b3096be3c934cb010438853a197655bb209019978f

Download Submit
C:\Windows\SysWOW64\Hkikkeeo.exe

Filesize
128KB

MD5
9dd578ea14dac663e71dae17ce9faecd

SHA1
3177075388ef2a68b2a543e8a1e138c608c61c95

SHA256
6a03a11c8b88d8542644a2e6c712e49769b57bfd4eeb6ea6789de320a42ecba4

SHA512
ce3ad332e61b335148efd02316d2ca67b3287b9f6385f5b8578b4541b00d04d890695e25123b2bf4379dc5e4c57e6f8531dac3b35b66eed3ba1517cc57bf6d07

Download Submit
C:\Windows\SysWOW64\Hmhhehlb.exe

Filesize
128KB

MD5
1494ae90c3d4d466b7837b8b83b9a7dc

SHA1
ee247989ed31592f5ced3ae0431a3ec83e141c0f

SHA256
01607baff87dc623a4cb3f63dbeba8f056f47f001a2f380829728c8fcec03721

SHA512
0ab86a8661ddabed106da338ce8a636c5f8fc5fcee31355fb8d392d149616c02275492b17d6fd1ca3243744b5e5d2dc7be5ab7cfa45ec0f9f9035b151fd67f00

Download Submit
C:\Windows\SysWOW64\Hofdacke.exe

Filesize
128KB

MD5
3e351fca3490803e0b75329614fcbe51

SHA1
6c77f231edf6d078d954f5b89dcf2d7da77f45c7

SHA256
368d345c260799f201c2d7209faa339b16760dabfe0507021ccfcb53433a1240

SHA512
4493bec50de25d7a59fe14d780d382e5cd16bff0c05389dd3a411f0410c3cc5be1a6c3532838978571dad82773543e62997eb02c949520afcaf159de741956c6

Download Submit
C:\Windows\SysWOW64\Icgjmapi.exe

Filesize
128KB

MD5
6ddb0d35f8000f17717b2f78779b4aab

SHA1
99453bf683fdca4f3dc334501f7d2a3d5a2fceb4

SHA256
fc831e8401ba1f6520d25ad4d134b2dcc317a9b1aa1ed0ad76e0015895dfc0c3

SHA512
6d305b266c7741049445be3941ca603fe90eb9929af57b6180c16a4c3a66782b210e57b94c9bf387846796a0f2e5535213de52d8308e7a1171f07a8a9ba9d015

Download Submit
C:\Windows\SysWOW64\Icifbang.exe

Filesize
128KB

MD5
86f939859e714c62fe4e70b013a3027d

SHA1
0b8353a05e086c4499abc7ec355826aae2334300

SHA256
8cd562902cd822aa1d0d5b583519600b3d4584336531625edf3729508b0de746

SHA512
e5b04c8725bf32fbb49432da95b26a69b2953496ad2cd104285dc9aa74f6eaf15ff39de762c3af198f3b22a60d3e0c6d5ec82ce6fda79df19a69319697a5d4f0

Download Submit
C:\Windows\SysWOW64\Ickchq32.exe

Filesize
128KB

MD5
75bee9f303dcc5a169faf110d7b9dd2f

SHA1
df00f5f634c05577354895e91dd76187852a3751

SHA256
093a7bccee1ff18879b6e0843c1eeba432f3c2b9e60300a3840ac8cf6950102f

SHA512
b769a51366ef161cefa81c9bb2f7fc710148090b2d5a0ddb1b82c56ebdf93664313db1b38f29ef83b00598fe09325462323717aff4f6b7b0bb128ab4bda6d781

Download Submit
C:\Windows\SysWOW64\Icplcpgo.exe

Filesize
128KB

MD5
1fc2310ebc57de8fa5d8f46d86980e9d

SHA1
d511b71b4ce3f063ce88beeb34bfa9d5653cdf68

SHA256
84fe88dd6952fa1d1ac8127af00176b795260e35dae53d04de1758934bbaf162

SHA512
6cd67db25808a103192636ad87723ae0cb4e38d2e03b2bf0debba9a402f47d660c1f390911d4ac4fbecf3971917868cfa1050d420ac38bf81d5c7042fe3a312c

Download Submit
C:\Windows\SysWOW64\Iefioj32.exe

Filesize
128KB

MD5
bcc008cc09ae416210d839da216f5537

SHA1
eae21cc32018281d4a5fd5bdeef8fff18745d676

SHA256
25ae1d287d99f1e01bdae5b989738e874a3e4201639cd8de8456abbcee33c9a0

SHA512
1956e7b2e7a0d3ea5425293e5f9bda5ba3cb282283e77d60151baace065f1a7fc8e796d5ec2fd068a607f66330ccb2bdca42a1f92694e83510f17fc9b57681ef

Download Submit
C:\Windows\SysWOW64\Ifefimom.exe

Filesize
128KB

MD5
b4b7bbddeb909c8b27b0f2490d37c659

SHA1
f694fc2af9544a72cb6e3e5eae5a7ed1acf97b62

SHA256
514e17b9b79d2c376a5cf8078aa7d1562ecaea29e846847588c547a969ab7bf1

SHA512
037d510f9c279600b2bd4e26c815b47afabace15b19e47f35b83a9f9f82211e2f6f143c93378fd1588597ab7ce9b11f2acbab88bfd531a6fddef465057ba973a

Download Submit
C:\Windows\SysWOW64\Ifgbnlmj.exe

Filesize
128KB

MD5
66d867d00a1cf556dc93830f6f4775a0

SHA1
399f8ee8348fa15ce40fb222fad0cc697ce182c3

SHA256
e9e789d6ff388357b8029b15e5e80c96285f0aeaf91a69ac3d1b3c257c9e4125

SHA512
bc3beb74a7019616a206641a3d764b2c46568e385f51f87b8d93ab3fc1ff68fdafda5547837ab9b4952714b9debbd6d58c9c0030f38676842e04a6462a54d5f8

Download Submit
C:\Windows\SysWOW64\Ifjodl32.exe

Filesize
128KB

MD5
6418d94ee786c6469c72df39b5b3b2cf

SHA1
b31278740559adad1e565e4c24676a9c06a20fa3

SHA256
9d96cd50d2e49c09c98257707dbe8336aee67d595b642261c8285f79482d9fb1

SHA512
151163bddaac6521ce1ad6df3f990d6249b35bf27616051afe1d052edf3dae91070602e1758c9eb27e6af4260f483169fee2d893781ae71d3b68d410b8887831

Download Submit
C:\Windows\SysWOW64\Iikhfg32.exe

Filesize
128KB

MD5
f65669ccd03b12ad3f66a4d832073e0e

SHA1
b098a3323482b0398e89a67a70aaa98ba2ef95d3

SHA256
e6f27909934437c7aed2fded9c36449dddf9818d629e57367ab09c9e16dcfdd5

SHA512
98fa6b663f1a47983f1d639fecc5427819b3a6b80c81d636e83c8506172aec5bb6e12a382c6651b98cd6a829a71e7e3de1ceee8640c4fee6f1925bfff98eaacc

Download Submit
C:\Windows\SysWOW64\Ikpaldog.exe

Filesize
128KB

MD5
4b655024170555c5f50ffc2d0649ff69

SHA1
9d938b7464ca886d50f64e6b248847c103413ed8

SHA256
7662da7855b51cda8b2a5f9e8826ce7e313ce593e82baa2a1f780bde5056f64b

SHA512
fc089c48d01cae9d620b0155ce226a91ac92c5dd5336c92e4c3870a6bc0ba76602a0614cf0383035cac6fbacab1f14a35db9e0f4ea6a289473dc9707f479e44e

Download Submit
C:\Windows\SysWOW64\Ildkgc32.exe

Filesize
128KB

MD5
71394e9d60f3cdb92d2c50fd34d0120f

SHA1
8b61199edef4ef4e43844b9b69a20b24284b5d87

SHA256
db6cffc53391ec564a98ce64fc5bfcdeb94544cc6b84564edbfca42b598d6cb5

SHA512
a5170fa3d11396cc2c0e8c7b53f9894f5bc0e30cee291c7ae188d5abf068cdde77a3aaf5f1d67d6e289e4f8b86046134e81159fa4da56dba654ce6c6e78a82c2

Download Submit
C:\Windows\SysWOW64\Ilidbbgl.exe

Filesize
128KB

MD5
b399fed445d6d6e0c40b74f3d2c1a61e

SHA1
20e135365908e27abc92a0cd20e0166301fda480

SHA256
8e0f336b4d54af8c872110e56cea17e6bbd99b28fae1c6a76bcda1ff8cc048b1

SHA512
29de2bda2f468827f03ba3462efb1502ff13f2ec0e9b40900a7b2e5c1a02ff25afecac7903b8e71b5093316cf83d2e8a952a233c39bcf9a0ca4ce4a57591540b

Download Submit
C:\Windows\SysWOW64\Imdgqfbd.exe

Filesize
128KB

MD5
d6ecd717e5a18c2f09319155ee8c3e75

SHA1
f2e53c3d9b92d7006dd55c73787c92c5d36cc480

SHA256
c0db7ba88bb1796cce1023d2cff6bac73761e006c495f3bc15d02fcb60e5c025

SHA512
ad0c0dafd3fa169d048e53b45bb65e52a6d3185b912dc8e532262a2296b691d4d4767ff266170cb979f43710ac6271b9d938f9eb17ccc64161846cfca75b2656

Download Submit
C:\Windows\SysWOW64\Imoneg32.exe

Filesize
128KB

MD5
273a54707fba6037b5405751a2d1ce1f

SHA1
04ae30dd43fb02be6e61d83ea0c524a7787eddc7

SHA256
6be27d870e2bdae7c302acdf28d75e2e3c85d04db418b489fbc08f723527f4e4

SHA512
bbeb5a7c8605960f9e019fc19c563eb3f1456bc2192216d7c6c85d3a2347d76a89886c74cec30ab0f9685d3b8508f20202a5186912facfa5b7d9871d964073f5

Download Submit
C:\Windows\SysWOW64\Jfaedkdp.exe

Filesize
128KB

MD5
57850b0eef976b0ec2371a9cfa1aabf1

SHA1
3c4dc6e5eae65999c19f38d41f34736ad1840f9b

SHA256
a47e4bb64f2d86fc681f5304c51dbca1eb65409884da583318621f726e5db667

SHA512
8d2e606e8f69c4b425ae7a83be58569ca6fd589f8e431828250d50eaa9f99b0d32944afb535855299da48c99870f50d4f4d6cbc771fb99fa2e183e4773a226b0

Download Submit
C:\Windows\SysWOW64\Jimekgff.exe

Filesize
128KB

MD5
ae8901593df215aa64b212077d0cb116

SHA1
5934be6123add43ca77ba247c1ac8e3808d4c989

SHA256
b93d8b9517b556e56dac67c9232babbf265cddcb64994c74d7d846822e8f7037

SHA512
04aeffd9018503a5468ed2e487376297b63c650deb20a24b7535ecb28df36014097973ec36ea064e7fb273ea3958da384aa0b126ff2d11333d733e984e1b667e

Download Submit
C:\Windows\SysWOW64\Jlkagbej.exe

Filesize
128KB

MD5
c957ea7aeefcb3ce2376f13543ea0b5c

SHA1
65c480eb944b008d812a9a89536db52c64dca859

SHA256
6896fb7357ba75c0b02becd0df46c8925cd8c31db5fe722cd9b68a26a9f57ece

SHA512
58a68243e76746f214f1cb7eb264f3f8b2b3ee9b70ed0276b4002251618c63e3dd4a3384aea61c453b8d11e541592e0b207fc5ab1b7d5d4480df8de46fa32649

Download Submit
C:\Windows\SysWOW64\Jlnnmb32.exe

Filesize
128KB

MD5
d7d4412c7a392da8a30a59ad97c1d508

SHA1
5d25059e9646be9cdd0788b369438d29dce40f66

SHA256
81b47d8b7ea19204d0f6a6ccc9a43b6b6ec2cccc5c185df28ca4596e8a6635de

SHA512
2f5f696b2fa0fc3c43fd9ebd7d64380b1e3dab006582c96a573af2ebb6389d74ef73a11325efb0b3347afad999ab6a0576f2535ae5c40b49870c3c4a59c59016

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
128KB

MD5
e5d3fe2d230419d4752c89bded194058

SHA1
0febfc0af9667ce403fabafe0958d552864f1782

SHA256
5b9db65309d21739e72e8ef6be0f8e86b59dea632fece0ce7bfefc2b44a40138

SHA512
581d3dcb21ba7767ba635ddbcf375c3b2305c00647344ea7f7e675ad24b28ad14065ffde15da331421ebcfce36cecd377c32ec71332c14f70567302b2bb400f3

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
128KB

MD5
f8cfffe3013fb91e28be60f09fc7583c

SHA1
2f526b95396792c15ae7167802d731f809613ff7

SHA256
413e6930630c69554373145c39f42b4d44584d9f07debdf1cdb24eac303e60d4

SHA512
b16e134067e2449a850b4ae27b0a3bf4f11223f6fb9b9bc7e02b363bad099d08585d6baf7ceb409e89fdab3e341d2ffaf958a226c19ec96e183135e7f5da767b

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
128KB

MD5
8954bcedfbbd9b19995d21b10527746e

SHA1
9d7ff2ac7e266f7750da8cbeba162806fa45fef0

SHA256
12aeee9e90ebd1728771641a2fa2b5c8a87b921d64cd4c966befb4dd4a17f55d

SHA512
a9797334c42b9246e2a4747d00d1fa05810b0382f312f3827e9cd90a7be34f4362174490a584fe52d7fb3519fc481ef7b933728933c5f532a1f372ae4139d04a

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
128KB

MD5
eee014f41b7ce7016a088b411265595e

SHA1
f3ab10f92b3f245a6cfacd1f8aca837829efb470

SHA256
518e902fe63ce5219cc6d392303105146af27a142d3febd00d7a86f106044b39

SHA512
1e911982dd8bd203e35739eb69bcf825e8f660d6c943ae802d5763415ffe8f003b38b94d09878f244244fca7b1e15c4b23dbae3cbb462979eb69dd5b8c068362

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
128KB

MD5
e6b4265ee83b2aa1e3563e0f281f9124

SHA1
763f54a63f1ece788d714331fb8c4e033493df41

SHA256
a4a817a3b1b20ef05d8bb0bf8a73fcf271967d9d04ada328810007672c6a8c4c

SHA512
4abc918455a44ea23ccc57554a44b741ad7562188396f5bfb43542884d7a8db53f9d7e4288ff8a7105a278632b9902664bec7e4d1a60ae4cde963e597a3aee67

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
128KB

MD5
9d95b43ba7d9f148ff3da7896ee4e619

SHA1
7122705afe28caad5e489e7f6e4355cd7ef47028

SHA256
27359d22cc041efb9cd204a07cf9ac086e53664635ba0200181c9fde0929b58a

SHA512
482ebb5e8f86d10959543dc3b65d5662589387b87c22e6c353ac0c545ae8d88014c16084e9356a602efbc23c135e0615e1ecdae02a547bb5bcaab4f0784b34e3

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
128KB

MD5
3331c5e6f3bd1da7dde398b52f3431f5

SHA1
3462bf12bf6108ea9abb5f025800bb438317dcef

SHA256
530342f113762b6a88813bb64ea0e8007488995d90a469547fa141647f618492

SHA512
4ea6c47ff95718e9187e6b905a84dee37a28817870d892c3b19cb8f7f83856867d624eb49d3d79f15df2380ab4dcfc492bf32132386759016523f6554a5dad0d

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
128KB

MD5
62189c0a68d22d41cd19a377a7feabd3

SHA1
e27a1d2dcb3c67c4404b40afae779ad6b0bcbabe

SHA256
2b7c2933eac46e26f07aba008d8e2d6cbbe7af8686baaf7b277d5fded501e2cf

SHA512
508eb7a4806eb566d28fc302c91b0708b906b5eb52c953e628cd1a20a86cae88d32641615855efcbe5fe40a0e0c3b3e46cc38e00c866c9f23adaf1af6cb66d2c

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
128KB

MD5
a63063d18225b2be4c1dce14eaec16ac

SHA1
bb2394598800122b76020966caa8cea4f451d23d

SHA256
e15dcebda4a98274a5acee5cda514f07056705ed09a641e3497d35595d336d43

SHA512
88292743ae93dddf75ed8fa7850d0254006506bab54a3723ee7f73642d539c4da55e8e6cde95257cd96006778a466b00afd4fc4eccddbde0973c74f0de2aa0d8

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
64KB

MD5
48f30f3b760f898f0c9b0379c0090040

SHA1
e791f0cb6e6a0011b48690d892e5dfa5d1e498b1

SHA256
899bc9386784584895ce6d7afc81b9716696402ac37f36d58f04f0129a71c48c

SHA512
26e1bea4dcd404dc05dc527673ecaad81e2c0819b92b8e4ec5b59c4300c60a209a4b1e3f3bd3ff374574d874e91570bf4eeeb13b6a47fb68423caf515b152549

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
128KB

MD5
ca9d9ab45b614e957447db632e87210e

SHA1
d8b849f80d54dbd567c846da0fdb478e984f545d

SHA256
f53a5f84b25a32ae19f884ad587b8bfa5b0db735ecfae94225e0b0cdf1bd4ed1

SHA512
7160f24bfd0a7a6f1a6c109ee3281fda1c711198d7a405016d2150a4301ac8d25464b280a5e5c446a55ad181bffc1223fc57246df28450a1e83c59db858f2101

Download Submit
memory/64-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/64-601-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/228-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/228-550-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/400-120-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/412-322-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/448-96-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/512-466-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/728-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/756-334-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/872-506-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/920-220-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/928-144-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/972-104-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1056-508-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1168-586-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1192-36-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1192-578-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1204-316-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1336-310-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1340-386-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1452-263-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1460-572-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1536-500-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1568-364-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1588-168-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1592-116-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1596-184-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1644-346-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1720-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1764-458-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1804-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1808-333-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1988-446-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2012-418-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2200-521-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2236-224-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2244-274-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2304-472-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2312-548-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2400-593-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2636-542-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2712-140-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2740-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2760-592-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2760-47-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2776-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2776-571-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2864-388-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2984-247-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3020-290-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3160-160-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3188-565-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3260-434-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3440-268-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3452-63-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3516-304-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3680-551-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3696-40-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3696-585-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3756-449-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3760-240-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3764-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3780-192-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3816-563-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3876-398-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3888-361-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3952-231-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3964-200-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4104-460-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4112-155-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4192-207-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4224-526-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4228-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4240-406-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4276-400-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4292-176-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4316-484-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4364-256-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4448-583-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4468-532-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4472-483-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4520-436-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4544-130-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4552-427-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4572-495-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4636-514-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4720-280-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4772-416-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4848-561-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4848-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4876-370-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4892-298-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4936-564-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4936-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5076-88-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads