b1c62a3db5be95fda84a3219686e4f43aee21c7323f2352d1389ee458a3a14d6

Analysis

max time kernel
114s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 10:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

75e9cb204f0bf17e2a349d23b5d0d860N.exe
Size

1000KB
MD5

75e9cb204f0bf17e2a349d23b5d0d860
SHA1

98e3b7af61d15f0ed56d9a4e77aaf9a071a2c142
SHA256

b1c62a3db5be95fda84a3219686e4f43aee21c7323f2352d1389ee458a3a14d6
SHA512

1f639f1a2e96b23d6bcbbcd84d712ee83dd14e7d1f8428cf3e5803af28a592b642c9956649f1b9a7232da7b4b691cdcb2222af452620f207cabf6c46a1797e36
SSDEEP

12288:M2KSCtHBFLPj3TmLnWrOxNuxC97hFq9o7:ZCtHBFLPj368MoC9Dq9o7

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iialhaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Loofnccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckdkhq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jimldogg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqoefand.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dinael32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekljpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fklcgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajmladbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mapppn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcbkml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmphaaln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aalmimfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdmaoahm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbagbebm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmbegqjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdkdibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncpeaoih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lchfib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppnenlka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdnln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbnaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iojkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhplpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noppeaed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oophlo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aplaoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfjjpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aimogakj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hicpgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kedlip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhnhajba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lancko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Loacdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oifppdpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epdime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbaahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iehmmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oifppdpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Piapkbeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdaile32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hppeim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhplpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oophlo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppdbgncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Famhmfkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpqggh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mohidbkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfbaalbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcgdhkem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbdiknlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cildom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqfojblo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieojgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofgdcipq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qpbnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egkddo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lohqnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loacdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocdnln32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daeifj32.exe

Executes dropped EXE 64 IoCs

pid	Process
2724	Hicpgc32.exe
2676	Hpmhdmea.exe
2128	Hbldphde.exe
1112	Hejqldci.exe
2752	Hhimhobl.exe
4912	Hppeim32.exe
2624	Hnbeeiji.exe
2668	Hbnaeh32.exe
1416	Hemmac32.exe
1732	Ihkjno32.exe
4424	Ilfennic.exe
4784	Ipbaol32.exe
264	Ibqnkh32.exe
420	Ieojgc32.exe
2524	Ihmfco32.exe
4720	Ipdndloi.exe
3840	Ibcjqgnm.exe
4944	Ieagmcmq.exe
3608	Ihpcinld.exe
3440	Iojkeh32.exe
4564	Ibegfglj.exe
5040	Ieccbbkn.exe
3400	Ihbponja.exe
1584	Ipihpkkd.exe
4296	Ibgdlg32.exe
4056	Iajdgcab.exe
2644	Iialhaad.exe
3540	Ilphdlqh.exe
2500	Iondqhpl.exe
3868	Iamamcop.exe
3364	Iehmmb32.exe
2068	Jblmgf32.exe
3656	Jekjcaef.exe
3536	Jhifomdj.exe
416	Jldbpl32.exe
3944	Jocnlg32.exe
3112	Jaajhb32.exe
1704	Jhkbdmbg.exe
4640	Jpbjfjci.exe
5132	Jbagbebm.exe
5176	Jeocna32.exe
5224	Jhnojl32.exe
5256	Johggfha.exe
5296	Jafdcbge.exe
5336	Jimldogg.exe
5376	Jhplpl32.exe
5416	Jpgdai32.exe
5456	Jbepme32.exe
5496	Kedlip32.exe
5536	Khbiello.exe
5576	Klndfj32.exe
5616	Kolabf32.exe
5656	Kakmna32.exe
5696	Kibeoo32.exe
5736	Klpakj32.exe
5776	Koonge32.exe
5816	Kamjda32.exe
5856	Kidben32.exe
5896	Khgbqkhj.exe
5936	Kpnjah32.exe
5984	Kapfiqoj.exe
6016	Khiofk32.exe
6056	Kpqggh32.exe
6096	Kabcopmg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ciihjmcj.exe	Ccppmc32.exe
File opened for modification	C:\Windows\SysWOW64\Jldbpl32.exe	Jhifomdj.exe
File created	C:\Windows\SysWOW64\Mneoha32.dll	Jhplpl32.exe
File created	C:\Windows\SysWOW64\Agolng32.dll	Oifppdpd.exe
File opened for modification	C:\Windows\SysWOW64\Omfekbdh.exe	Ojhiogdd.exe
File opened for modification	C:\Windows\SysWOW64\Nbebbk32.exe	Nofefp32.exe
File created	C:\Windows\SysWOW64\Ofegni32.exe	Ocgkan32.exe
File opened for modification	C:\Windows\SysWOW64\Ojhiogdd.exe	Obqanjdb.exe
File opened for modification	C:\Windows\SysWOW64\Pmphaaln.exe	Pidlqb32.exe
File opened for modification	C:\Windows\SysWOW64\Iamamcop.exe	Iondqhpl.exe
File created	C:\Windows\SysWOW64\Kibeoo32.exe	Kakmna32.exe
File opened for modification	C:\Windows\SysWOW64\Mlofcf32.exe	Mhckcgpj.exe
File created	C:\Windows\SysWOW64\Ojqhdcii.dll	Mlofcf32.exe
File created	C:\Windows\SysWOW64\Abhqefpg.exe	Apjdikqd.exe
File opened for modification	C:\Windows\SysWOW64\Cpljehpo.exe	Ckpamabg.exe
File created	C:\Windows\SysWOW64\Eqmlccdi.exe	Ejccgi32.exe
File created	C:\Windows\SysWOW64\Glkkmjeh.dll	Fkcpql32.exe
File created	C:\Windows\SysWOW64\Pencqe32.dll	Paihlpfi.exe
File created	C:\Windows\SysWOW64\Qclmck32.exe	Qamago32.exe
File created	C:\Windows\SysWOW64\Gpeipb32.dll	Abhqefpg.exe
File created	C:\Windows\SysWOW64\Hbldphde.exe	Hpmhdmea.exe
File opened for modification	C:\Windows\SysWOW64\Jocnlg32.exe	Jldbpl32.exe
File created	C:\Windows\SysWOW64\Mofmobmo.exe	Mlhqcgnk.exe
File created	C:\Windows\SysWOW64\Pcgdhkem.exe	Paihlpfi.exe
File created	C:\Windows\SysWOW64\Npmknd32.dll	Jhifomdj.exe
File opened for modification	C:\Windows\SysWOW64\Jbepme32.exe	Jpgdai32.exe
File created	C:\Windows\SysWOW64\Ddcebe32.exe	Daeifj32.exe
File created	C:\Windows\SysWOW64\Gokfdpdo.dll	Fdmaoahm.exe
File opened for modification	C:\Windows\SysWOW64\Mjlalkmd.exe	Mbdiknlb.exe
File created	C:\Windows\SysWOW64\Ocihgnam.exe	Oqklkbbi.exe
File created	C:\Windows\SysWOW64\Pmphaaln.exe	Pidlqb32.exe
File created	C:\Windows\SysWOW64\Lncmdghm.dll	Cgmhcaac.exe
File opened for modification	C:\Windows\SysWOW64\Modpib32.exe	Mledmg32.exe
File created	C:\Windows\SysWOW64\Faoiogei.dll	Mfnhfm32.exe
File created	C:\Windows\SysWOW64\Fbbnpn32.dll	Mohidbkl.exe
File opened for modification	C:\Windows\SysWOW64\Obgohklm.exe	Ocdnln32.exe
File created	C:\Windows\SysWOW64\Ohlemeao.dll	Jaajhb32.exe
File created	C:\Windows\SysWOW64\Oqklkbbi.exe	Oiccje32.exe
File created	C:\Windows\SysWOW64\Ddfbgelh.exe	Dnljkk32.exe
File opened for modification	C:\Windows\SysWOW64\Ekimjn32.exe	Epdime32.exe
File created	C:\Windows\SysWOW64\Jjgkan32.dll	Omfekbdh.exe
File created	C:\Windows\SysWOW64\Edaaccbj.exe	Enhifi32.exe
File opened for modification	C:\Windows\SysWOW64\Edaaccbj.exe	Enhifi32.exe
File opened for modification	C:\Windows\SysWOW64\Hhimhobl.exe	Hejqldci.exe
File created	C:\Windows\SysWOW64\Dlofiddl.dll	Hhimhobl.exe
File created	C:\Windows\SysWOW64\Ieccbbkn.exe	Ibegfglj.exe
File created	C:\Windows\SysWOW64\Clpchk32.dll	Jimldogg.exe
File created	C:\Windows\SysWOW64\Fclhpo32.exe	Eqmlccdi.exe
File created	C:\Windows\SysWOW64\Panlem32.dll	Hnbeeiji.exe
File opened for modification	C:\Windows\SysWOW64\Ihbponja.exe	Ieccbbkn.exe
File created	C:\Windows\SysWOW64\Debcil32.dll	Noppeaed.exe
File created	C:\Windows\SysWOW64\Aehojk32.dll	Eahobg32.exe
File created	C:\Windows\SysWOW64\Kcapicdj.exe	Klggli32.exe
File opened for modification	C:\Windows\SysWOW64\Legben32.exe	Lchfib32.exe
File opened for modification	C:\Windows\SysWOW64\Lancko32.exe	Loofnccf.exe
File created	C:\Windows\SysWOW64\Ppnenlka.exe	Pmphaaln.exe
File opened for modification	C:\Windows\SysWOW64\Ajmladbl.exe	Abfdpfaj.exe
File created	C:\Windows\SysWOW64\Amkhmoap.exe	Ajmladbl.exe
File created	C:\Windows\SysWOW64\Amnebo32.exe	Ajohfcpj.exe
File created	C:\Windows\SysWOW64\Hhimhobl.exe	Hejqldci.exe
File opened for modification	C:\Windows\SysWOW64\Jpbjfjci.exe	Jhkbdmbg.exe
File created	C:\Windows\SysWOW64\Hobbfhjl.dll	Mledmg32.exe
File created	C:\Windows\SysWOW64\Fllhjc32.dll	Obqanjdb.exe
File created	C:\Windows\SysWOW64\Ihmfco32.exe	Ieojgc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8304	8208	WerFault.exe	349

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mljmhflh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njbgmjgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njedbjej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilfennic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kamjda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepleocn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oihmedma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppnenlka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fclhpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpqggh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabkbono.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cancekeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejjaqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpogkhnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jekjcaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loofnccf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nblolm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqgojmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqcejcha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccppmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enhifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fncibg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihpcinld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmaciefp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqoefand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnljkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hejqldci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mledmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qamago32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpljehpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfnhfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncpeaoih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddhomdje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbfkceca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcfbkpab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjjjgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gddgpqbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iamamcop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jimldogg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofegni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgdkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhifomdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckpamabg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fglnkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdpnda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajmladbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abfdpfaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhkbdmbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljpaqmgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obgohklm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obqanjdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckdkhq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbaahf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjggal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqoloc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppdbgncl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpjmph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgmhcaac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbldphde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kabcopmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljdkll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmkofa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiikpnmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbkml32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jhplpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lafmjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfldgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nijqcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fkcpql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibcjqgnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iehmmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjcohke.dll"	Kedlip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojqhdcii.dll"	Mlofcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pblajhje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amnebo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adjjeieh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgfbbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	75e9cb204f0bf17e2a349d23b5d0d860N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jafdcbge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agecdgmk.dll"	Dnljkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qikbaaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajohfcpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnlgh32.dll"	Cdolgfbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpqggh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naagioah.dll"	Nbnlaldg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lepleocn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mhckcgpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njbgmjgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hicpgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olekop32.dll"	Hemmac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plpodked.dll"	Mqhfoebo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lodabb32.dll"	Oqmhqapg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhkhop32.dll"	Amnebo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abjmkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfbhcl32.dll"	Egkddo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khiofk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohfkgknc.dll"	Modpib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bopnkd32.dll"	Ddhomdje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnoefe32.dll"	Ejjaqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eahobg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpemfc32.dll"	Laiipofp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgogbi32.dll"	Loofnccf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apjdikqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddfbgelh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hnbeeiji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heffebak.dll"	Ibgdlg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcoljagj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcfbkpab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Damlpgkc.dll"	Njbgmjgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fanmld32.dll"	Nqoloc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Piapkbeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iblbgn32.dll"	Amkhmoap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfibla32.dll"	Jekjcaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khbiello.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpagekkf.dll"	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aehojk32.dll"	Eahobg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iamamcop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpbjfjci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jeocna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphnbpql.dll"	Kpqggh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mofmobmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofjqihnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	75e9cb204f0bf17e2a349d23b5d0d860N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibegfglj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Labnlj32.dll"	Bpjmph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dalofi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 2724	5052	75e9cb204f0bf17e2a349d23b5d0d860N.exe	91
PID 5052 wrote to memory of 2724	5052	75e9cb204f0bf17e2a349d23b5d0d860N.exe	91
PID 5052 wrote to memory of 2724	5052	75e9cb204f0bf17e2a349d23b5d0d860N.exe	91
PID 2724 wrote to memory of 2676	2724	Hicpgc32.exe	92
PID 2724 wrote to memory of 2676	2724	Hicpgc32.exe	92
PID 2724 wrote to memory of 2676	2724	Hicpgc32.exe	92
PID 2676 wrote to memory of 2128	2676	Hpmhdmea.exe	93
PID 2676 wrote to memory of 2128	2676	Hpmhdmea.exe	93
PID 2676 wrote to memory of 2128	2676	Hpmhdmea.exe	93
PID 2128 wrote to memory of 1112	2128	Hbldphde.exe	94
PID 2128 wrote to memory of 1112	2128	Hbldphde.exe	94
PID 2128 wrote to memory of 1112	2128	Hbldphde.exe	94
PID 1112 wrote to memory of 2752	1112	Hejqldci.exe	95
PID 1112 wrote to memory of 2752	1112	Hejqldci.exe	95
PID 1112 wrote to memory of 2752	1112	Hejqldci.exe	95
PID 2752 wrote to memory of 4912	2752	Hhimhobl.exe	96
PID 2752 wrote to memory of 4912	2752	Hhimhobl.exe	96
PID 2752 wrote to memory of 4912	2752	Hhimhobl.exe	96
PID 4912 wrote to memory of 2624	4912	Hppeim32.exe	97
PID 4912 wrote to memory of 2624	4912	Hppeim32.exe	97
PID 4912 wrote to memory of 2624	4912	Hppeim32.exe	97
PID 2624 wrote to memory of 2668	2624	Hnbeeiji.exe	98
PID 2624 wrote to memory of 2668	2624	Hnbeeiji.exe	98
PID 2624 wrote to memory of 2668	2624	Hnbeeiji.exe	98
PID 2668 wrote to memory of 1416	2668	Hbnaeh32.exe	99
PID 2668 wrote to memory of 1416	2668	Hbnaeh32.exe	99
PID 2668 wrote to memory of 1416	2668	Hbnaeh32.exe	99
PID 1416 wrote to memory of 1732	1416	Hemmac32.exe	100
PID 1416 wrote to memory of 1732	1416	Hemmac32.exe	100
PID 1416 wrote to memory of 1732	1416	Hemmac32.exe	100
PID 1732 wrote to memory of 4424	1732	Ihkjno32.exe	101
PID 1732 wrote to memory of 4424	1732	Ihkjno32.exe	101
PID 1732 wrote to memory of 4424	1732	Ihkjno32.exe	101
PID 4424 wrote to memory of 4784	4424	Ilfennic.exe	102
PID 4424 wrote to memory of 4784	4424	Ilfennic.exe	102
PID 4424 wrote to memory of 4784	4424	Ilfennic.exe	102
PID 4784 wrote to memory of 264	4784	Ipbaol32.exe	103
PID 4784 wrote to memory of 264	4784	Ipbaol32.exe	103
PID 4784 wrote to memory of 264	4784	Ipbaol32.exe	103
PID 264 wrote to memory of 420	264	Ibqnkh32.exe	104
PID 264 wrote to memory of 420	264	Ibqnkh32.exe	104
PID 264 wrote to memory of 420	264	Ibqnkh32.exe	104
PID 420 wrote to memory of 2524	420	Ieojgc32.exe	105
PID 420 wrote to memory of 2524	420	Ieojgc32.exe	105
PID 420 wrote to memory of 2524	420	Ieojgc32.exe	105
PID 2524 wrote to memory of 4720	2524	Ihmfco32.exe	106
PID 2524 wrote to memory of 4720	2524	Ihmfco32.exe	106
PID 2524 wrote to memory of 4720	2524	Ihmfco32.exe	106
PID 4720 wrote to memory of 3840	4720	Ipdndloi.exe	107
PID 4720 wrote to memory of 3840	4720	Ipdndloi.exe	107
PID 4720 wrote to memory of 3840	4720	Ipdndloi.exe	107
PID 3840 wrote to memory of 4944	3840	Ibcjqgnm.exe	108
PID 3840 wrote to memory of 4944	3840	Ibcjqgnm.exe	108
PID 3840 wrote to memory of 4944	3840	Ibcjqgnm.exe	108
PID 4944 wrote to memory of 3608	4944	Ieagmcmq.exe	109
PID 4944 wrote to memory of 3608	4944	Ieagmcmq.exe	109
PID 4944 wrote to memory of 3608	4944	Ieagmcmq.exe	109
PID 3608 wrote to memory of 3440	3608	Ihpcinld.exe	110
PID 3608 wrote to memory of 3440	3608	Ihpcinld.exe	110
PID 3608 wrote to memory of 3440	3608	Ihpcinld.exe	110
PID 3440 wrote to memory of 4564	3440	Iojkeh32.exe	111
PID 3440 wrote to memory of 4564	3440	Iojkeh32.exe	111
PID 3440 wrote to memory of 4564	3440	Iojkeh32.exe	111
PID 4564 wrote to memory of 5040	4564	Ibegfglj.exe	112

C:\Users\Admin\AppData\Local\Temp\75e9cb204f0bf17e2a349d23b5d0d860N.exe
"C:\Users\Admin\AppData\Local\Temp\75e9cb204f0bf17e2a349d23b5d0d860N.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\SysWOW64\Hicpgc32.exe
  C:\Windows\system32\Hicpgc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\Hpmhdmea.exe
    C:\Windows\system32\Hpmhdmea.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\SysWOW64\Hbldphde.exe
      C:\Windows\system32\Hbldphde.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2128
    - - C:\Windows\SysWOW64\Hejqldci.exe
        
        C:\Windows\system32\Hejqldci.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1112
      - C:\Windows\SysWOW64\Hhimhobl.exe
        
        C:\Windows\system32\Hhimhobl.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Hppeim32.exe
        
        C:\Windows\system32\Hppeim32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Hnbeeiji.exe
        
        C:\Windows\system32\Hnbeeiji.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Hbnaeh32.exe
        
        C:\Windows\system32\Hbnaeh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Hemmac32.exe
        
        C:\Windows\system32\Hemmac32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Ihkjno32.exe
        
        C:\Windows\system32\Ihkjno32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Ilfennic.exe
        
        C:\Windows\system32\Ilfennic.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Ipbaol32.exe
        
        C:\Windows\system32\Ipbaol32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Ibqnkh32.exe
        
        C:\Windows\system32\Ibqnkh32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\SysWOW64\Ieojgc32.exe
        
        C:\Windows\system32\Ieojgc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:420
        
        C:\Windows\SysWOW64\Ihmfco32.exe
        
        C:\Windows\system32\Ihmfco32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Ipdndloi.exe
        
        C:\Windows\system32\Ipdndloi.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\SysWOW64\Ibcjqgnm.exe
        
        C:\Windows\system32\Ibcjqgnm.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\SysWOW64\Ieagmcmq.exe
        
        C:\Windows\system32\Ieagmcmq.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Ihpcinld.exe
        
        C:\Windows\system32\Ihpcinld.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Iojkeh32.exe
        
        C:\Windows\system32\Iojkeh32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Ieccbbkn.exe
        
        C:\Windows\system32\Ieccbbkn.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5040
        
        C:\Windows\SysWOW64\Ihbponja.exe
        
        C:\Windows\system32\Ihbponja.exe
        24⤵
        Executes dropped EXE
        
        PID:3400
        
        C:\Windows\SysWOW64\Ipihpkkd.exe
        
        C:\Windows\system32\Ipihpkkd.exe
        25⤵
        Executes dropped EXE
        
        PID:1584
        
        C:\Windows\SysWOW64\Ibgdlg32.exe
        
        C:\Windows\system32\Ibgdlg32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Iajdgcab.exe
        
        C:\Windows\system32\Iajdgcab.exe
        27⤵
        Executes dropped EXE
        
        PID:4056
        
        C:\Windows\SysWOW64\Iialhaad.exe
        
        C:\Windows\system32\Iialhaad.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\SysWOW64\Ilphdlqh.exe
        
        C:\Windows\system32\Ilphdlqh.exe
        29⤵
        Executes dropped EXE
        
        PID:3540
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\SysWOW64\Iamamcop.exe
        
        C:\Windows\system32\Iamamcop.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Iehmmb32.exe
        
        C:\Windows\system32\Iehmmb32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Jblmgf32.exe
        
        C:\Windows\system32\Jblmgf32.exe
        33⤵
        Executes dropped EXE
        
        PID:2068
        
        C:\Windows\SysWOW64\Jekjcaef.exe
        
        C:\Windows\system32\Jekjcaef.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Jhifomdj.exe
        
        C:\Windows\system32\Jhifomdj.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\SysWOW64\Jldbpl32.exe
        
        C:\Windows\system32\Jldbpl32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:416
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        37⤵
        Executes dropped EXE
        
        PID:3944
        
        C:\Windows\SysWOW64\Jaajhb32.exe
        
        C:\Windows\system32\Jaajhb32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3112
        
        C:\Windows\SysWOW64\Jhkbdmbg.exe
        
        C:\Windows\system32\Jhkbdmbg.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\Jpbjfjci.exe
        
        C:\Windows\system32\Jpbjfjci.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Jbagbebm.exe
        
        C:\Windows\system32\Jbagbebm.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5132
        
        C:\Windows\SysWOW64\Jeocna32.exe
        
        C:\Windows\system32\Jeocna32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Jhnojl32.exe
        
        C:\Windows\system32\Jhnojl32.exe
        43⤵
        Executes dropped EXE
        
        PID:5224
        
        C:\Windows\SysWOW64\Johggfha.exe
        
        C:\Windows\system32\Johggfha.exe
        44⤵
        Executes dropped EXE
        
        PID:5256
        
        C:\Windows\SysWOW64\Jafdcbge.exe
        
        C:\Windows\system32\Jafdcbge.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Jimldogg.exe
        
        C:\Windows\system32\Jimldogg.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5336
        
        C:\Windows\SysWOW64\Jhplpl32.exe
        
        C:\Windows\system32\Jhplpl32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Jpgdai32.exe
        
        C:\Windows\system32\Jpgdai32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5416
        
        C:\Windows\SysWOW64\Jbepme32.exe
        
        C:\Windows\system32\Jbepme32.exe
        49⤵
        Executes dropped EXE
        
        PID:5456
        
        C:\Windows\SysWOW64\Kedlip32.exe
        
        C:\Windows\system32\Kedlip32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        52⤵
        Executes dropped EXE
        
        PID:5576
        
        C:\Windows\SysWOW64\Kolabf32.exe
        
        C:\Windows\system32\Kolabf32.exe
        53⤵
        Executes dropped EXE
        
        PID:5616
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Kibeoo32.exe
        
        C:\Windows\system32\Kibeoo32.exe
        55⤵
        Executes dropped EXE
        
        PID:5696
        
        C:\Windows\SysWOW64\Klpakj32.exe
        
        C:\Windows\system32\Klpakj32.exe
        56⤵
        Executes dropped EXE
        
        PID:5736
        
        C:\Windows\SysWOW64\Koonge32.exe
        
        C:\Windows\system32\Koonge32.exe
        57⤵
        Executes dropped EXE
        
        PID:5776
        
        C:\Windows\SysWOW64\Kamjda32.exe
        
        C:\Windows\system32\Kamjda32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5816
        
        C:\Windows\SysWOW64\Kidben32.exe
        
        C:\Windows\system32\Kidben32.exe
        59⤵
        Executes dropped EXE
        
        PID:5856
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        60⤵
        Executes dropped EXE
        
        PID:5896
        
        C:\Windows\SysWOW64\Kpnjah32.exe
        
        C:\Windows\system32\Kpnjah32.exe
        61⤵
        Executes dropped EXE
        
        PID:5936
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        62⤵
        Executes dropped EXE
        
        PID:5984
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Kpqggh32.exe
        
        C:\Windows\system32\Kpqggh32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Kabcopmg.exe
        
        C:\Windows\system32\Kabcopmg.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6096
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:6136
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        67⤵
        Drops file in System32 directory
        
        PID:4516
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        68⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\Lepleocn.exe
        
        C:\Windows\system32\Lepleocn.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2116
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2472
        
        C:\Windows\SysWOW64\Lafmjp32.exe
        
        C:\Windows\system32\Lafmjp32.exe
        72⤵
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Lhqefjpo.exe
        
        C:\Windows\system32\Lhqefjpo.exe
        73⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Lojmcdgl.exe
        
        C:\Windows\system32\Lojmcdgl.exe
        74⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        75⤵
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        C:\Windows\SysWOW64\Lpjjmg32.exe
        
        C:\Windows\system32\Lpjjmg32.exe
        77⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Legben32.exe
        
        C:\Windows\system32\Legben32.exe
        79⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Llqjbhdc.exe
        
        C:\Windows\system32\Llqjbhdc.exe
        80⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Loofnccf.exe
        
        C:\Windows\system32\Loofnccf.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Lancko32.exe
        
        C:\Windows\system32\Lancko32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5888
        
        C:\Windows\SysWOW64\Ljdkll32.exe
        
        C:\Windows\system32\Ljdkll32.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:5960
        
        C:\Windows\SysWOW64\Llcghg32.exe
        
        C:\Windows\system32\Llcghg32.exe
        84⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Loacdc32.exe
        
        C:\Windows\system32\Loacdc32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6128
        
        C:\Windows\SysWOW64\Mapppn32.exe
        
        C:\Windows\system32\Mapppn32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:472
        
        C:\Windows\SysWOW64\Mjggal32.exe
        
        C:\Windows\system32\Mjggal32.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:6172
        
        C:\Windows\SysWOW64\Mledmg32.exe
        
        C:\Windows\system32\Mledmg32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6212
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        89⤵
        Modifies registry class
        
        PID:6252
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        90⤵
        Modifies registry class
        
        PID:6292
        
        C:\Windows\SysWOW64\Mfnhfm32.exe
        
        C:\Windows\system32\Mfnhfm32.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6332
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        92⤵
        Drops file in System32 directory
        
        PID:6372
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        93⤵
        Modifies registry class
        
        PID:6412
        
        C:\Windows\SysWOW64\Mbdiknlb.exe
        
        C:\Windows\system32\Mbdiknlb.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6452
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        95⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Mljmhflh.exe
        
        C:\Windows\system32\Mljmhflh.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:6532
        
        C:\Windows\SysWOW64\Mohidbkl.exe
        
        C:\Windows\system32\Mohidbkl.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6572
        
        C:\Windows\SysWOW64\Mcdeeq32.exe
        
        C:\Windows\system32\Mcdeeq32.exe
        98⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Mfbaalbi.exe
        
        C:\Windows\system32\Mfbaalbi.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6652
        
        C:\Windows\SysWOW64\Mhanngbl.exe
        
        C:\Windows\system32\Mhanngbl.exe
        100⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Mqhfoebo.exe
        
        C:\Windows\system32\Mqhfoebo.exe
        101⤵
        Modifies registry class
        
        PID:6732
        
        C:\Windows\SysWOW64\Mcfbkpab.exe
        
        C:\Windows\system32\Mcfbkpab.exe
        102⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Mfenglqf.exe
        
        C:\Windows\system32\Mfenglqf.exe
        103⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6852
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6892
        
        C:\Windows\SysWOW64\Momcpa32.exe
        
        C:\Windows\system32\Momcpa32.exe
        106⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:6972
        
        C:\Windows\SysWOW64\Njbgmjgl.exe
        
        C:\Windows\system32\Njbgmjgl.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7012
        
        C:\Windows\SysWOW64\Nmaciefp.exe
        
        C:\Windows\system32\Nmaciefp.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:7052
        
        C:\Windows\SysWOW64\Noppeaed.exe
        
        C:\Windows\system32\Noppeaed.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7092
        
        C:\Windows\SysWOW64\Nbnlaldg.exe
        
        C:\Windows\system32\Nbnlaldg.exe
        111⤵
        Modifies registry class
        
        PID:7132
        
        C:\Windows\SysWOW64\Njedbjej.exe
        
        C:\Windows\system32\Njedbjej.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Windows\SysWOW64\Nqoloc32.exe
        
        C:\Windows\system32\Nqoloc32.exe
        113⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Ncmhko32.exe
        
        C:\Windows\system32\Ncmhko32.exe
        114⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        115⤵
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Nijqcf32.exe
        
        C:\Windows\system32\Nijqcf32.exe
        116⤵
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Nmfmde32.exe
        
        C:\Windows\system32\Nmfmde32.exe
        117⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5652
        
        C:\Windows\SysWOW64\Nfnamjhk.exe
        
        C:\Windows\system32\Nfnamjhk.exe
        119⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        120⤵
        
        PID:644
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:6104
        
        C:\Windows\SysWOW64\Nofefp32.exe
        
        C:\Windows\system32\Nofefp32.exe
        122⤵
        Drops file in System32 directory
        
        PID:6156
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        123⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        124⤵
        
        PID:892
        
        C:\Windows\SysWOW64\Nqfbpb32.exe
        
        C:\Windows\system32\Nqfbpb32.exe
        125⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6448
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:6528
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        128⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        129⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        130⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Ocgkan32.exe
        
        C:\Windows\system32\Ocgkan32.exe
        131⤵
        Drops file in System32 directory
        
        PID:6764
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:6824
        
        C:\Windows\SysWOW64\Oiccje32.exe
        
        C:\Windows\system32\Oiccje32.exe
        133⤵
        Drops file in System32 directory
        
        PID:6880
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        134⤵
        Drops file in System32 directory
        
        PID:6944
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        135⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7076
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7140
        
        C:\Windows\SysWOW64\Oqmhqapg.exe
        
        C:\Windows\system32\Oqmhqapg.exe
        138⤵
        Modifies registry class
        
        PID:7176
        
        C:\Windows\SysWOW64\Oophlo32.exe
        
        C:\Windows\system32\Oophlo32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7216
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        140⤵
        Modifies registry class
        
        PID:7256
        
        C:\Windows\SysWOW64\Oihmedma.exe
        
        C:\Windows\system32\Oihmedma.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:7296
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7336
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        143⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\Obqanjdb.exe
        
        C:\Windows\system32\Obqanjdb.exe
        144⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7416
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7456
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        146⤵
        Drops file in System32 directory
        
        PID:7496
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7536
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        148⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\Pfojdh32.exe
        
        C:\Windows\system32\Pfojdh32.exe
        149⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        150⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\Padnaq32.exe
        
        C:\Windows\system32\Padnaq32.exe
        151⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7736
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        153⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\Pjlcjf32.exe
        
        C:\Windows\system32\Pjlcjf32.exe
        154⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:7856
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        156⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        157⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7976
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        159⤵
        Drops file in System32 directory
        
        PID:8016
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8056
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        161⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\Pidlqb32.exe
        
        C:\Windows\system32\Pidlqb32.exe
        162⤵
        Drops file in System32 directory
        
        PID:8136
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8176
        
        C:\Windows\SysWOW64\Ppnenlka.exe
        
        C:\Windows\system32\Ppnenlka.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        165⤵
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Pjcikejg.exe
        
        C:\Windows\system32\Pjcikejg.exe
        166⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Pmbegqjk.exe
        
        C:\Windows\system32\Pmbegqjk.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5648
        
        C:\Windows\SysWOW64\Qamago32.exe
        
        C:\Windows\system32\Qamago32.exe
        168⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5884
        
        C:\Windows\SysWOW64\Qclmck32.exe
        
        C:\Windows\system32\Qclmck32.exe
        169⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Qfjjpf32.exe
        
        C:\Windows\system32\Qfjjpf32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6200
        
        C:\Windows\SysWOW64\Qiiflaoo.exe
        
        C:\Windows\system32\Qiiflaoo.exe
        171⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Qmdblp32.exe
        
        C:\Windows\system32\Qmdblp32.exe
        172⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Qpbnhl32.exe
        
        C:\Windows\system32\Qpbnhl32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6516
        
        C:\Windows\SysWOW64\Qbajeg32.exe
        
        C:\Windows\system32\Qbajeg32.exe
        174⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Qjhbfd32.exe
        
        C:\Windows\system32\Qjhbfd32.exe
        175⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Qikbaaml.exe
        
        C:\Windows\system32\Qikbaaml.exe
        176⤵
        Modifies registry class
        
        PID:6756
        
        C:\Windows\SysWOW64\Aabkbono.exe
        
        C:\Windows\system32\Aabkbono.exe
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:6836
        
        C:\Windows\SysWOW64\Acqgojmb.exe
        
        C:\Windows\system32\Acqgojmb.exe
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:6924
        
        C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        179⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Aimogakj.exe
        
        C:\Windows\system32\Aimogakj.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7124
        
        C:\Windows\SysWOW64\Amikgpcc.exe
        
        C:\Windows\system32\Amikgpcc.exe
        181⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Apggckbf.exe
        
        C:\Windows\system32\Apggckbf.exe
        182⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\Abfdpfaj.exe
        
        C:\Windows\system32\Abfdpfaj.exe
        183⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1424
        
        C:\Windows\SysWOW64\Ajmladbl.exe
        
        C:\Windows\system32\Ajmladbl.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7328
        
        C:\Windows\SysWOW64\Amkhmoap.exe
        
        C:\Windows\system32\Amkhmoap.exe
        185⤵
        Modifies registry class
        
        PID:7388
        
        C:\Windows\SysWOW64\Apjdikqd.exe
        
        C:\Windows\system32\Apjdikqd.exe
        186⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7444
        
        C:\Windows\SysWOW64\Abhqefpg.exe
        
        C:\Windows\system32\Abhqefpg.exe
        187⤵
        Drops file in System32 directory
        
        PID:7504
        
        C:\Windows\SysWOW64\Ajohfcpj.exe
        
        C:\Windows\system32\Ajohfcpj.exe
        188⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7572
        
        C:\Windows\SysWOW64\Amnebo32.exe
        
        C:\Windows\system32\Amnebo32.exe
        189⤵
        Modifies registry class
        
        PID:7624
        
        C:\Windows\SysWOW64\Aplaoj32.exe
        
        C:\Windows\system32\Aplaoj32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7680
        
        C:\Windows\SysWOW64\Abjmkf32.exe
        
        C:\Windows\system32\Abjmkf32.exe
        191⤵
        Modifies registry class
        
        PID:7732
        
        C:\Windows\SysWOW64\Aidehpea.exe
        
        C:\Windows\system32\Aidehpea.exe
        192⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7852
        
        C:\Windows\SysWOW64\Adjjeieh.exe
        
        C:\Windows\system32\Adjjeieh.exe
        194⤵
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Bpjmph32.exe
        
        C:\Windows\system32\Bpjmph32.exe
        195⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8080
        
        C:\Windows\SysWOW64\Ckpamabg.exe
        
        C:\Windows\system32\Ckpamabg.exe
        196⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        197⤵
        System Location Discovery: System Language Discovery
        
        PID:5164
        
        C:\Windows\SysWOW64\Cgfbbb32.exe
        
        C:\Windows\system32\Cgfbbb32.exe
        198⤵
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        199⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Cpogkhnl.exe
        
        C:\Windows\system32\Cpogkhnl.exe
        200⤵
        System Location Discovery: System Language Discovery
        
        PID:5840
        
        C:\Windows\SysWOW64\Ccmcgcmp.exe
        
        C:\Windows\system32\Ccmcgcmp.exe
        201⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6280
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        203⤵
        System Location Discovery: System Language Discovery
        
        PID:6368
        
        C:\Windows\SysWOW64\Ccppmc32.exe
        
        C:\Windows\system32\Ccppmc32.exe
        204⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6584
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        205⤵
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        206⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        207⤵
        Modifies registry class
        
        PID:6960
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        208⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7088
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7172
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        210⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7268
        
        C:\Windows\SysWOW64\Dinael32.exe
        
        C:\Windows\system32\Dinael32.exe
        211⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3996
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4876
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        213⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        214⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\Dnljkk32.exe
        
        C:\Windows\system32\Dnljkk32.exe
        215⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Ddfbgelh.exe
        
        C:\Windows\system32\Ddfbgelh.exe
        216⤵
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Dkpjdo32.exe
        
        C:\Windows\system32\Dkpjdo32.exe
        217⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\Dnngpj32.exe
        
        C:\Windows\system32\Dnngpj32.exe
        218⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\Ddhomdje.exe
        
        C:\Windows\system32\Ddhomdje.exe
        219⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7960
        
        C:\Windows\SysWOW64\Dggkipii.exe
        
        C:\Windows\system32\Dggkipii.exe
        220⤵
        
        PID:440
        
        C:\Windows\SysWOW64\Dalofi32.exe
        
        C:\Windows\system32\Dalofi32.exe
        221⤵
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Djgdkk32.exe
        
        C:\Windows\system32\Djgdkk32.exe
        222⤵
        System Location Discovery: System Language Discovery
        
        PID:5644
        
        C:\Windows\SysWOW64\Ddmhhd32.exe
        
        C:\Windows\system32\Ddmhhd32.exe
        223⤵
        Modifies registry class
        
        PID:6248
        
        C:\Windows\SysWOW64\Egkddo32.exe
        
        C:\Windows\system32\Egkddo32.exe
        224⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6436
        
        C:\Windows\SysWOW64\Ejjaqk32.exe
        
        C:\Windows\system32\Ejjaqk32.exe
        225⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6744
        
        C:\Windows\SysWOW64\Epdime32.exe
        
        C:\Windows\system32\Epdime32.exe
        226⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6920
        
        C:\Windows\SysWOW64\Ekimjn32.exe
        
        C:\Windows\system32\Ekimjn32.exe
        227⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\Enhifi32.exe
        
        C:\Windows\system32\Enhifi32.exe
        228⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7320
        
        C:\Windows\SysWOW64\Edaaccbj.exe
        
        C:\Windows\system32\Edaaccbj.exe
        229⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\Ekljpm32.exe
        
        C:\Windows\system32\Ekljpm32.exe
        230⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7608
        
        C:\Windows\SysWOW64\Eafbmgad.exe
        
        C:\Windows\system32\Eafbmgad.exe
        231⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Egbken32.exe
        
        C:\Windows\system32\Egbken32.exe
        232⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\Ejagaj32.exe
        
        C:\Windows\system32\Ejagaj32.exe
        233⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\Eahobg32.exe
        
        C:\Windows\system32\Eahobg32.exe
        234⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Edfknb32.exe
        
        C:\Windows\system32\Edfknb32.exe
        235⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        236⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Ejccgi32.exe
        
        C:\Windows\system32\Ejccgi32.exe
        237⤵
        Drops file in System32 directory
        
        PID:1156
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        238⤵
        Drops file in System32 directory
        
        PID:64
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        239⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Windows\SysWOW64\Fkcpql32.exe
        
        C:\Windows\system32\Fkcpql32.exe
        240⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7612
        
        C:\Windows\SysWOW64\Famhmfkl.exe
        
        C:\Windows\system32\Famhmfkl.exe
        241⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7840
        
        C:\Windows\SysWOW64\Fdkdibjp.exe
        
        C:\Windows\system32\Fdkdibjp.exe
        242⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2340
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        243⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Fncibg32.exe
        
        C:\Windows\system32\Fncibg32.exe
        244⤵
        System Location Discovery: System Language Discovery
        
        PID:6900
        
        C:\Windows\SysWOW64\Fdmaoahm.exe
        
        C:\Windows\system32\Fdmaoahm.exe
        245⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6724
        
        C:\Windows\SysWOW64\Fglnkm32.exe
        
        C:\Windows\system32\Fglnkm32.exe
        246⤵
        System Location Discovery: System Language Discovery
        
        PID:3620
        
        C:\Windows\SysWOW64\Fjjjgh32.exe
        
        C:\Windows\system32\Fjjjgh32.exe
        247⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        248⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6580
        
        C:\Windows\SysWOW64\Fdpnda32.exe
        
        C:\Windows\system32\Fdpnda32.exe
        249⤵
        System Location Discovery: System Language Discovery
        
        PID:7808
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        250⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Fqfojblo.exe
        
        C:\Windows\system32\Fqfojblo.exe
        251⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4928
        
        C:\Windows\SysWOW64\Fcekfnkb.exe
        
        C:\Windows\system32\Fcekfnkb.exe
        252⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\Fklcgk32.exe
        
        C:\Windows\system32\Fklcgk32.exe
        253⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7484
        
        C:\Windows\SysWOW64\Fbfkceca.exe
        
        C:\Windows\system32\Fbfkceca.exe
        254⤵
        System Location Discovery: System Language Discovery
        
        PID:5144
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        255⤵
        System Location Discovery: System Language Discovery
        
        PID:8208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8208 -s 412
        256⤵
        Program crash
        
        PID:8304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4172,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4116 /prefetch:8
1⤵
PID:8024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 8208 -ip 8208
1⤵
PID:8268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adjjeieh.exe

Filesize
1000KB

MD5
1d38ff9240447a61d44fe22ec3bf9d76

SHA1
05bdb5fb9607ea82b641113b5a113157f3805e48

SHA256
fa0c2962625d7c7b61cf72e595e355e02376986576dbc37409832348ce2a282e

SHA512
b607abf54602e25efff06ef731570af553c3c6ffa9b6094515877c5a4653bbd8d340a7e712d265a5b49dd31057babc6d30f7c2b79e1090dc8250a9c1aa4bf424

Download Submit
C:\Windows\SysWOW64\Cildom32.exe

Filesize
1000KB

MD5
d079a1d3ad6018c9340889e268ca42b0

SHA1
a4f83d4a575799ea784bb9969fbe3aa2d62645f8

SHA256
39481b6ae184df17127577d94ac93a22b71d1cf4c5025eb669454f7487c5f80f

SHA512
c901ac8a857457539f737c3428a8f2f0be6fe6d5e71e0f662b0ad2402fd2893006e614f5617d792f455dbd7798665b3e659d77ae24f172bd16f5a81a89e3bb7f

Download Submit
C:\Windows\SysWOW64\Ckpamabg.exe

Filesize
1000KB

MD5
09c51658da662ce1b4d5c7ab16b00975

SHA1
00611849e64465d7f5a7f56318eb155706a35b33

SHA256
c0f77fd35ff5127daa2f76e687babfc0135e672fe5f3d3f4642cebe1cf02ce41

SHA512
7eb298d1cb73dab1e2f04fec68d3fea21e2114efcfefb08d28bae1715131dc29e6dd2425338bdff220ccd9c93abf75d4d8cc3e5d81c0a0093caddd0bb5597291

Download Submit
C:\Windows\SysWOW64\Dggkipii.exe

Filesize
1000KB

MD5
4d8dbd9858d090be87987d7e8af17f74

SHA1
7771ed623288e38266963d8de01c9d2054a9d512

SHA256
dda062d2096fbb758fa1e642f4df6d810ca926272cb96eafa28c1f9562fdf694

SHA512
b5597311bcc4f5b712bcad6a3571ef7c51c99e2a0ddd8eb859d1605e56fe10687e2d4516f5bb1e50920f6204f3d977cd7aa768bc5fbe821a399a31e328c760a4

Download Submit
C:\Windows\SysWOW64\Djgdkk32.exe

Filesize
1000KB

MD5
74417a1c09ec6f573696cba71d55d8be

SHA1
8034cd1acb34d620179c3a320cd768bb7101d326

SHA256
a96bc808e0a6e3b4cf2db6ab0889cc2e65a899f525b59fcd88180262e5f175d6

SHA512
5959bbc59932227ac0953eb190eeb75f95eca202a12b52e1d7930d0a1ac98b717597fa8038a46ab7a3385d5d7dabc8450a45fa6fb81a9503766cf9eb6893889e

Download Submit
C:\Windows\SysWOW64\Dnljkk32.exe

Filesize
1000KB

MD5
9aaa0b424116112aa44ef83c62435b19

SHA1
455211fa0f42aba327314beec915a0a932ca1a0f

SHA256
a05efbdc4aa9e01ff21cbe2c09cb07fded1f0bc6c6bbf6509db447683c8875ec

SHA512
bf23136ed5347ad16107832c128af317282adc1c5f0b8c85cab725b397ee9ba1164174d0d6c0fdd51b6ffa33ad061cc075b443020e07718c66ea443a398520bb

Download Submit
C:\Windows\SysWOW64\Eafbmgad.exe

Filesize
1000KB

MD5
be5075a378e190b570579613056eea78

SHA1
eaa4bd19759e351f4119decc1920808f4f30a215

SHA256
645549a2b4145482f4d8051f405f2773e1cb9dbece8c91135de52736c3acbf2e

SHA512
9a85522f1af8ea7653217f6da7af63bb5a8e1e3203d6d85ba3c9423ee3b9cc6b4251f2f4b55e106f58697552ae3426af7fa07886791bc9485b481a94d74e77ee

Download Submit
C:\Windows\SysWOW64\Fdpnda32.exe

Filesize
1000KB

MD5
801c1732ecd9e5c7060d4c014f301477

SHA1
f7fce0a75c5c5183eb47f4135d2357c9b000a2d7

SHA256
4b40aaac23a52190af437539a03a197bc068550082586ad8fcca553ffff89ac2

SHA512
f16dfcb9f719c324133a7e734a8d86c2117edfd5ec857ea5ad5c3c26ce43cc8cc70d5c94060534890869a0c8930d93b92f93cb740be4db03b4c649951015e491

Download Submit
C:\Windows\SysWOW64\Fgiaemic.exe

Filesize
1000KB

MD5
dcf938d0ac417cb449caf75997a00e9a

SHA1
e64daa1273e768b84bba378fe9de654eaa22699b

SHA256
58e3a9dd0d4562beb5815f87899d18158d0c0874017f3f42b458287024a56049

SHA512
61a9841d62ffcf7bc9f2ffecfe417bc61a2a68480c98b735050af531cbe8be0b160710a1d44d25a04f5b037c4c71fa2e5dcb761bf6cc11160e5c6c4e6c6d9bab

Download Submit
C:\Windows\SysWOW64\Gifffn32.dll

Filesize
7KB

MD5
b9a0e0d4e22bd560441caeabe910a827

SHA1
fbad045b54d47c47bcc1c3a2e4068f6dae65c15e

SHA256
4e7bdac93a208d4955a1fa2e5864307ee4f336dcbd0d969e32b455185f1b9a1f

SHA512
cef6f97539de71e38c2a3421256448504b80ce9dd19bae53825ea5dedb7356464db14c2acbcbe1f105dde962e06bc7247ee7afca704ec1bcf20f1eccefef8732

Download Submit
C:\Windows\SysWOW64\Hbldphde.exe

Filesize
1000KB

MD5
76a81e4b5db6a728c2246f25314bee2d

SHA1
21c37b258ffd0eadffce69bdf16749dcc5df549f

SHA256
27d3defc3ab3ad55b1b62aaf08d4b347347221857022d98a116cd4685c5452a6

SHA512
a431e1fce0faac4616f0384778a1c27dc9ea02730c842b74876f2b76f4774eed120a544378ec176f7cb7e8f39eb76aceaac066e82750a4a444d9d3bcf4161c22

Download Submit
C:\Windows\SysWOW64\Hbnaeh32.exe

Filesize
1000KB

MD5
da5c467e0345b59f8ccd58c44b32e01c

SHA1
9e28380c9da5f1be9d85cd3f582d04e465588095

SHA256
f90d4baf2ee86081a19619fcbe20f6abf3f4c38c44732718ac5bebdbf324ae29

SHA512
ad028792b7d6e058da2dacc51401b5b54d0fd54badec1c7b11c0439ce2fa505eadf8ea897f58aaf74caae54262817b916b84837be40e1465edc403bdb1f512e9

Download Submit
C:\Windows\SysWOW64\Hejqldci.exe

Filesize
1000KB

MD5
804453380c09a9104f0275a6fb7f8018

SHA1
033d4cd2a909476e442a174c7d5200de70b12ae1

SHA256
f612ca92ef30cf519f594e5b9c825ba676d26f41b41d897754fa4ed29d9992e0

SHA512
c49f2cfd4f54462af81bb9ac7f0e269bcf7a185ceadb9823f6aaee0ae097a8a04e0f9b7367a41dc7dbf2aaecf288a74ea183843af1d6de88f5e83ae5c14bac7e

Download Submit
C:\Windows\SysWOW64\Hemmac32.exe

Filesize
1000KB

MD5
623ecc3f8c4c45f9de7fd3f3465cc0e0

SHA1
223d12e0a425d28c87653c43b6e91cb67fdfc4e8

SHA256
d1c2ab856dbf71501e20ca096fb183bc31ff5bb62950c8952ea8ec479e941854

SHA512
1e88600315b219851cdc5a4710087dff9ff1a90085f922e1bd8eaca715391aa076cf414eac825ea6ad4c144f018e3d2e80166910d48849deac42c6b25be6f3df

Download Submit
C:\Windows\SysWOW64\Hhimhobl.exe

Filesize
1000KB

MD5
ac60c20aa9a9b53135a49af37c919fad

SHA1
a7a7a7c32d9eb8b43ef737c9b3c54b1463a4aa3f

SHA256
46619154ca8d0c666c2d745d9018c172b0bc1749bac4e486976003ba52b723f8

SHA512
fa44473ca406f7d79f8570da85379baf3ec69334e8bcc86473f7c0de5c5e6746503a8a457418ca1640aec4bfb39defd4dee2ad1c33c1e2fe89bc494365943002

Download Submit
C:\Windows\SysWOW64\Hicpgc32.exe

Filesize
1000KB

MD5
63364325eef0e5ec54badb12f29eb3fa

SHA1
c6f9ae25848e35f95ba1e8e525b47eef26be2138

SHA256
0ff4977aeb02c3d31e08cc5b35185e04584f2ffe0023498fb63337315f565dfe

SHA512
731a0964bc2180e98751a7b4145464f6da88452b5eb7a1f16e7801f9471e4e2ff6e75c63afaf92617db980c812ec8e25d4e0ca9eca47f9a1d9b663cced8ee1b9

Download Submit
C:\Windows\SysWOW64\Hnbeeiji.exe

Filesize
1000KB

MD5
6b0daf1e30810fcb607375800249ca8f

SHA1
0876e13d9b4989f8b561f5f5974f1622f802eb04

SHA256
5578ddcd0950aed5022f4f3efcb8e600fd9d5e5036b4e2aef5bb8be9da5ad707

SHA512
c9c1f50389eafc9a3117c2ee87fc48b351c1cb9a824ec6e41c76c7236cdd046c2a9e7a52286a6ae32d3c432125cb71afc27cf26873bd151d74ef3fc86289ca80

Download Submit
C:\Windows\SysWOW64\Hpmhdmea.exe

Filesize
1000KB

MD5
eaca9fd60c5c07fb49f996a1377df8d8

SHA1
ef970f786230c4b08fa91167495586205d29ec2b

SHA256
da84cb1a2feb509a66a70da5ed5f9d3ad09fc1384233c468bdff597ef5fb7738

SHA512
412b82697effddd079fe0329927c2879629662389f37b540895c7f705c81e952493baa9d616641c90469671e0cabc2e8299ab0c6039f5856e44b2b998fc15324

Download Submit
C:\Windows\SysWOW64\Hppeim32.exe

Filesize
1000KB

MD5
33d22ddfe97851c4254bc8000b948dda

SHA1
8d3b6bb6ab9068ff612795a2f76881893c86caef

SHA256
7e0c3a32bd084f51211169b043e6d2175364447534d195e3b7192bdde89c73c2

SHA512
24add749f460ef028269007f9d6c55b4554b3fd2196c7ffb13e7f8b1a8dc98262ee83277e22b9c6909af641158b3fd3808e2e738856e692aa2b5eccc41e37437

Download Submit
C:\Windows\SysWOW64\Iajdgcab.exe

Filesize
1000KB

MD5
d890e1d2be07003b74e7c7a215a17a28

SHA1
14e2892508afdb4ea2c616ffb2bea38cb360ec26

SHA256
2fb7dbe36d1a816fac79780c02be45362bc1e36b70e1aed0fcde0c09c69c8c14

SHA512
909d5f9eed26c09258c523a901f0104c92283673e0283cc6e8936886650a52c671e2ac0b21199cb56a3281ff9a3f5f96404d1b8cf79f4e05067a349795f6af61

Download Submit
C:\Windows\SysWOW64\Iamamcop.exe

Filesize
1000KB

MD5
248f21cd0af9beeef44940eee9634019

SHA1
f291453428ff6015291d662b5bab1166ecd01483

SHA256
ec0c03b7cc04e02bba31e250d8aa87408751223518a158c526f8ea7d12ecc186

SHA512
e8c6f7b0d0ef3e0cf3523c28bbfbf773f171f24d74006925ebcdfa325b9af65acfa297ebe54030a883c06d2ecc716fff6abc2975a31d32729647a7d8681ab3c4

Download Submit
C:\Windows\SysWOW64\Ibcjqgnm.exe

Filesize
1000KB

MD5
b49d413c1108d33b315a78d9221e5fd7

SHA1
c903f4b8687004d984e7cbadd2db4e6e10bf5d1b

SHA256
be0ae38bc8b0f6c7a5a0acbfff7ca8699611c61de00b77a12ce0696913b484a8

SHA512
aa84973f5f75a1518e82c6e6c5e0f83df3ca421634753cf22e7079db4cbbfcfff2f0ca7f58fd0b0df99c511fb2dbea0660b68875f911babc00181ea653cc0b96

Download Submit
C:\Windows\SysWOW64\Ibegfglj.exe

Filesize
1000KB

MD5
dcb8bf74dff3efb6ac37b755ab29e17b

SHA1
1f4da8267017b49e2d1783953edcd10b66557d95

SHA256
7753a9183b70c65c6fcaae05ab15e60036b164f17cedc16d61d09f8194415718

SHA512
1cc145625630825f627e5b3c2950f25494ff1b34dce2302e86d76a49c995353f1195ba71d72cd3d324602d4a456bff13a0a417afce9773bebe6f3ac839ade896

Download Submit
C:\Windows\SysWOW64\Ibgdlg32.exe

Filesize
1000KB

MD5
d8e7181789791b3f02f9bf8d2e754021

SHA1
cc983e4771ae9d02dc9eaee97c31c2cfaf8fb21b

SHA256
a95aac31096715c7f8fcd5a2eaf784f903b5af5333d0cadcb9f64607ef155d0e

SHA512
cb0c0b0d7bb0dda92452dbeaa94695d6cfb57ff1c6e0a82d947afe88a607a546af11bb68436a874aae7bd1e8ccd5772b6d44a97b5399c4101690a168a69a75ea

Download Submit
C:\Windows\SysWOW64\Ibqnkh32.exe

Filesize
1000KB

MD5
79711052c167604018341d742e3fe430

SHA1
1e70053bf6d4d8237e20627df068d34f5d261068

SHA256
f5acc1b85cc9de0a2b5d74891353e02fada682c71be8b5f1cbe813e81efeb3d3

SHA512
b6cf43cb1b2c9515bae92c49b094a309192819b1c21bae52120d094e3e569089961ed35bb0e7d41bc775496d3b1726a671cf84950ac082f55f9fda4b6d0bb276

Download Submit
C:\Windows\SysWOW64\Ieagmcmq.exe

Filesize
1000KB

MD5
c81b500171885082672f779b3e693ac5

SHA1
14908d6cc2daca78ab01c284770e1aca053ff38d

SHA256
dfc67562d5308732c0b26fdaab162673f9b637afcee101cf3040930c390f744c

SHA512
1bf51772b34cf338f6edb93ba34937e9dcd0f317006e676398c68109fa0dfecce1335a76e7e557e323a01b07bd631244ca4257f10769bb6fadfe8a21c2a58e07

Download Submit
C:\Windows\SysWOW64\Ieccbbkn.exe

Filesize
1000KB

MD5
a1593953398b1d7b8c498b723be5d984

SHA1
fbd965784eb01018e40e8b7e4eafd41e669f2d21

SHA256
d3454fd3c550dff7bf7199e88705e48c2a3cdb70064f970d6e31a59cd1bd157e

SHA512
e9fb93b05ac68330f41c57379bb21f36c3ca249f76a7fc9580844b5c1fa14907fe3fe5eb764305da2cf15af153341c2824a1f02a76abdb4d7a5bc3a3d58f23ca

Download Submit
C:\Windows\SysWOW64\Iehmmb32.exe

Filesize
1000KB

MD5
bfb2b5972f461b97332a873484d295b4

SHA1
735bf234c5734f0608b5fa27a9be3d88323511ac

SHA256
d5ed19197a6d5370820174ef7e02c1dc8d0e718c2f577da3ea0f4920bbefe470

SHA512
f7f041f0e4815b950d684226dab5feab9000f8700fb94e606d551e97bde70145007d8b9d28d403dd4d68e423bf0bb254eb5d8574a75a26358f8775857653f7c0

Download Submit
C:\Windows\SysWOW64\Ieojgc32.exe

Filesize
1000KB

MD5
909a444a9ab34a3694205126685c5b17

SHA1
e3bdffdc1c7c8d04c51473cca603094292ba3b1d

SHA256
dd555a6e4f19ebaecb923bed47dedd3f4abb238c0411f2ba3d1c533fea7693dd

SHA512
c0c30861f6ffe8727a522e51608ccc047953e46085e61e721f3bbba381501cb04445f0842c9b09167928e1d58da9ef78c538d2a9463aa2a1da98f76beef34326

Download Submit
C:\Windows\SysWOW64\Ihbponja.exe

Filesize
1000KB

MD5
3a501b30d8c2b6f0e0c0d11cad029d5b

SHA1
384c9399d449be64d2e5d94cc98ca4e24456199e

SHA256
ae937713df347ba1c1b640e8a28a3c901fab07b4d8c612412fe1444289da9416

SHA512
d17a3275ec1616ce8489dcf8b2409d9508f2b6bc382c900cd2cb5099bf483a3d9606b4c6215a0bc9ee1a9254de168213ed38a4fd144835548cd6e79549541158

Download Submit
C:\Windows\SysWOW64\Ihkjno32.exe

Filesize
1000KB

MD5
621daafcaea62ca513a208ff6e1617fa

SHA1
b9161bd056b01338b02a4b953bdceb85ce0cbb5b

SHA256
d048f78fc85c9600a181db20e880b14ea128a1e142e59043e961e20ff1fffc0f

SHA512
ac92a9a191c6aef90aad69fc0172d9142478ef3efa6cf93dfa950042084b7d85eeb5a76cf335abc9ce3bcaa094716cb7e2fe3869a7ac71a2c8d26c24986a2be1

Download Submit
C:\Windows\SysWOW64\Ihmfco32.exe

Filesize
1000KB

MD5
3aed64bacd540e261e7be27b825d4662

SHA1
e69c2469208eb36580a6073579ce348f9be3604c

SHA256
f1d835ef1dbba9f4a3a196a1dea751bd29d029b18332e00d4ccb1a9d548a67de

SHA512
22daea151fc3750f032191914314ce43cbcb719a8f818a8d47a0ad060a94f52a9a237c6ef6531755c8599f20695287b4882eb6fa083717e963e3f828c7029f49

Download Submit
C:\Windows\SysWOW64\Ihpcinld.exe

Filesize
1000KB

MD5
4914317f585c3b74fa11c41905c72ffb

SHA1
fde351e2d9b4a92a7139e8b254e30946aaace6fd

SHA256
af3cf901b7cc0f7a9ad6555efa209cb89f40c901b07fcea8e3f07e931410ccad

SHA512
49ea9fcf866b6334a6ad645fb7321a722233cd6d6f03c70bcc3382f8a28b556145d7a1bc04bd6c800b952f63330a859b1d6912f781bd63af9cf64e15eee7c602

Download Submit
C:\Windows\SysWOW64\Iialhaad.exe

Filesize
1000KB

MD5
f15c352774ef2d034dbfe2beda3cefcb

SHA1
cc369ed3f7a6749f6ea9be7a5b3491e1fb653c71

SHA256
adc0b7284369bd5e4c303125209ff75f06824a52f49f1ae77cce8e05c95450f4

SHA512
7d7562830cd11d9a8a973f0e8dfd13d8152838299658e2b0e149d25fc7117f5371cf0916d38216ae8d571a1da84fc5ee6ddd4c3d3677c9bbfc03cd0cc2275fe2

Download Submit
C:\Windows\SysWOW64\Ilfennic.exe

Filesize
1000KB

MD5
27780e8b50b7556eb3c5c2dc9ee1a497

SHA1
8328c46cc29496ba132eec481b0add239e9ca753

SHA256
1cfbd1fe45b27447247d4b9a2f452d87b9936456af8cab354765e25e73abe620

SHA512
a847a015b3c527372150afe52dcdec41771a61b178efd343a383a5bdc8ccd173b559cda3cb23dc836a7f89055005448a43d251be6d7d0af19e5ca2cf5386ebe2

Download Submit
C:\Windows\SysWOW64\Ilphdlqh.exe

Filesize
1000KB

MD5
9b70ab67827fb3a7a6f576fc47e987cc

SHA1
98248ad18c2d7f299cc6d976f55e8600c8ad907e

SHA256
87941621c2df08499183585ab65c647a536f2de697a005e94fce2831154d0ba8

SHA512
1fbe6422e73e309882c60d08ddc322e43d8d1470107169622ce120258055a51f279fe75ae31b72de751ab6472931e2a8e2af911e5ca30028cd49b51580b870ea

Download Submit
C:\Windows\SysWOW64\Iojkeh32.exe

Filesize
1000KB

MD5
aff27e330a5ac63ee67d0d4f1b9b20ed

SHA1
028a4c6424e576d6933826fe3a075a1caf5109e7

SHA256
56273130ec39bd0188db82a255068f8f1df969e80798a0b5ff1867c37073918e

SHA512
42e53103f63c3ee63de3798fe2551dc50e04f3510c6578978c39d4dd1484a4693043383600bfa59a6808ce3a9c0b87b817735750dd0da4c4f75ba82435c3c715

Download Submit
C:\Windows\SysWOW64\Iondqhpl.exe

Filesize
1000KB

MD5
901b078cbfd8ae2b9736ae435c2ebb9c

SHA1
9e608a748a61e87b68697fbd76010b3319b08379

SHA256
ebdc28d2a5e2f08c8bfff8c20505c7f44edf867a657109119792ba98345303ab

SHA512
8d1956cb8ef554a7f8e9f8d2ed1a5779e314ca58e11e253f9514195f32a0a41a069b4ff1011d4410d3a0bba5f8c6bb90d59538af1778fc9b7401d6b1cf1bb816

Download Submit
C:\Windows\SysWOW64\Ipbaol32.exe

Filesize
1000KB

MD5
46360cc9fcec4ca271e152131eb445fc

SHA1
a3c0ea2a67d8e45ccfd11b36422d0cd1d9b3db47

SHA256
bf4790a6239203675ed7c5d500b6256bd6752691266cf3cbc2ec04bef11c80a7

SHA512
aa7fffbc70500882fbf6656d0a4f32ce355365ecb127a474da40d5d370370b493bce05ada92064ed20ad0755d378b5e59ceddf1fc808123daf0c72d010305078

Download Submit
C:\Windows\SysWOW64\Ipdndloi.exe

Filesize
1000KB

MD5
71840527bfe1c09a918945546b6adf4d

SHA1
ad6e6dcf3809dc88589fa48fcc3d3ca37cba1e0a

SHA256
3b2c5a55bef1793e52c8b753df256bafa10bbf96668b498ae062437981aa0224

SHA512
45325262fce6fbe368d002db97672ba4dfd1bfa914ceeee312da72a4668dcfcf75377d41164be363c79a2ea1bd6ed1d20f7aeab2ca13e995101816ce21a51f09

Download Submit
C:\Windows\SysWOW64\Ipihpkkd.exe

Filesize
1000KB

MD5
787215893a7caf69b49141df4a5d7fe5

SHA1
b9b9d8cb6a1554addf9dd713436d4fb32f527f1e

SHA256
ae398cfe361674f16b4c87a19031f9799cb5538a6402c30c3e7d0752361a0300

SHA512
0f6f4c152cb0dffb281d4623b81660723ddfcbd16c9f67efa9fd20c782004b62bee40ab80f62be39869fc4734c46ec72332c79d8823454156704a1f0936245c3

Download Submit
C:\Windows\SysWOW64\Jblmgf32.exe

Filesize
1000KB

MD5
809a4a723fa269a2904ad65f6db0bedc

SHA1
425de96a207cffe183322d4f94e7a88a45bb0c7d

SHA256
12dd634f7a948163ae8272f271af0aa7dfcde286e1a66d28686d6f1c29d157c2

SHA512
0a8a17497f92b6dd896e37e0bbfdbf04c2cbfcac9dac022dae169a54f92f9045c17c960f986aac758f49a28509b59cc546b911dd4f24c9c26aa4349da2ff3221

Download Submit
memory/264-108-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/416-279-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/420-116-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/472-581-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1112-36-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1404-477-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1416-76-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1584-196-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1704-297-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1732-84-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1928-471-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2068-261-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2116-483-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2128-28-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2472-489-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2500-237-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2524-125-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2624-60-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2644-220-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2668-68-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2676-21-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2724-556-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2724-7-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2752-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3112-291-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3364-253-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3400-188-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3440-165-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3536-273-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3540-228-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3608-156-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3656-267-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3840-140-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3868-244-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3944-285-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4056-212-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4296-204-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4424-92-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4516-465-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4564-172-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4640-303-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4720-133-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4784-100-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4912-52-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4944-149-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5040-180-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5052-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5052-549-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5132-309-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5140-495-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5176-314-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5208-501-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5224-321-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5256-327-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5292-507-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5296-333-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5336-339-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5368-513-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5376-345-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5416-351-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5444-519-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5456-357-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5496-363-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5520-525-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5536-369-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5576-375-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5600-531-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5616-381-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5656-387-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5664-537-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5696-393-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5732-543-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5736-399-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5776-405-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5808-550-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5816-411-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5856-417-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5888-557-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5896-423-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5936-428-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5960-563-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5984-435-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/6016-441-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/6048-569-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/6056-447-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/6096-453-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/6128-575-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/6136-459-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/6172-587-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/6212-593-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/6252-599-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/6292-605-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/6332-611-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/6372-617-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/6412-623-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/6452-629-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads