5a7fd65a6c0ba3928aa1289fcd5c040b5c951e08b15ef5c9a48ceda1ce2bcceb

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f1a039862d17e301a6a98a1666f7ed0N.exe
Size

192KB
MD5

7f1a039862d17e301a6a98a1666f7ed0
SHA1

e6ce0a4a0c7f848f1cccae958db647f2a197d93d
SHA256

5a7fd65a6c0ba3928aa1289fcd5c040b5c951e08b15ef5c9a48ceda1ce2bcceb
SHA512

9b076f6a571e6d14a1514f957a471931cc57bbe56f41c20ae4943cb0a3c266a2920edeeba3896a44dc6879b105355bdc5f429d3750e928a6f3789183cd311cc6
SSDEEP

3072:nayUI7pJJJF3kxmWoJDrLXfzoeqarm9mTKpAImSKeTk7P2T9LA2:HFWmBlXfxqySSKpRmSKeTk7eT5A2

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmlhii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdgljmcd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmnldp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbdgfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gkaejf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kipkhdeq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghlcnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgfooop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpgfooop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klqcioba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbgdlq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icgjmapi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgagbf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifllil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mplhql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kiidgeki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbaipkbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gododflk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcioiood.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ghlcnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbgdlq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiidgeki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpjcdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Megdccmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe

Executes dropped EXE 64 IoCs

pid	Process
3524	Foabofnn.exe
4692	Fcmnpe32.exe
968	Fhjfhl32.exe
3904	Gododflk.exe
3348	Gfngap32.exe
2180	Ghlcnk32.exe
2424	Gofkje32.exe
4360	Gbdgfa32.exe
3344	Gdcdbl32.exe
1552	Gmjlcj32.exe
1976	Gbgdlq32.exe
4736	Gdeqhl32.exe
3304	Gmlhii32.exe
324	Gbiaapdf.exe
1160	Gicinj32.exe
4652	Gkaejf32.exe
4676	Gfgjgo32.exe
5060	Hkdbpe32.exe
4716	Hbnjmp32.exe
2984	Hihbijhn.exe
4820	Hobkfd32.exe
4408	Hcdmga32.exe
1836	Hfcicmqp.exe
3260	Immapg32.exe
2804	Icgjmapi.exe
4748	Iicbehnq.exe
4536	Imoneg32.exe
220	Iblfnn32.exe
1584	Iejcji32.exe
4972	Imakkfdg.exe
2152	Ibnccmbo.exe
2492	Imdgqfbd.exe
2640	Icnpmp32.exe
1672	Ifllil32.exe
2004	Iikhfg32.exe
3152	Ilidbbgl.exe
2052	Ibcmom32.exe
216	Jeaikh32.exe
1292	Jmhale32.exe
3100	Jpgmha32.exe
1444	Jbeidl32.exe
3388	Jedeph32.exe
4512	Jlnnmb32.exe
588	Jpijnqkp.exe
4948	Jbhfjljd.exe
1984	Jianff32.exe
1368	Jplfcpin.exe
4848	Jehokgge.exe
2000	Jmpgldhg.exe
3916	Jcioiood.exe
1756	Jeklag32.exe
976	Jmbdbd32.exe
4704	Jcllonma.exe
3036	Kfjhkjle.exe
5032	Kiidgeki.exe
3468	Kpbmco32.exe
4660	Kbaipkbi.exe
2440	Kepelfam.exe
4908	Kmfmmcbo.exe
2588	Klimip32.exe
3612	Kfoafi32.exe
4800	Kimnbd32.exe
376	Kpgfooop.exe
3320	Kbfbkj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mplhql32.exe	Mmnldp32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Hfcicmqp.exe	Hcdmga32.exe
File created	C:\Windows\SysWOW64\Ejckel32.dll	Jlnnmb32.exe
File created	C:\Windows\SysWOW64\Lebkhc32.exe	Lbdolh32.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Nnneknob.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Mjddiqoc.dll	Jbhfjljd.exe
File created	C:\Windows\SysWOW64\Okokppbk.dll	Kefkme32.exe
File created	C:\Windows\SysWOW64\Glccbn32.dll	Iicbehnq.exe
File created	C:\Windows\SysWOW64\Likjcbkc.exe	Lgmngglp.exe
File opened for modification	C:\Windows\SysWOW64\Lbdolh32.exe	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Gjeieojj.dll	Lbdolh32.exe
File opened for modification	C:\Windows\SysWOW64\Mgagbf32.exe	Lmiciaaj.exe
File created	C:\Windows\SysWOW64\Mgfqmfde.exe	Mdhdajea.exe
File created	C:\Windows\SysWOW64\Mdmann32.dll	Gfngap32.exe
File opened for modification	C:\Windows\SysWOW64\Gmjlcj32.exe	Gdcdbl32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Miemjaci.exe	Mgfqmfde.exe
File created	C:\Windows\SysWOW64\Ogibpb32.dll	Likjcbkc.exe
File created	C:\Windows\SysWOW64\Gbdhjm32.dll	Ncfdie32.exe
File opened for modification	C:\Windows\SysWOW64\Ofqpqo32.exe	Ocbddc32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Ojhnmh32.dll	Kimnbd32.exe
File created	C:\Windows\SysWOW64\Llcpoo32.exe	Liddbc32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Ilidbbgl.exe	Iikhfg32.exe
File opened for modification	C:\Windows\SysWOW64\Jcllonma.exe	Jmbdbd32.exe
File created	C:\Windows\SysWOW64\Jmpgldhg.exe	Jehokgge.exe
File created	C:\Windows\SysWOW64\Deimfpda.dll	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Gfgjgo32.exe	Gkaejf32.exe
File opened for modification	C:\Windows\SysWOW64\Imoneg32.exe	Iicbehnq.exe
File opened for modification	C:\Windows\SysWOW64\Iblfnn32.exe	Imoneg32.exe
File created	C:\Windows\SysWOW64\Ghkmacoj.dll	Jehokgge.exe
File created	C:\Windows\SysWOW64\Kpjcdn32.exe	Kipkhdeq.exe
File created	C:\Windows\SysWOW64\Eonefj32.dll	Megdccmb.exe
File created	C:\Windows\SysWOW64\Nilcjp32.exe	Nepgjaeg.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Gofkje32.exe	Ghlcnk32.exe
File created	C:\Windows\SysWOW64\Khkaedic.dll	Gmlhii32.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Jmhale32.exe	Jeaikh32.exe
File created	C:\Windows\SysWOW64\Eikdngcl.dll	Kepelfam.exe
File created	C:\Windows\SysWOW64\Kimnbd32.exe	Kfoafi32.exe
File created	C:\Windows\SysWOW64\Mdehlk32.exe	Mpjlklok.exe
File opened for modification	C:\Windows\SysWOW64\Mpablkhc.exe	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Gfngap32.exe	Gododflk.exe
File created	C:\Windows\SysWOW64\Clhkicgk.dll	Gdcdbl32.exe
File created	C:\Windows\SysWOW64\Kpgfooop.exe	Kimnbd32.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Odapnf32.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Hihbijhn.exe	Hbnjmp32.exe
File created	C:\Windows\SysWOW64\Nnbnoffm.dll	Jcioiood.exe
File created	C:\Windows\SysWOW64\Mcpnhfhf.exe	Mpablkhc.exe
File created	C:\Windows\SysWOW64\Bhbopgfn.dll	Nloiakho.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Gdeqhl32.exe	Gbgdlq32.exe
File opened for modification	C:\Windows\SysWOW64\Jplfcpin.exe	Jianff32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8120	8032	WerFault.exe	311

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfjhkjle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibcmom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gfngap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gofkje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdcdbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gicinj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iikhfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbhfjljd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgddhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gododflk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdeqhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gfgjgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiidgeki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbaipkbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmngglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfmmcbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpjcdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klimip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7f1a039862d17e301a6a98a1666f7ed0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbdgfa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkdbpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jianff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcmnpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fhjfhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcdmga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imoneg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iblfnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenamdem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpgmha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfhdlh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmhale32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlgbon32.dll"	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lboeaifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gfgjgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifbkgjd.dll"	Jeaikh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojlbcgp.dll"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahioknai.dll"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	7f1a039862d17e301a6a98a1666f7ed0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmpgldhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojhkmkj.dll"	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npmagine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gdeqhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfmbha32.dll"	Ibcmom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfgjgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iblfnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohfjnoma.dll"	Imakkfdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iikhfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpgfooop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	7f1a039862d17e301a6a98a1666f7ed0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgbcdnbb.dll"	Gbiaapdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jplfcpin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imoneg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibcmom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlineehd.dll"	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ilidbbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpafo32.dll"	Kbaipkbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkgoikdb.dll"	Imdgqfbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jehokgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efjecajf.dll"	Kipkhdeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gdcdbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olpppj32.dll"	Hkdbpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlcifmbl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 3524	3356	7f1a039862d17e301a6a98a1666f7ed0N.exe	84
PID 3356 wrote to memory of 3524	3356	7f1a039862d17e301a6a98a1666f7ed0N.exe	84
PID 3356 wrote to memory of 3524	3356	7f1a039862d17e301a6a98a1666f7ed0N.exe	84
PID 3524 wrote to memory of 4692	3524	Foabofnn.exe	85
PID 3524 wrote to memory of 4692	3524	Foabofnn.exe	85
PID 3524 wrote to memory of 4692	3524	Foabofnn.exe	85
PID 4692 wrote to memory of 968	4692	Fcmnpe32.exe	86
PID 4692 wrote to memory of 968	4692	Fcmnpe32.exe	86
PID 4692 wrote to memory of 968	4692	Fcmnpe32.exe	86
PID 968 wrote to memory of 3904	968	Fhjfhl32.exe	87
PID 968 wrote to memory of 3904	968	Fhjfhl32.exe	87
PID 968 wrote to memory of 3904	968	Fhjfhl32.exe	87
PID 3904 wrote to memory of 3348	3904	Gododflk.exe	88
PID 3904 wrote to memory of 3348	3904	Gododflk.exe	88
PID 3904 wrote to memory of 3348	3904	Gododflk.exe	88
PID 3348 wrote to memory of 2180	3348	Gfngap32.exe	89
PID 3348 wrote to memory of 2180	3348	Gfngap32.exe	89
PID 3348 wrote to memory of 2180	3348	Gfngap32.exe	89
PID 2180 wrote to memory of 2424	2180	Ghlcnk32.exe	91
PID 2180 wrote to memory of 2424	2180	Ghlcnk32.exe	91
PID 2180 wrote to memory of 2424	2180	Ghlcnk32.exe	91
PID 2424 wrote to memory of 4360	2424	Gofkje32.exe	92
PID 2424 wrote to memory of 4360	2424	Gofkje32.exe	92
PID 2424 wrote to memory of 4360	2424	Gofkje32.exe	92
PID 4360 wrote to memory of 3344	4360	Gbdgfa32.exe	93
PID 4360 wrote to memory of 3344	4360	Gbdgfa32.exe	93
PID 4360 wrote to memory of 3344	4360	Gbdgfa32.exe	93
PID 3344 wrote to memory of 1552	3344	Gdcdbl32.exe	94
PID 3344 wrote to memory of 1552	3344	Gdcdbl32.exe	94
PID 3344 wrote to memory of 1552	3344	Gdcdbl32.exe	94
PID 1552 wrote to memory of 1976	1552	Gmjlcj32.exe	95
PID 1552 wrote to memory of 1976	1552	Gmjlcj32.exe	95
PID 1552 wrote to memory of 1976	1552	Gmjlcj32.exe	95
PID 1976 wrote to memory of 4736	1976	Gbgdlq32.exe	97
PID 1976 wrote to memory of 4736	1976	Gbgdlq32.exe	97
PID 1976 wrote to memory of 4736	1976	Gbgdlq32.exe	97
PID 4736 wrote to memory of 3304	4736	Gdeqhl32.exe	98
PID 4736 wrote to memory of 3304	4736	Gdeqhl32.exe	98
PID 4736 wrote to memory of 3304	4736	Gdeqhl32.exe	98
PID 3304 wrote to memory of 324	3304	Gmlhii32.exe	99
PID 3304 wrote to memory of 324	3304	Gmlhii32.exe	99
PID 3304 wrote to memory of 324	3304	Gmlhii32.exe	99
PID 324 wrote to memory of 1160	324	Gbiaapdf.exe	101
PID 324 wrote to memory of 1160	324	Gbiaapdf.exe	101
PID 324 wrote to memory of 1160	324	Gbiaapdf.exe	101
PID 1160 wrote to memory of 4652	1160	Gicinj32.exe	102
PID 1160 wrote to memory of 4652	1160	Gicinj32.exe	102
PID 1160 wrote to memory of 4652	1160	Gicinj32.exe	102
PID 4652 wrote to memory of 4676	4652	Gkaejf32.exe	103
PID 4652 wrote to memory of 4676	4652	Gkaejf32.exe	103
PID 4652 wrote to memory of 4676	4652	Gkaejf32.exe	103
PID 4676 wrote to memory of 5060	4676	Gfgjgo32.exe	104
PID 4676 wrote to memory of 5060	4676	Gfgjgo32.exe	104
PID 4676 wrote to memory of 5060	4676	Gfgjgo32.exe	104
PID 5060 wrote to memory of 4716	5060	Hkdbpe32.exe	105
PID 5060 wrote to memory of 4716	5060	Hkdbpe32.exe	105
PID 5060 wrote to memory of 4716	5060	Hkdbpe32.exe	105
PID 4716 wrote to memory of 2984	4716	Hbnjmp32.exe	106
PID 4716 wrote to memory of 2984	4716	Hbnjmp32.exe	106
PID 4716 wrote to memory of 2984	4716	Hbnjmp32.exe	106
PID 2984 wrote to memory of 4820	2984	Hihbijhn.exe	107
PID 2984 wrote to memory of 4820	2984	Hihbijhn.exe	107
PID 2984 wrote to memory of 4820	2984	Hihbijhn.exe	107
PID 4820 wrote to memory of 4408	4820	Hobkfd32.exe	108

C:\Users\Admin\AppData\Local\Temp\7f1a039862d17e301a6a98a1666f7ed0N.exe
"C:\Users\Admin\AppData\Local\Temp\7f1a039862d17e301a6a98a1666f7ed0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Windows\SysWOW64\Foabofnn.exe
  C:\Windows\system32\Foabofnn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Windows\SysWOW64\Fcmnpe32.exe
    C:\Windows\system32\Fcmnpe32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4692
  - - C:\Windows\SysWOW64\Fhjfhl32.exe
      C:\Windows\system32\Fhjfhl32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:968
    - - C:\Windows\SysWOW64\Gododflk.exe
        
        C:\Windows\system32\Gododflk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3904
      - C:\Windows\SysWOW64\Gfngap32.exe
        
        C:\Windows\system32\Gfngap32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\SysWOW64\Ghlcnk32.exe
        
        C:\Windows\system32\Ghlcnk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Gofkje32.exe
        
        C:\Windows\system32\Gofkje32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Gdcdbl32.exe
        
        C:\Windows\system32\Gdcdbl32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\SysWOW64\Gmjlcj32.exe
        
        C:\Windows\system32\Gmjlcj32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Gbgdlq32.exe
        
        C:\Windows\system32\Gbgdlq32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Gdeqhl32.exe
        
        C:\Windows\system32\Gdeqhl32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Gmlhii32.exe
        
        C:\Windows\system32\Gmlhii32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\SysWOW64\Gbiaapdf.exe
        
        C:\Windows\system32\Gbiaapdf.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\SysWOW64\Gicinj32.exe
        
        C:\Windows\system32\Gicinj32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Gfgjgo32.exe
        
        C:\Windows\system32\Gfgjgo32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Hbnjmp32.exe
        
        C:\Windows\system32\Hbnjmp32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Hihbijhn.exe
        
        C:\Windows\system32\Hihbijhn.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Hcdmga32.exe
        
        C:\Windows\system32\Hcdmga32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        24⤵
        Executes dropped EXE
        
        PID:1836
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        25⤵
        Executes dropped EXE
        
        PID:3260
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2804
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4748
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        30⤵
        Executes dropped EXE
        
        PID:1584
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        32⤵
        Executes dropped EXE
        
        PID:2152
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        34⤵
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1672
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3100
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        42⤵
        Executes dropped EXE
        
        PID:1444
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        43⤵
        Executes dropped EXE
        
        PID:3388
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4512
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        45⤵
        Executes dropped EXE
        
        PID:588
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3916
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        52⤵
        Executes dropped EXE
        
        PID:1756
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:976
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        54⤵
        Executes dropped EXE
        
        PID:4704
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        57⤵
        Executes dropped EXE
        
        PID:3468
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2440
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4908
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3612
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4800
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        65⤵
        Executes dropped EXE
        
        PID:3320
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        68⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        69⤵
        Drops file in System32 directory
        
        PID:2032
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4380
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        72⤵
        Drops file in System32 directory
        
        PID:4720
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        73⤵
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        74⤵
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:528
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        76⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        78⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        79⤵
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        82⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        84⤵
        Drops file in System32 directory
        
        PID:1904
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        85⤵
        Drops file in System32 directory
        
        PID:2400
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        87⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5320
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        90⤵
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        91⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5524
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:5568
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5656
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5700
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        99⤵
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5832
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        101⤵
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:5920
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5964
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        104⤵
        Drops file in System32 directory
        
        PID:6008
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        105⤵
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6096
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        107⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        108⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:5220
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        110⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        112⤵
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        113⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        115⤵
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5736
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        117⤵
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5884
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5952
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        120⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6020
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5124
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        124⤵
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        125⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        127⤵
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5928
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        129⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        130⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5404
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        133⤵
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        134⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5996
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        136⤵
        Drops file in System32 directory
        
        PID:6140
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6160
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6204
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:6240
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        140⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        141⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        142⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6388
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        143⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        144⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6480
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        145⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6604
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6656
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6708
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6756
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        150⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        151⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        152⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        153⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:6976
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7020
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:7064
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        157⤵
        Drops file in System32 directory
        
        PID:7112
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        158⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        159⤵
        Modifies registry class
        
        PID:6224
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        160⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6328
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6400
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6472
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        164⤵
        Drops file in System32 directory
        
        PID:6572
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        165⤵
        Modifies registry class
        
        PID:6644
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        166⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        167⤵
        Modifies registry class
        
        PID:6792
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:6856
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:6924
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        170⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        171⤵
        Modifies registry class
        
        PID:7048
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        172⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7140
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        173⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6316
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        175⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        176⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6524
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        177⤵
        Modifies registry class
        
        PID:6692
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6812
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6920
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        180⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:7164
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        182⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        183⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        184⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        185⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        186⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        187⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        188⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6836
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        190⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        191⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        192⤵
        Drops file in System32 directory
        
        PID:7104
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        193⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6876
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        194⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        195⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        196⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        197⤵
        System Location Discovery: System Language Discovery
        
        PID:748
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        198⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        199⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        200⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        201⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        202⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        203⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        204⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7336
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7380
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        207⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7468
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        209⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7508
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        210⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7556
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        211⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        212⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        213⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        214⤵
        Modifies registry class
        
        PID:7732
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        215⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        216⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        217⤵
        System Location Discovery: System Language Discovery
        
        PID:7864
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        218⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7908
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        219⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7948
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        220⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7988
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        221⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8032 -s 408
        222⤵
        Program crash
        
        PID:8120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 8032 -ip 8032
1⤵
PID:8096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
192KB

MD5
920b5bd55659e6e95672dc003cec9e84

SHA1
6fba627c4a015b0f4a94eb0b1daaa63fab803eb6

SHA256
5dec214ff8d8f949a604db5c72ba5c2b74798764db39c8cbed0f240d5e7e57ac

SHA512
884934462fd6b7d4473a34b8e3e360af55fc9178c74dad1d12e7bd180a196b3aa6df94fe69c93fc22858cf6f3b87937a0ee7cb01172bdfdfd8f230f0033a3ceb

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
192KB

MD5
47ac1fb570a3d207a73c773e9ba65ab5

SHA1
72db3426e9e2ab4bd9f48c928dcf41df1615d2dc

SHA256
04eb56e8db778d9601330637e00cf8af3991cc00cd29593968c1e5436b08d41f

SHA512
35a5e3a8cfb5367745dc49d0d8218b866569cfd7218a261ac328c5e58410ee9911bd83624a28c253794c8f154ad73f40eff81fc7fc9c09ffab35bf25e4b57d65

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
192KB

MD5
c31108ddfc7f792fcabaebdef9ba66b3

SHA1
f720e9afd66877ad5bd1388d5744b08f994ce6b7

SHA256
00490bc5963deab383558ded971576cc705bbce71fdae411c1048bfdb406bd20

SHA512
cf961232825d39c36b3538d7e845bd17781e1ca38b936bf8487b09bc87d1a05dbd12efa02ff6d8bce1fa9e2eae1ba9f12c9161100d428acd9caf7e04bb9f553c

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
192KB

MD5
e0205406cbc48506e88f2d1679b82541

SHA1
c42d04613cb0eb8af4963301ada61e67ce66a2f4

SHA256
3997354c107d0ecafd01a6967097bcc4ea8e3d69c72665ce27f37bb81c40d929

SHA512
869b0180fc1d4a5579fb9616be5fce3a5eb939613e3efa1a51295ef4a5b14330e400059258d8bcb3882161355ce6c0cd63a7563cf0f072bfc7e0257010a545e2

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
192KB

MD5
86472a515f2ad07889e97a8607139d33

SHA1
43799a31cea9a1afe85922023641e373463a9ea0

SHA256
f615afb4996eb7e6d093948e1d7a60f7627ff51ac174af752ef0d7f8509dd7fc

SHA512
6b2b0f90d033ab0def317f46fc2bc6a7e27b4d7ce7d22eff2413f89549365f0e9e36bc03d9309e5125b711cf2ec816f37b36a9e089175e4239938b5a3cfe096c

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
192KB

MD5
452c04db153b95b8f953e5d80c401672

SHA1
a0f595a2ab75c8361f3b1248a98894e498d09632

SHA256
38e7f928a63f6cb5e90623e9ce80e026c4f732f4fa81ae8d7bd5a08ef5b7b171

SHA512
2bd1c9c31e9581a0ab55ded63bb9ba4af291efebb37788a020745240cad75db842a45dafcd4110c7c42c0adc9f6f70bd7beed175ecbda9ab4d060f69596f64cf

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
192KB

MD5
da6a44951e6d94e17735d219f7637fa7

SHA1
2eb9b0886196d65c98906da9bd82ecde41c675d5

SHA256
91c40c76e8fb3001623f6b30635d5b956fe57869bd5d02cfaf5e153bcb1e39fb

SHA512
cf8ff5e8f3d8a0850d1bfbb5723423a11862635fad9fcffdbb08502d8fdfb935a3e89a852efd4d6b63fd9a644791f17a87088f3478fd8a5260dd3a6d9ea4a075

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
192KB

MD5
7758a05c6029a989e2c5dabb1489a6c7

SHA1
fcce2ce34a3178b62124e3ef1d4818d98775713c

SHA256
2e45de9e63620ad603eff2c0933bbf7fbabcbc224ad9c85da77c787feb5fc566

SHA512
75818c7b3c3eea6232a034941c061ae9f7e6ec623fa21775e44c88a87e922557ef82b30311c480fb4df31a965175cd1f9ea30a73141388ab0512969f0906e2ab

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
192KB

MD5
5a2daea03d9065242495e9db8fa591bd

SHA1
98a10fd38dbd7aea669ce13010d5faeab1631dd1

SHA256
dc5d67d07d8e2284df8b443726cd060d081a858be097627aeddae4853f358ee7

SHA512
b07b910ad0c1450cd9150e59654c49a5a19c106af8dc45057f83fc926624e81204bd84dc33ab09ab29e500bbc8c4acd44b31c04f3ee8389bea96f25a6111d607

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
192KB

MD5
0cda4eb12af6c577fed2fe5e8223fccf

SHA1
cd1b18c985766cfb1adcbfe676f7956a3e995152

SHA256
91220a614886448554fe74c23f832dd9310c6d9aab6879058934da71bb6b52e1

SHA512
2ae4b3a13a913f5cf799f897fb9b79d39685d22820e25a21e9722a2e786eda19f399d804872b11ee7b09b25de2df84c38fdb8faddadfe32841ff5c920e2bafa7

Download Submit
C:\Windows\SysWOW64\Dqlbaq32.dll

Filesize
7KB

MD5
b1d3731377af4476fd6fcbdd9a8372eb

SHA1
4a74e16fdb0a393e063595489a0d0e820ada03ae

SHA256
7b1621115f59d6b6eaa34ed80016dc8b1cd47d500dbe3f2399e2cc82911c7d89

SHA512
c663c5beb6005f876a6edaef115c425c16c9564836d20245b33d33316c64aa32091ac1d56d21448b97d45be26a9c73f5a026de8eea76023791a99ab90be902bd

Download Submit
C:\Windows\SysWOW64\Fcmnpe32.exe

Filesize
192KB

MD5
808f27d81f932451c1abebb1c09a285b

SHA1
73dc1be51160d3c0b6c0fa525b5df304046c6127

SHA256
34477bb59d1181c6746fe738dc2c3ae771928f7d39af03bd7648a2857dca9e9e

SHA512
584edae03c22c805cfb75dc5c1296a3a6d2e5147ffd6cec65bf25a79dd46231d322a57471b7753d1176b6ab86cc08c88a811f3ea251831263a746edfe3aed333

Download Submit
C:\Windows\SysWOW64\Fhjfhl32.exe

Filesize
192KB

MD5
766a4279719081b0790bf82b19bc450b

SHA1
5c27a26d80a127df0387211e80079af6b5b41c83

SHA256
8c5957432e705e202ce73cce4bd06bbce47eaf7a39474d47c00eb9916e325551

SHA512
c43bb0fd921489ecbf6986b3ffbfab6ed5f382e54909c1ca3eff7032fe6b0fe97fdaeb260212844847b69d2574bc643d2cf91e3bdbd60a94e11c534b3b288714

Download Submit
C:\Windows\SysWOW64\Foabofnn.exe

Filesize
192KB

MD5
ae47ade583cd7afcc1fde325ff1e5b70

SHA1
19c8f2b7a73b3f37311dc7dcd84da545b49aa849

SHA256
9c71d73ef94465189c623f5f024f9a94b20b143ecf5e559b862c3719bc8524cb

SHA512
5c8d2e15243b70b46e00211f35a7b2dffb63db205834b7272aee154d6ed5ea9a1bc733c255bf9d582a77fc3559a538d070b39eedd7a8c9f66af156f265413837

Download Submit
C:\Windows\SysWOW64\Gbdgfa32.exe

Filesize
192KB

MD5
e353b355c3e6f77a00a2edd970ec9214

SHA1
2c02ee6678080349eb5bbd1408f9792c921a8c95

SHA256
7ac0f93992c870e76d40dd25679a9048d934feb2a14d117d5e94406bfd44b0e1

SHA512
e62c6a6f2f006db37f1c403e7aef8e3a146da5a94173e90e4adf037dbed0cd2bb16616b51a6d1e81321a2d19b6f5c0eae8e07cfb637c9213a8bbd779644ee9e6

Download Submit
C:\Windows\SysWOW64\Gbgdlq32.exe

Filesize
192KB

MD5
35ca24e9fd67106c2419923348eef2cd

SHA1
9b5c557e3273cc431793d143fe221c5901cda34b

SHA256
4b0aed1b6c8899eb75895def9116f93949ce16434829b8bc36f9ef779b97e8d2

SHA512
9c4e0caf81f557759a416f38edfc959fc86e59fd44efa3f021cfd402c0950cc6bccba67b4ac1593784db3b26c382d0ce123c955098408a34bca341b4fb5041a6

Download Submit
C:\Windows\SysWOW64\Gbiaapdf.exe

Filesize
192KB

MD5
0a6ef62735d1d4aef122d402d2d3c150

SHA1
d44f01f5913604f78f678c11f7d6056ee9536e5b

SHA256
2dcf08d158c83a562c7ca7e528b027b4f40bcde5457c379a87391aa73289e3ab

SHA512
b427ffd2bd99084ea61f47d55c178813c2f77be76d276ce9d09995972be8bf2456180771b96b722578052103c7dd0bf045ac2c780e5ae28f4a2cb71928bba6aa

Download Submit
C:\Windows\SysWOW64\Gdcdbl32.exe

Filesize
192KB

MD5
9cc9252497b342fe4c8ce3445c08c8fb

SHA1
61f41a9f19194249f75a9216900b4a2e94cdbe3e

SHA256
b59d535e3fdabe9fe8a54e42bcabde7f6781e62316708a93115992a48a0f1fba

SHA512
8a68fd8c99d5c90c9bc527d489d39a35f75faa45e31567b8dfe9da0ddf5421443f145e6f6888a301002a732b7037cb596643364a43a3a4cfeadb6f126486c527

Download Submit
C:\Windows\SysWOW64\Gdeqhl32.exe

Filesize
192KB

MD5
3069e92587a5a7dc4d66a63c742bf82d

SHA1
3d5c008e1a9bc41e075dedccf3baeebfd3374478

SHA256
02e7b0a67921be2303fabff4f31bf06cff0ab4ea92650bc9f7edb1998126b489

SHA512
93c06bf54ce3a8705acfa67f517bcf40dc0b9e1e0c578960195a7a5b5a6ae4ba054797e0f355dd4c2916b7dadfb5ac6df9d71333c1b3c44edd15ceeb4dcf1337

Download Submit
C:\Windows\SysWOW64\Gfgjgo32.exe

Filesize
192KB

MD5
2782b4eb245bde191472fbefb3649163

SHA1
fa11cb245440f95b1cfaa99de8ef10859dbeb2f8

SHA256
7003bbad6ed3d5681975c0b4646375014c0e35eecf081c08ad3cfe6205cabe85

SHA512
ff9dfa68e7a052486ba5be62f85f41b19b160f79be0d78b5043da68d3fee5a952f2ffb03390c3b669064a7d21360afd33e6c6f7873fad92b1b6ab341877cbc17

Download Submit
C:\Windows\SysWOW64\Gfngap32.exe

Filesize
192KB

MD5
c7c2b49fa8aad4b98cd27b230f3cc7d8

SHA1
6a94654fb4a1108b8dd9d286b4d63bc72e482473

SHA256
03f07f068edc3dbcfe931297461e0c7d164ffda41d5ed8809d56d1228f4d4005

SHA512
b1b8b0e7171a5b65f52bdb4ffd8642a29d6bb8e790a18ea9e5f1863c4bd46970c947acc85184e338ea72103bbd8f1c1d38d0c41bda39da0342ee0706008246b9

Download Submit
C:\Windows\SysWOW64\Ghlcnk32.exe

Filesize
192KB

MD5
6c95f401a48b3dd8b547ef7032635155

SHA1
d5d8049779363ffae6513ae2c2af98a52525482d

SHA256
35cb5aaf550bda9513ef445bca70a064bb15af5090f1fcd175170d50790f675b

SHA512
237248ed83033eb29f12d2ed02d27744e2cbbdc3e3e60cd21bc7e17cd58e12675d992624a86cd286849843b4dcc86f5cf3624b09ff3597215ef8ecab40b3d9a5

Download Submit
C:\Windows\SysWOW64\Gicinj32.exe

Filesize
192KB

MD5
ee7a549b786023e9ff97429c448e4016

SHA1
0104b10b1fc09ea97832e35aa8109f047008e6b0

SHA256
516ddb2b0d097ee9252d59cd00aa1ddf6a8aece537424cf9098a4aee6eba73fa

SHA512
60d931a2a629d2d13001c5f0ef99961220a48c75088430a8222c60c6a1d792fd8473444cb221c6b183776c6bf682d2a533501087bed01f65d1c37ca75d900e4b

Download Submit
C:\Windows\SysWOW64\Gkaejf32.exe

Filesize
192KB

MD5
b43715ceb2ccf0349bbf0c5c7657c6d9

SHA1
3d1d46ed63ee222110a2aa7e1ecd5dc9b7d7eb2b

SHA256
4e9fbbf4580bb338e39494d6f74b6acba5ed869728d23829234b4b1a5b12f5f9

SHA512
d0eec40ba319b21907c7ecaabed0a49693c500b5a7e1b6a274df059a7e38dc55b578dce5c2970ef7a1f799f41c2187bffa9051c6ce722e5f2680a9d387903b23

Download Submit
C:\Windows\SysWOW64\Gmjlcj32.exe

Filesize
192KB

MD5
250280420e568d093fd439320db871f1

SHA1
f4651f2b102f2c7b4517a7cab728f8b0cd07e8d4

SHA256
0dce892e8c7ce9469089e264ea2054bd723795d411e06ab7fef733ec9ffec409

SHA512
0ce4256b0ed720dbce9905a4591db3166e6ceffbbfe664dd6674bcecce8cfe63a9927ac2cb0ce0631eb6ca77cbe4a21f8d19ebb4901df9b767437673a13223ad

Download Submit
C:\Windows\SysWOW64\Gmlhii32.exe

Filesize
192KB

MD5
9268b33172c46d86bf88a7f38c7ba6b2

SHA1
91cce3a635088c72a7b34d7ec855ab17dc3ec830

SHA256
9ca6ff6facd78643ce84f348cd61b3978e40aefc6980fa5a9ca9fee2e9308fb3

SHA512
13808952e229c6806708026b17f21171c768827ff2999b62d282ab21cfedd6c03e56a4d6c5c29703234d047e345397d58a003ccb4b2b5adc5c45af1f55c527f3

Download Submit
C:\Windows\SysWOW64\Gododflk.exe

Filesize
192KB

MD5
6f6862dbb34e51e881fe987696085509

SHA1
b0b502a784f496cb98b3bbf12757d33773e73e29

SHA256
5d941c1d4e8dd6008ca13030cabe682d6d03d9785980341d08ff22cabf987a03

SHA512
45fd8b1d43b8081eb49a729da3474176561419f1aa9be94d7cd5284478e0d870b224a434b181a8239214233dc7599594dcccf4f6f219be22adbf57578a6daa04

Download Submit
C:\Windows\SysWOW64\Gofkje32.exe

Filesize
192KB

MD5
23feecaee95a8bd4980643baaed502fc

SHA1
4a7993df3f3e4254612e4aeb12fdb1df6ab57526

SHA256
8b87ceef6d5e95fb14ab429f8717e30d4bb45ea418fc3a771ee0852c4597b03b

SHA512
d93a8062ca89d3a335edabd27efb5f7a6a3f02f7d83ccc3659717e251699dcab3f336cd823dc2f240e100d57a5940af553b8ef93e0c30842d3b1fa8c13469f65

Download Submit
C:\Windows\SysWOW64\Hbnjmp32.exe

Filesize
192KB

MD5
3db730795c42ac118b587a5214902aba

SHA1
947eac4a628402872b38c1b5371cd49bc27a392e

SHA256
5f54246bad14b9bb91c1153ad4dccacd250fdb6d1040e0bb4b82706570d69539

SHA512
7e1cc1417118183df60c9486af7b5a51d3c399d2c9f2fee708bb289ab1d6a690277287c4ae88331821134bbf58c3a7c00c425b97268ba7366eb384e76062e604

Download Submit
C:\Windows\SysWOW64\Hcdmga32.exe

Filesize
192KB

MD5
d2671596d24c3ab78073fc0417a54571

SHA1
bde9b1c718b187f11f2a5fa2232a97542c0e450d

SHA256
5d76231be7160c4aed5f6bb99843c349bf12d93d83334e6312397554e64cd993

SHA512
0228c52f4420b6f47e3362a96110d4c63f474956df7aa4e0e290bb9500dcd7dc768a408f2b53b2bc8b8271ca83a899b815f08463a2b4620b5a5e4524216cd0a4

Download Submit
C:\Windows\SysWOW64\Hfcicmqp.exe

Filesize
192KB

MD5
40d4fae3e54fc6fa35b3cca47e1bb71d

SHA1
7bd6c6ea47fd512e5c57b89eabf689df1c56d69b

SHA256
e886c0674449adc074d9e8e032c3a65fa7a9292f2890fa9cd2aa24352d861ea8

SHA512
ad2d60ad14e31ee15c065464cc615d322d01396947c27400ae5b7958da6fa9092d07d34736e0e36f8185fc1c79838bee3016bf5ae3e2b0280f8ece515fd936d5

Download Submit
C:\Windows\SysWOW64\Hihbijhn.exe

Filesize
192KB

MD5
71e9fd7b1386faf89f32d0ee879ea23f

SHA1
9bfb38ddc3f832771e98e799916a8c5e76521129

SHA256
784b0ac0a035ed44970ea5d6070683d949830028b07eaf84086163088b4977a9

SHA512
df320257e7702c4f1403b67621dc17de5ad53a9181d3753bf36c0b4866533bf342a5be646f5f5e2edc0f3501f897bcc6b5b355e0dd59bf3a3f1cafabec263846

Download Submit
C:\Windows\SysWOW64\Hkdbpe32.exe

Filesize
192KB

MD5
21f4cf6754732fb271511154a4c5c113

SHA1
a151a80a8e9d816f67c791516fdefb7366f0d78b

SHA256
f122f48bd8a112ea0d81e23276ebf9a59c45ffd4eaa42162cfbb6fd0f3657fd1

SHA512
d1a49f4e3aa8d0720fd241738264134a819cd9a0739dac08373cabadf3f6726183c6555237dc42c88af4fe3feece0310f3c87f258427b9e3a315b5851cbfcf1f

Download Submit
C:\Windows\SysWOW64\Hobkfd32.exe

Filesize
192KB

MD5
2d47f18e524968ce21f78d80d4c78c3e

SHA1
6662e2d6812ed5fd087044020812ccd857ecf054

SHA256
832a0746bd4e074509ea93fd6cdab4adeac23f15184e29a29e2808f85b53e22d

SHA512
447192e9c508727d6982b4678e85e71e0205e5806e0c71291c8e807dfe7ad9108db008979c5b94560882944ec2aac7a7504d8df5b3ac7e94a119e0f8298c04cb

Download Submit
C:\Windows\SysWOW64\Iblfnn32.exe

Filesize
192KB

MD5
d797574ba0c98046d89202c8b791676e

SHA1
2978ea63be1e8738ca62a29297731fb83177bc14

SHA256
fc94d501a020d9b85aa418af830ce6200f7096dc4d99b9b2d9d7553cb46de0b0

SHA512
1f04e8c06eb8ac0327671171cd2ce9aa719afca624036e41c1394587be0a8fcd5ec89442659599099b344950100dc08fab19094a31a496f7ae08ec2298f13b6f

Download Submit
C:\Windows\SysWOW64\Ibnccmbo.exe

Filesize
192KB

MD5
03c183fa459921a03d1f37760d37868c

SHA1
bcaf4e07c093744ba2385a524202cc5c105b1be6

SHA256
ea04814256b1ba8db446d325a18b0876f748a19db4f9f02977dc614e73a68079

SHA512
ec2ad820e2e95b3319524c63df22c1d863c3d07056fa880f844155cf904d7ba02963b8e6fd5fb928e654bb154e0f755094e31b657f9b4543e8e03be59994134d

Download Submit
C:\Windows\SysWOW64\Icgjmapi.exe

Filesize
192KB

MD5
43ade9d7387dfb9c9b7680053034963b

SHA1
07632b6221d4d2c9a7f8f9ae3bb52a7bf216d572

SHA256
833ff931686b913aaa4e322dcf03d667df5d06b00c43987ad3b2e9ad805f7008

SHA512
18687d01a6adae7b6ddfd34301b8e27fbeb7f81f9ff24311afef0edb06f4eba98d4b6389c6dc106c97e2078989d32716951b2b9132d9cdba32cb67b89f1a33ab

Download Submit
C:\Windows\SysWOW64\Iejcji32.exe

Filesize
192KB

MD5
6b22baaa9aadaac97c48266259e49977

SHA1
2a955868d346ea4be5553b0c218d48db3bd446fc

SHA256
d18bb0de3edb5a44ff21d655b872b014f80bdd01f4100b081dd723b830e77f1a

SHA512
3d3072c55257af81b7e1aaff6d8715b801c9867b1898b1655fb74289f23cd71a9b81fa2454f5f5b52c15c254aa97f32b6fd6129db19c3a550efef6f43886cbfc

Download Submit
C:\Windows\SysWOW64\Iicbehnq.exe

Filesize
192KB

MD5
6f62328dc58d0fad8c40d78f906a517e

SHA1
a42dc7843efb72c24b8256b1c2999b70f7eae8bf

SHA256
a0630d781a1c1186d88ef90d7e252403d428d2c97916553b3cac84fe38321330

SHA512
ef456ed75a0e68993477d05ee9278b97f6fdebbf79ff38fbe45315012c79448eefe493e3e726e8e60016a8049dd9c3afa7b85c2612317317e7202456f37316b5

Download Submit
C:\Windows\SysWOW64\Imakkfdg.exe

Filesize
192KB

MD5
2e78fcd4296b269cd2019517ead86be4

SHA1
be9f70254d3b94b0cf4d8cf7feba99eee7fed9a6

SHA256
b0ad9362a742b68dc66a44f6433ef4445c40de7626f53f59bf7c7aee4e46b1ce

SHA512
333dcd9384898d296d635212fd0dab17ec1a616cac1f18d017acd8bf2d3add44a3d5450295f4045fb71172076cf6f5113f780efc468561638259ba7bb2d7fd37

Download Submit
C:\Windows\SysWOW64\Imdgqfbd.exe

Filesize
192KB

MD5
af79f0ef9adff7fb4cf54fc90199af31

SHA1
c1bb50c1a50b3d0bca50ed5aa287200831d29776

SHA256
15178226ad10f09d18634b2f2281968d078baa1bda6e7d459dfe666c8710b7ca

SHA512
423631a55e66dbae49fa984086f6daa566f98a1cf089664ef4ff7a38fac835d5a32fb63abeffa0d553bbd597cfa6dafe5d433f119aefaee088d7ed5bb1122018

Download Submit
C:\Windows\SysWOW64\Immapg32.exe

Filesize
192KB

MD5
fecb1b1d252a7318496415353dc592bb

SHA1
4ca4734c92d0447762b13e358ea012fca2103fee

SHA256
f2298acdad63220d55dea11506e572d295299df761c33be5c8d131fd79a8edb2

SHA512
3a3c4cfbb6a012ad31cd2b98ed182b3838a0215e6c9547e72ffa4101d66933b08b99191fbb3648b5568eae1be0130bc8832ddf752b58bf19db65d966447b3b89

Download Submit
C:\Windows\SysWOW64\Imoneg32.exe

Filesize
192KB

MD5
71a1276489e93851791e53ba3ebadf5f

SHA1
e666e66f6bf06747c93c5a3a650efe549f294151

SHA256
558d348b386f8b637a47b29112d53f18289e2f8075f52b2afcaf9c1301f6cb0f

SHA512
e168366c46803272144df439c064451fc5acd0636a78466a04bdddaf3903ea72ab098b686882b359572bb945df2496b2dc67271664ccec8f3a2e266667666c36

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
192KB

MD5
9dfb4b561122bc875f1f7f24a6d5bda7

SHA1
edb73652651398493acb9dda3589d85f5d93b99f

SHA256
708ef5d819a3062833f11991f7f71935767763d0fa0d8ff39146f5041225e87d

SHA512
3b532d4690a73840fb0e88afb6064fddaea06b9d94755ef2a9f8ca82b4048df5100434407c46f91a6918d214fb27304e4b3cb47efa4c193856fe3f4d3c4a4f44

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
192KB

MD5
3b22014272b7b18617025834a384cdea

SHA1
fae7851e4a8986026b621efc341516b646e52436

SHA256
bd0eba1cd63479d0dd035350fc4ad46147c6af566d2a14fdd09004f4d24be029

SHA512
9c73f6db532547c88ff2f8104cc27fb6183a2b2fa9dcb23791645daece3ca43439b951c8fe8a2b6556097d9c82878c1c4b48d727c864191d87cd449055658818

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
192KB

MD5
b0f8e5abd5d2c7d04db95935bc0aed6e

SHA1
3ac6e612c111c1397fa02b3947f432c78b1f25af

SHA256
8f99f8360cc9d9668e72f3f4f94845ec47a6daa45f95ffe1e578d161670caa65

SHA512
7252ea4db19c556ce14883e1edde1e1f703a5193d25c04ae01019e7b94e82702d38b1b4cb8bb7314ddf1fbae953ecc8a28783f30eb1434da70eeb946baf54cc7

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
192KB

MD5
3ad6daf4d4e63273d1be72d66543448e

SHA1
a12d88d2e7f267a82d889418a44e91186f5294ab

SHA256
a175cf2ddf3a5e55542cbdea354ece9c4af3bdcc8603771025d5e6dc27ec3eee

SHA512
b3a62e4ff814c890994a45e0fe25843809fbb92c293127ab7f653279650265631b3267c121d1cc03d3b7250173bc080f3e9be3acd9ed0ceac5883f3fba5b17d7

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
192KB

MD5
d15c035535dd103e73dd151cdf3a2066

SHA1
fdb81f805f3e4bd40aeb994ddcd4bbb116884eeb

SHA256
d474f3eb83428e9ec33084587d815959e1015c80ffabcd3b8b4368b555831d00

SHA512
dc84687ac71a9c59cc85242a139df15490f87bb52475e3aa918d87ebe5548187a7a748c14e183a2af7b5e703a3c6c19ce242d6e5d06aef3bc7ac429614b49a8b

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
192KB

MD5
2d24df0b42c359fd851c4f8f5f7bbfb2

SHA1
af87134adbe7cbe58bf50f2758860f647c7db050

SHA256
9620c15e823e2bcb2029e9cb95482e5012092f47d943ac3fa0f9fca692e21e8a

SHA512
50c89430bb4545874312faf47b39a7d5acb2e1dc95f2cd5a2ecd92924fac3394f9505bbeb25bb648a6361d36d9af51f154da69b55b7b25dee4f4816b71f4662f

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
192KB

MD5
605a058d680a1d4181345ac2a4b17600

SHA1
88e6bc22098a9a8fbe502a70fffa404c53c75868

SHA256
4dd2cf8ad974d6f935fc8db1bafea120b819ea0027ed7ef9f870412e1feb083a

SHA512
d4218b578b32d7ea8788a63eb8d308d84ba7498668d1faf7ba8010b2b80dbf2dfda89ff848406d7f7c623e455c95d6884a74ed27f5917ab6d96f1a49ba67a652

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
192KB

MD5
169d932d92a7db929d870383b8c051ce

SHA1
a6bc2284c419361563472bfb5058b07ca85c9bac

SHA256
0ade20fd57eff924541137283171a0bb2ca096aae2e24d4d4ccfe15ccb19a2e5

SHA512
488cb0930ac897cd8e3ce8e350f5db89c77c069268561ecd8c0f916f414a936bc0193bf3f7ff33d1d92543f94c1d4d5d62cd6cf3110600c4f1e4a4edad4015b0

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
192KB

MD5
5db8c6000175725e4dd92b611aabecee

SHA1
1cde2b21eb33b8a59acee2835d734d3f8548bff0

SHA256
7e740764ab0db2f8a6c03514ec36782e5d127033159bc412db22ec1f080b0116

SHA512
402fb86e64efbc130373edc8c2522727bb55d626f2ea6f5e57cb11a3940a8a49bbf844c65b204cd0414b78c2038d0610d5f24a1cd1b549fa8b906d6d2c914fda

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
192KB

MD5
677b148a88776e0cf2e4a0105ab33e19

SHA1
290b7744ad94062e3f17b394e37b225c45b07d4c

SHA256
69e487e3b15cc42f2322b51a19c43adf3b9fd4d58d3b40862be5f5a84b753ef9

SHA512
81bc1ec2153b0b58ade4119528d992a119206638442d25670f58dd37d45ec1d8f71268950563cad7073e122f58ead0fae50863e949baabd398d1ed0bc6d39a66

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
192KB

MD5
f7c122bf0a6e4d412a8847af5f05f0d7

SHA1
ea86f21484af067c8a388676cf0c1a0408963136

SHA256
6853c8eec37ec49637973823b723918cefdee2130ceacd887c2543a182b4252e

SHA512
9eb51fd5d9dfcb0846bfb88a0f14d5d4e61533cea7f4ed926307295dd8d563f17102d5e265f03813422aa3d37d470682db5f37f2d6f0b104d6dc748254e6bb76

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
192KB

MD5
b4867586eae52d999dfd29b46fa26f6c

SHA1
9c765f11380d95d957ca945322ab6dcf6b5a6e9c

SHA256
97ac018e23705302d3dec3d313d0b3fe97176ef8c2161569bca37624ffc33d54

SHA512
a6d55f20f035d9d0e07df8acc6d7cad07dcd1db21da75104d96b3481a7c2dc2cd2066f57220951697dd147e1eef27833b63a0e836bcc24bd5d7c82b874e77a5d

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
192KB

MD5
1bc95f75f21bfbff730f1b4c7131685b

SHA1
9142025f4a12c925ff5eae57f5700519e0ffa37b

SHA256
9a188eef86bf0b56354b4819440dedf1582ea90a315abd5fefd6b5a4fc109ad6

SHA512
d3fb7ed2c139d1d9d2042d89583aea7bd8b850da851a1907e7d938f80c808c7f439a5781ad8f493cabc9891e096c8618663c2534568b42ccedfcb5d62bfda957

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
192KB

MD5
a92c9803b4d44f6831ebbe69d5d18601

SHA1
f9cf29f9ea1d9f5c8b583dea29e74ca3e88d4814

SHA256
8de28f86dd3154450326d1879a997a97f996784101394f8bc58fbef475af2d71

SHA512
aea2abb30e27ef597cdbdd556477bc123994bb5dc3bc94024d5650e47c62c419f49ef67367535b3ed9a9141c48d31053ef56db34527108f4fe1957e96cd60e2a

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
192KB

MD5
5b9547cdca46165267e8c15f302d65ac

SHA1
ca2f34e48fe3fb7a1ba8ee48221cee84b582d928

SHA256
c8c1bbe0ff59370a38e6469d70a80a1e2537751164e761acf355bebbfe897acf

SHA512
dfdfaa5d57ada40a62e18fd7ef1c76b8acaed18fcbb71301f18186c51d79e7f040c9d43d450672cce2c202dea4b16f7334f5df675384662904241beaf47e4454

Download Submit
memory/216-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/220-228-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/324-111-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/376-442-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/528-508-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/588-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/968-23-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/968-570-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/976-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1160-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1292-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1368-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1444-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1552-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1584-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1664-538-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1668-564-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1672-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1756-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1836-183-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1868-552-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1888-502-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1904-571-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1976-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1984-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2000-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2004-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2032-472-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2052-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2152-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2180-47-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2180-586-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2400-572-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2424-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2424-593-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2440-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2492-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2588-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2640-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2804-199-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2976-545-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2980-520-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2984-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2992-526-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3036-388-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3100-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3152-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3232-496-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3260-191-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3304-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3320-448-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3344-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3348-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3348-583-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3356-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3356-544-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3388-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3468-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3524-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3524-551-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3612-430-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3652-460-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3904-573-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3904-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3916-364-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4036-514-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4216-532-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4360-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4380-478-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4404-466-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4408-175-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4512-326-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4536-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4652-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4660-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4668-484-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4676-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4692-562-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4692-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4700-454-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4704-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4716-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4720-490-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4736-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4748-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4800-436-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4820-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4848-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4908-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4948-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4972-239-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5032-394-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5060-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5164-585-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5204-587-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5260-594-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads