312540ff9c637914195f8966d76943effb2d2e72c26e6b55fbe71c57bda96779

Analysis

max time kernel
97s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 14:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a9c32e4b109895ec88f3b7c38b3a4fc0N.exe
Size

128KB
MD5

a9c32e4b109895ec88f3b7c38b3a4fc0
SHA1

d79d0537b8bc62cc422f8d532977d683c0828660
SHA256

312540ff9c637914195f8966d76943effb2d2e72c26e6b55fbe71c57bda96779
SHA512

e10b4ec531239cedaef253262c381a61c78e958b97e65421aa117c65a85d8548c8d45be93e222f3501388debeac7d3af30f8f01c54881d9f7f20de370224b582
SSDEEP

3072:olc/Fkkn33BOiM6PtOZMQ/sTEQaYFDd1AZoUBW3FJeRuaWNXmgu+tB:+8siMVMAsTI6dWZHEFJ7aWN1B

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipnjab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmkfhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klqcioba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbaipkbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlpkba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfcbjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imoneg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibgmdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kiidgeki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mipcob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a9c32e4b109895ec88f3b7c38b3a4fc0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbjlfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nebdoa32.exe

Executes dropped EXE 64 IoCs

pid	Process
2576	Immapg32.exe
4900	Icgjmapi.exe
3924	Iehfdi32.exe
2672	Imoneg32.exe
2112	Ipnjab32.exe
4192	Iblfnn32.exe
3548	Iejcji32.exe
4092	Imakkfdg.exe
2456	Ibnccmbo.exe
1512	Iemppiab.exe
2412	Iihkpg32.exe
404	Ifllil32.exe
2496	Jfcbjk32.exe
2328	Jlpkba32.exe
4988	Jbjcolha.exe
4480	Jidklf32.exe
3620	Jcioiood.exe
1804	Jeklag32.exe
1928	Jmbdbd32.exe
2760	Jpppnp32.exe
2312	Kboljk32.exe
2524	Kiidgeki.exe
2444	Klgqcqkl.exe
2804	Kbaipkbi.exe
2292	Kepelfam.exe
5016	Kpeiioac.exe
3292	Kebbafoj.exe
3744	Klljnp32.exe
1192	Kfankifm.exe
4068	Kmkfhc32.exe
3732	Kbhoqj32.exe
4572	Kibgmdcn.exe
2904	Klqcioba.exe
2684	Lbjlfi32.exe
3420	Liddbc32.exe
4832	Lpnlpnih.exe
4420	Lekehdgp.exe
3736	Llemdo32.exe
3300	Lpqiemge.exe
4764	Lfkaag32.exe
3332	Lmdina32.exe
2060	Lbabgh32.exe
1656	Lmgfda32.exe
4512	Lpebpm32.exe
4636	Lgokmgjm.exe
3224	Lingibiq.exe
1600	Lphoelqn.exe
1260	Mbfkbhpa.exe
1336	Mipcob32.exe
4960	Mpjlklok.exe
2692	Mchhggno.exe
4200	Mmnldp32.exe
4492	Mplhql32.exe
4876	Mckemg32.exe
4692	Meiaib32.exe
2388	Mmpijp32.exe
1112	Mpoefk32.exe
2280	Mgimcebb.exe
1208	Migjoaaf.exe
4000	Mlefklpj.exe
2512	Mdmnlj32.exe
716	Mgkjhe32.exe
2216	Miifeq32.exe
3584	Npcoakfp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Imakkfdg.exe	Iejcji32.exe
File created	C:\Windows\SysWOW64\Dfdjmlhn.dll	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Pmidog32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Bgpmhl32.dll	Imoneg32.exe
File opened for modification	C:\Windows\SysWOW64\Llemdo32.exe	Lekehdgp.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pclgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Ibnccmbo.exe	Imakkfdg.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Kpeiioac.exe	Kepelfam.exe
File opened for modification	C:\Windows\SysWOW64\Ndokbi32.exe	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Odocigqg.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ncnaabfm.dll	Jlpkba32.exe
File opened for modification	C:\Windows\SysWOW64\Lpnlpnih.exe	Liddbc32.exe
File created	C:\Windows\SysWOW64\Lingibiq.exe	Lgokmgjm.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Jcioiood.exe	Jidklf32.exe
File created	C:\Windows\SysWOW64\Qncbfk32.dll	Lpebpm32.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Lphoelqn.exe	Lingibiq.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Gqckln32.dll	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Icgjmapi.exe	Immapg32.exe
File created	C:\Windows\SysWOW64\Lekehdgp.exe	Lpnlpnih.exe
File created	C:\Windows\SysWOW64\Mdmnlj32.exe	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Nepgjaeg.exe	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Kibgmdcn.exe	Kbhoqj32.exe
File created	C:\Windows\SysWOW64\Pnjknp32.dll	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Iehfdi32.exe	Icgjmapi.exe
File created	C:\Windows\SysWOW64\Aomaga32.dll	Lmgfda32.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Npcoakfp.exe	Miifeq32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Elocna32.dll	Pnlaml32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7928	7836	WerFault.exe	305

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqiemge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpeiioac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhoqj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlklok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kboljk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iblfnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iemppiab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnlpnih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kibgmdcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpoefk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfcbjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iejcji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9c32e4b109895ec88f3b7c38b3a4fc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kepelfam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kiidgeki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjlibkf.dll"	Miifeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfaklh32.dll"	Kiidgeki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kepelfam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kboljk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjiccacq.dll"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donfhp32.dll"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkhqj32.dll"	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klljnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjakkfbf.dll"	Iejcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adopjh32.dll"	Iemppiab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jidklf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goaojagc.dll"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmehcnhg.dll"	Iblfnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kebbafoj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2576	1732	a9c32e4b109895ec88f3b7c38b3a4fc0N.exe	84
PID 1732 wrote to memory of 2576	1732	a9c32e4b109895ec88f3b7c38b3a4fc0N.exe	84
PID 1732 wrote to memory of 2576	1732	a9c32e4b109895ec88f3b7c38b3a4fc0N.exe	84
PID 2576 wrote to memory of 4900	2576	Immapg32.exe	85
PID 2576 wrote to memory of 4900	2576	Immapg32.exe	85
PID 2576 wrote to memory of 4900	2576	Immapg32.exe	85
PID 4900 wrote to memory of 3924	4900	Icgjmapi.exe	86
PID 4900 wrote to memory of 3924	4900	Icgjmapi.exe	86
PID 4900 wrote to memory of 3924	4900	Icgjmapi.exe	86
PID 3924 wrote to memory of 2672	3924	Iehfdi32.exe	87
PID 3924 wrote to memory of 2672	3924	Iehfdi32.exe	87
PID 3924 wrote to memory of 2672	3924	Iehfdi32.exe	87
PID 2672 wrote to memory of 2112	2672	Imoneg32.exe	88
PID 2672 wrote to memory of 2112	2672	Imoneg32.exe	88
PID 2672 wrote to memory of 2112	2672	Imoneg32.exe	88
PID 2112 wrote to memory of 4192	2112	Ipnjab32.exe	89
PID 2112 wrote to memory of 4192	2112	Ipnjab32.exe	89
PID 2112 wrote to memory of 4192	2112	Ipnjab32.exe	89
PID 4192 wrote to memory of 3548	4192	Iblfnn32.exe	90
PID 4192 wrote to memory of 3548	4192	Iblfnn32.exe	90
PID 4192 wrote to memory of 3548	4192	Iblfnn32.exe	90
PID 3548 wrote to memory of 4092	3548	Iejcji32.exe	91
PID 3548 wrote to memory of 4092	3548	Iejcji32.exe	91
PID 3548 wrote to memory of 4092	3548	Iejcji32.exe	91
PID 4092 wrote to memory of 2456	4092	Imakkfdg.exe	92
PID 4092 wrote to memory of 2456	4092	Imakkfdg.exe	92
PID 4092 wrote to memory of 2456	4092	Imakkfdg.exe	92
PID 2456 wrote to memory of 1512	2456	Ibnccmbo.exe	93
PID 2456 wrote to memory of 1512	2456	Ibnccmbo.exe	93
PID 2456 wrote to memory of 1512	2456	Ibnccmbo.exe	93
PID 1512 wrote to memory of 2412	1512	Iemppiab.exe	94
PID 1512 wrote to memory of 2412	1512	Iemppiab.exe	94
PID 1512 wrote to memory of 2412	1512	Iemppiab.exe	94
PID 2412 wrote to memory of 404	2412	Iihkpg32.exe	95
PID 2412 wrote to memory of 404	2412	Iihkpg32.exe	95
PID 2412 wrote to memory of 404	2412	Iihkpg32.exe	95
PID 404 wrote to memory of 2496	404	Ifllil32.exe	96
PID 404 wrote to memory of 2496	404	Ifllil32.exe	96
PID 404 wrote to memory of 2496	404	Ifllil32.exe	96
PID 2496 wrote to memory of 2328	2496	Jfcbjk32.exe	97
PID 2496 wrote to memory of 2328	2496	Jfcbjk32.exe	97
PID 2496 wrote to memory of 2328	2496	Jfcbjk32.exe	97
PID 2328 wrote to memory of 4988	2328	Jlpkba32.exe	98
PID 2328 wrote to memory of 4988	2328	Jlpkba32.exe	98
PID 2328 wrote to memory of 4988	2328	Jlpkba32.exe	98
PID 4988 wrote to memory of 4480	4988	Jbjcolha.exe	99
PID 4988 wrote to memory of 4480	4988	Jbjcolha.exe	99
PID 4988 wrote to memory of 4480	4988	Jbjcolha.exe	99
PID 4480 wrote to memory of 3620	4480	Jidklf32.exe	100
PID 4480 wrote to memory of 3620	4480	Jidklf32.exe	100
PID 4480 wrote to memory of 3620	4480	Jidklf32.exe	100
PID 3620 wrote to memory of 1804	3620	Jcioiood.exe	101
PID 3620 wrote to memory of 1804	3620	Jcioiood.exe	101
PID 3620 wrote to memory of 1804	3620	Jcioiood.exe	101
PID 1804 wrote to memory of 1928	1804	Jeklag32.exe	102
PID 1804 wrote to memory of 1928	1804	Jeklag32.exe	102
PID 1804 wrote to memory of 1928	1804	Jeklag32.exe	102
PID 1928 wrote to memory of 2760	1928	Jmbdbd32.exe	103
PID 1928 wrote to memory of 2760	1928	Jmbdbd32.exe	103
PID 1928 wrote to memory of 2760	1928	Jmbdbd32.exe	103
PID 2760 wrote to memory of 2312	2760	Jpppnp32.exe	104
PID 2760 wrote to memory of 2312	2760	Jpppnp32.exe	104
PID 2760 wrote to memory of 2312	2760	Jpppnp32.exe	104
PID 2312 wrote to memory of 2524	2312	Kboljk32.exe	105

C:\Users\Admin\AppData\Local\Temp\a9c32e4b109895ec88f3b7c38b3a4fc0N.exe
"C:\Users\Admin\AppData\Local\Temp\a9c32e4b109895ec88f3b7c38b3a4fc0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\Immapg32.exe
  C:\Windows\system32\Immapg32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\SysWOW64\Icgjmapi.exe
    C:\Windows\system32\Icgjmapi.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4900
  - - C:\Windows\SysWOW64\Iehfdi32.exe
      C:\Windows\system32\Iehfdi32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3924
    - - C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2672
      - C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2804
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        30⤵
        Executes dropped EXE
        
        PID:1192
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4068
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2684
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3420
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4420
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3736
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3300
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3332
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        43⤵
        Executes dropped EXE
        
        PID:2060
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1656
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4512
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4636
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3224
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1336
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        52⤵
        Executes dropped EXE
        
        PID:2692
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        53⤵
        Executes dropped EXE
        
        PID:4200
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        54⤵
        Executes dropped EXE
        
        PID:4492
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        55⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        57⤵
        Executes dropped EXE
        
        PID:2388
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1112
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2280
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        62⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        63⤵
        Executes dropped EXE
        
        PID:716
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3584
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        66⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2844
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4312
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        69⤵
        
        PID:748
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        70⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        72⤵
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        73⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        74⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3812
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        76⤵
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        77⤵
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:668
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        79⤵
        Drops file in System32 directory
        
        PID:768
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        80⤵
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        81⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        82⤵
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        83⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:5312
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        85⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        87⤵
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        88⤵
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        89⤵
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5668
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        93⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:5760
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:5804
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:5852
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        99⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6088
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        102⤵
        Drops file in System32 directory
        
        PID:3084
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        105⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        106⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        107⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5632
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        109⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        110⤵
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        112⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        113⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        114⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        115⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        116⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        117⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5740
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5844
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        120⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        121⤵
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3872
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        123⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5552
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        124⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:6128
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        126⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        127⤵
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:6036
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5696
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:5252
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        132⤵
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:6188
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6240
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6288
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        137⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        138⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        139⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6432
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6480
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6524
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        142⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6620
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        144⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6664
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6708
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        146⤵
        Modifies registry class
        
        PID:6752
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        147⤵
        Modifies registry class
        
        PID:6796
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        148⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        149⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        150⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6936
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        151⤵
        Drops file in System32 directory
        
        PID:6988
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7032
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        153⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        154⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        155⤵
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        156⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        157⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        158⤵
        Drops file in System32 directory
        
        PID:6348
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6416
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        160⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6508
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        161⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        162⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6648
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        163⤵
        Modifies registry class
        
        PID:6728
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        164⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        165⤵
        Drops file in System32 directory
        
        PID:6900
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:6944
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7028
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        168⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:7144
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6200
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6276
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6396
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6476
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:6608
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6692
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        176⤵
        Modifies registry class
        
        PID:6840
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        177⤵
        Drops file in System32 directory
        
        PID:6928
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        178⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        179⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        180⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        181⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6444
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        183⤵
        Drops file in System32 directory
        
        PID:6584
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        184⤵
        Drops file in System32 directory
        
        PID:6804
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        185⤵
        Modifies registry class
        
        PID:6996
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        186⤵
        Modifies registry class
        
        PID:7040
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        187⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6184
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        188⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        189⤵
        Drops file in System32 directory
        
        PID:6652
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6952
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        191⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7068
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6428
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        193⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7164
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:6736
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6496
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        197⤵
        Drops file in System32 directory
        
        PID:6932
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7184
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        199⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7228
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        200⤵
        System Location Discovery: System Language Discovery
        
        PID:7272
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        201⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7316
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        202⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7360
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        203⤵
        Modifies registry class
        
        PID:7404
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:7448
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7492
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7544
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7596
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        208⤵
        Drops file in System32 directory
        
        PID:7644
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7704
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        210⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7748
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        211⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7792
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        212⤵
        System Location Discovery: System Language Discovery
        
        PID:7836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7836 -s 408
        213⤵
        Program crash
        
        PID:7928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7836 -ip 7836
1⤵
PID:7896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bgpmhl32.dll

Filesize
7KB

MD5
5509d53835f85af0f0a822b149ec0d98

SHA1
cdf2c0fbbb011aaeba8b2d68456a208aa53bdfe9

SHA256
6e2d9d8bc9e0b5a07443d6b8eb18a2472521d1692be5f4f51523264a8a52933d

SHA512
d2bdebf23f81c515be100d526228c6506402016c92f5a4ff7b6c2617d2662cb542ce8e1b3cb0933afc4f88ac46298b62d7f38d95847a57b4bf8f315c236537e2

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
128KB

MD5
258172af810ac3a17dffed61539827cb

SHA1
e86f29a7a040a6cc640d7fe4b1db13671fde736f

SHA256
4f4ae490a4ad653e79a826211e987d20b079b9da53808ab231969b75fac1b99f

SHA512
1ada43e998dc4c8fadb5603e074b96bed1c0ace46edea9d85f2ab6512a88c80fc372b8548673ad4da16c55a3183506e70d6ee4dbadbe69a0d26e6ea651c0a042

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
128KB

MD5
272c30f984c647e695934e252c836aca

SHA1
609d0d3f942b03de7743d77d007ff576fa4963e3

SHA256
74a2bc1edac3301b33c0a092087221073bbbfe7b7644fb81f343ef658c3e8e93

SHA512
eb9e2972eb93fbef5beffd5cb91299909b14c26a8f9c3f298f662022b89c8f76ac354091bf5ff9aafa1bdcd80a46fdc5c5731a8c85cdf1ceaf9a3f1d6833981e

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
128KB

MD5
d893b778b627b1e8662acdc257ce70b3

SHA1
3f3e540453dfb210ec144ccce094fc447bfa5ca5

SHA256
c726957e6786d42d278018d788263df386dff8307bdb777ea77729c4b944313d

SHA512
4508bfed7d3ed4ebda59c0e52463784732344379bf9af52f9b3257b73fbcff1c5b094224d9a2c4334eecc769dd0f23565edcdaa8cd38d4410f935f27a3d87c7e

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
128KB

MD5
9e1b51e9429f60b31fcc918df4ca7851

SHA1
ace1a776357d1c29b88a10ee42073ce82e9de917

SHA256
41d9be388dde65d5a3836db87f41b68b88b777893872bebe1b946c902afe7e1d

SHA512
892072d02f9562c6be23a6a55602e88714ad316085ae9dbce17530973026b07c9ff1d56277cf5c9f50aafe195b33c8539ef065afca16fb7b82e2ef607febcc3e

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
128KB

MD5
92507007e1657c31b77247381a9cfef2

SHA1
d6c74faab9ddfbc661f85dd921c65b06f99e1518

SHA256
e1ed047ea2457cfb4f6f5a7b05ced6044985a4ae563e8e1a933789503810fc4c

SHA512
09475baab21e8bfa554b9095adad57f992464802d6d1842418094495ff1fc6c1472eeb93db53482fb776ecffcc241e8b9b9db471d27d5f117944b8bffa309555

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
128KB

MD5
d785530de42aa1bb23b4d47df3485cbf

SHA1
95586ab80fba68335953836089f5be2df3fadca1

SHA256
a70a75409b9db5469af68b165878ef4a8608486942fef2461d6e5da547192024

SHA512
8e71c4fee6009239df93751b70fb07404c9690f605a9704fe4b9447f905cb1a2ff77c73cd1269a06d20278962e7521984785e387225cc7c2a8b0e92477bec141

Download Submit
C:\Windows\SysWOW64\Iblfnn32.exe

Filesize
128KB

MD5
5cbb31466599b26b1cba2dc913a80e5d

SHA1
f7533487fb56d0dbb9ce6061697056fa3dd116f2

SHA256
fd953d5ac68b657d5c8387dab7e6609d375fb20a6a4af7f06339aea3f9f77ec1

SHA512
ea9edf5bc00be2542719926d684f00d6a2c2db4e8ae61579377a28363c03b52994ab83325a224b87a9d47235ec268581a1d7462757afe10aba719bb5cf1dd044

Download Submit
C:\Windows\SysWOW64\Ibnccmbo.exe

Filesize
128KB

MD5
30f2df35511cb33db255fd76bf0db478

SHA1
30acaf6c9084e1b7f940853c3cb82dc188ff1a5a

SHA256
8fb44a625f8b3486a829b2bc6ce8759ab1924628386e3bf480667225dd7ed116

SHA512
c8c923eb5bfbf9d94715c3177126b78083e4df0b762fba47ad91ff7025e74b0c5a0a9a87d4696f0028abe3595abfb93bd5806c963ebcf2927759f76ce6ce5b3e

Download Submit
C:\Windows\SysWOW64\Icgjmapi.exe

Filesize
128KB

MD5
de743d3e87e92c29bef13fae65c8a4a8

SHA1
6555e2d29c47b8641232bdd130f06bc82c9fcab6

SHA256
d35f382c0535a1ff9274f2796938597da5b33bd0d5de6128f1fb5128f382c202

SHA512
23cd70655ed41f6c8abb8b03fffe31a5b72bb304df9f4069ab13c5a80b1f5fdb90fb2a06179fa81cfb33ac3e86952962fa2e108548e2a492209dd93bb3dcaaac

Download Submit
C:\Windows\SysWOW64\Iehfdi32.exe

Filesize
128KB

MD5
27f237500ebb67ef54e2bcb04e5d8a54

SHA1
0f260c747db853c68d12107c69ae8a77d73b0dc4

SHA256
ead45440d662ecc3e1a2b1883e52f2eb41b8441b77a4c533f5482f5a8ea72b42

SHA512
9db21f7fc587c29a6e3cfd080b02b85ac4f107850e57107f68f19f62e2fd3a296787f10b2bd3cfcd89912e894fbf8e3c75d2c33350104e45020578a19d8d5b87

Download Submit
C:\Windows\SysWOW64\Iejcji32.exe

Filesize
128KB

MD5
5dddcfba55934a920a9e4df45e370134

SHA1
9c975ec5f32a91e6f21546d7fe62d336ada09f31

SHA256
9df246af0d1db15b3fa33cb1a8b852965f69180cf6926dba9d0251a0ff77e50b

SHA512
4d75fce178dd78a54641824eac5bbf211d13d164251a65b97e2f046ad230a19a9d239ea77b2fcea5a0211998aea9eea2569c99ec91875a26d86ecac0f711219a

Download Submit
C:\Windows\SysWOW64\Iemppiab.exe

Filesize
128KB

MD5
aab114f47486ea693b7895567411476a

SHA1
ccd70313880317dd7f929fa49fbbd7858290cc30

SHA256
0386abc4178bb8b6839129b34491be863be4377ef2aa10a7a78af85061a18a3e

SHA512
f81282f2a0cfae6156777adbb4f68cd590d1a57e6f80dce07be536932fff7cd7a32bf2700b02a8b508f5a8d861bb488de44fe3d13d163cd7272b6e6dde715344

Download Submit
C:\Windows\SysWOW64\Ifllil32.exe

Filesize
128KB

MD5
e2b72ec7f3bddd1c466e747b6884b4c7

SHA1
66a71f93921828a81b93be41c62ebceaa9566605

SHA256
56e00e65da31b7513e223b75b19899ab58aa124522eda95b65ff740ac3c9beaa

SHA512
e62f96c3daf26c171c865b69c8b112d0a1fd949dd1ae7bde2c04e874e2d858ca779b581cea1478faf0d63ac1b6939627ba0926f5446092ac6ce39852055555e8

Download Submit
C:\Windows\SysWOW64\Iihkpg32.exe

Filesize
128KB

MD5
e754dc3e8dfc20bdeac1e1a333694405

SHA1
0d8c0235681ddef4b6b65761b21528d2c6e1e814

SHA256
4566fa36f4738ab9d6f43a44436da2e2e222edbdf431ade2c4e0caf7c3bfc119

SHA512
fc87120994a812d74bde98454634e7c4d529c1746d8d8787b7884cf739e1c0347347687b44fb4036762317b864c993ae286c74d47fb3927ebbdff0daf96a508a

Download Submit
C:\Windows\SysWOW64\Imakkfdg.exe

Filesize
128KB

MD5
2d44b997a1ca487de22836a171b4ea26

SHA1
39320185e4633bddc520f010984cabec3a5a9191

SHA256
50e84b7267a866956e80ec1de065bedb9b8416c9bbd9113407965eb48129ab7b

SHA512
99a3290a746210fae1e8ce17108d0a32bfafd0f6576c9e48ceb487ab8c0346de116d9cb3758bf93f2477002f864ec21f6e8dd06d3c5e97baed325106d3520bcd

Download Submit
C:\Windows\SysWOW64\Immapg32.exe

Filesize
128KB

MD5
33398ae93f6c450bcb46a57bb0f6227d

SHA1
2ac08171c6e2777d4a2af470423490447c52ded4

SHA256
3e6d6dfa1fd244820569b74dcd2252d1a75c0895b41fc7cd7215a87398f86d41

SHA512
d66c69cd55764508fec8558f97b5d9d23685ac1d78998af3c2a4225ff52ba3b621080a59e7fc4981bb3977939e5a3590c44c9d939612fc3bd2632ac1c2f8249e

Download Submit
C:\Windows\SysWOW64\Imoneg32.exe

Filesize
128KB

MD5
c8d884cafe624ff08957104ff6464c96

SHA1
9661fdf0e864c76028db33dded5a7ef2332292aa

SHA256
47850e2c76a8feb63d354948c45da38c4a5f0061ffe23a6886679ae1fb7ff425

SHA512
1b9fdaefcb8495dfa5d0c53127cc4e02042a3f32660cf0b4b0c5510ef43b4c3194152638f0bf1edbf8a6f46efcfb3b8a58e4ffa7db7fa7a6509d7c56a75f6ef3

Download Submit
C:\Windows\SysWOW64\Ipnjab32.exe

Filesize
128KB

MD5
18ecb3c526082cc1d02160b4ea658473

SHA1
192e5dc07913c44dd3130d596bf2c75e986667d9

SHA256
dae677d270094f28294bcb809e24bbccc9089fe1333440e60f68409b86bcdecc

SHA512
617061b364aeabc22394cb82f794373747fe7c566ad988d44c561f361db7aec3394864454198fca1e6880745aa83b9975ef74974aed461571f3d0087b997772b

Download Submit
C:\Windows\SysWOW64\Jbjcolha.exe

Filesize
128KB

MD5
498561934235a282d58826ea553244e8

SHA1
9754cc25551e556fbef4893add2a4b9dc4241ecd

SHA256
002812a9f15870f58cdbea2bb9e686d31eb849d82a0f56ad14ae705ee0bc13b7

SHA512
7f05b72d30bdc189f5428457602e2bbdd0e368f1ef11a15fc2974aa51deef56759540d3c833739f699b3eadba6fcd85cc57379a906eb0aae8f51a6f87cb770b8

Download Submit
C:\Windows\SysWOW64\Jcioiood.exe

Filesize
128KB

MD5
af24999c26a5ad0f631d336fcc998397

SHA1
92f8af3a7a749a6a81f21b193a3834d3e6c9ad9e

SHA256
03f3880a4747ba49341a73a45402cd4c5abbae2714d4d281846e2f05d064dfc9

SHA512
f283625adbc687ca27654971cc7a10e374635624d9d3c700dcdda6bab19c724d3a6ec36df0bf72a73cff221c0978e45fe55e77876911e11f607ef8feee1cc419

Download Submit
C:\Windows\SysWOW64\Jeklag32.exe

Filesize
128KB

MD5
826a66bccf9eb016d6645f58068afc30

SHA1
c12a168ed196cb7c2833e537d9b2ab6e34d09f68

SHA256
a4ee28a083f9b17b1c8c6b83e65014353e05197d203c6d5c5032286d18257f13

SHA512
74e58184bafbef879c4f64437559d505c74158934b80d3899a6ebb3911601a46f6716d74668e70e4e8d6ba08ddf1fb5aced1304849f3b38dca6f2ff51feda539

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
128KB

MD5
c64b85fbe871106ec3bbc121ef393daf

SHA1
11a11e654cfe721302030e0c2911f2e44937bdb9

SHA256
44101b0ce8270e109624737d0d8d31f5705b86e23826e1be6a24ebe4ce496297

SHA512
ee068218c993faacedb9bc71cfbcd9868a2bc630067def739509df92a049f28d203c087511dafd056380a7c3ec43330020d4ff9a104e332b7f78683349b74e47

Download Submit
C:\Windows\SysWOW64\Jidklf32.exe

Filesize
128KB

MD5
ec7b043c9692da827fcfcaf184f50e3d

SHA1
209600f24d96b15cc4938ee53b5c868744781828

SHA256
02dd1eb874dad010f7f447a5549739dea6da85f13662d52ba3b5aefc1757c3b6

SHA512
65f2d5f299b12ccc5cdb2f311b69f8d48ac0c64a95c618709077d650f2edd8846887a3bbd9e79bb1514d700fd1df8dec937be726cca641c9c0fdb40deb068fe9

Download Submit
C:\Windows\SysWOW64\Jlpkba32.exe

Filesize
128KB

MD5
b93ac7b18d28b9679966e50bd05abd9a

SHA1
4fa4abc350fa2a72063fc64ae8b6dabfaa0cebff

SHA256
8f082aa1ab435344dac43ddeb148b7d579f8bf19edc4268b608b2961c21c304e

SHA512
1f7212187159cae8dceb1513a745d55b0e20a5d1400bc9c72e82e5f3df7d92a68d7257c6924ed8f8648b85098115d97def3ac8ec18f69773e0a90c5246971e42

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
128KB

MD5
b6257fa3dad0bf3ff9759baf79706232

SHA1
39dd8d6ba7f39bc2605de297084933904e45d216

SHA256
0721fc11f811ebe9a21d8f77204272269856c7547f6d4e512d86f7a7d07c1198

SHA512
1676d20a5f6e2270acc6f8e55daedfbd417e9383c68f427c89f02c07f8cd17e56a5a6a26d69b3c4f99b3ae62f88f4796860bb49a1b27c96b87617bc4e57ce76e

Download Submit
C:\Windows\SysWOW64\Jpppnp32.exe

Filesize
128KB

MD5
24ff652c785d5f44498757b238afea8e

SHA1
2361e51ed00141cd9728d95e7bd149bcd62539db

SHA256
d9d42bcc4ff40051cd87b9dc64be7844bba5e10d271e7bf7b51e624d87ab7a09

SHA512
d94c619dbf2205f3fba073382db28d227eda497de25d96e077c51cd2e7278101130c6650259666b5d7ab31e109cb109ac8fff2c354381b3d4adc660b7ada2066

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
128KB

MD5
d54aee9054849b29d8273d6c0e3cdf17

SHA1
0826874ca3f023dbfd9f0e72b978d8e4081f25dd

SHA256
a5da5909cc829536bfc2abd086ba171206422ab48fcd64a8449de620aef5fd5b

SHA512
401aa09b5640e56d03192dfb512a34d491ec254fd3abb376ba29fa8330f0a27d883d1b9bb19e5a63a326600654f7038a86c2e212eb92692f0ceb48f898dd6cfe

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
128KB

MD5
8f787f823720ad832942df91e9de8d16

SHA1
4135a6437a774f291281edb1fa73a5254c521bfb

SHA256
dde4204dd217bce2c63741e4af3f16d9b95b06df51926c0ff6cc854342a3e1dc

SHA512
fbffab2810b2822280c06aabeb7ed047d236fce6218d12ecbe2969a0828e76ad166ae69dc8050623a0835caebc36d34c9d0f224ad5299c3d36aab1edd89542a5

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
128KB

MD5
f4c3d9f932ecaab9782077c13560b06e

SHA1
09236c59a0da444b3bba350936ff6debd5161458

SHA256
6095440cffb1a51364b324501ca17548751ed702b898709fd8ccc6660a912dee

SHA512
b327c849d148c1e47821c16b571bd5b9776b5aa0fbdb21ea82866d91ac969819a97e151ffa7e12687a96566d4b71d014663845e64dfc3d51f475f4a2f25951cf

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
128KB

MD5
3adec5cc4121627991f01dc997aeaee2

SHA1
14f115bbbfecabc87d624258634afa3fca727869

SHA256
0c6312c6793512229c6f858cd3b897f8eaf2f117f40894d5fa57f50ea4ae9142

SHA512
14c09fd97ea127b9b44c1f2bb6c69592dbbc5807cb79f41d6afbee46449a45673e19a606b2fd6f04c9022f0c744590f9df072ce73a12db7bcc006fed7f3e1034

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
128KB

MD5
3abfa10958f7b3659df26cfc69df1129

SHA1
1d760acea0c4e984b33b22ead86caa690966b158

SHA256
f86e5eab28f051e6ca94dee27b914eeb12e1801be5f14ec746d25d692c3894fe

SHA512
c1586173b06e022e43b1db24b117c84230a0658017b03e1e7f834c1c87a25d085e231148b4dcf381354f6e204385df885f9df4a8cc410c06650facf3ffb5def1

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
128KB

MD5
5803e93a15c56cdf30439e471090ef9b

SHA1
9e88d073a8710e5580ef5540932c0c4b884145f4

SHA256
1de7010583cc8ca4b84fc1728742e137f74b16b31202e4cf44a268a9f5cb8bd2

SHA512
b5e986e94c8b795b60b7509cbf663e76ccab49218ea6b00facc2a6e769bf15acf2dac4f02c761ebbe74b447e96a3906967056f3d45c038ca1a456f91869ac210

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
128KB

MD5
0b8f9984e8717475bee77e13886cafe7

SHA1
5425de287c82132e4c146aaabcdf50c55a5bc060

SHA256
37eb161ae28f946a7eb0ca9558b12256a42779de42fd41dfd23ae6f3c31490a3

SHA512
57fd213d4f32f2b3ca96d4891ed955330fe771f690b2f1c70970b375aa2048425556dc7f258247f305ce854e914b80fab36de20f64cbd1639f7e94a9fcefa963

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
128KB

MD5
05dbbc16a7e08da233756e9f9fb21d27

SHA1
289d2196821774d353cb8b3c896530986a9b061e

SHA256
9162a77b6e19f5b5ef8e89e7f1c60526c535f834c311269ec7acf8011cef0557

SHA512
3b87a26b01b7cfa3772dc1268b606e88ceb461e4222420728ade46290b5229842f0cf1e45d102f938376e18a3271f10de81114e385dc079bb1673c6a74da180d

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
128KB

MD5
9d0cf1cc035f3bd037ce0f7728c29811

SHA1
3866262934ed7dac388ea6be88758ff7856ef05d

SHA256
c7199d3d91a3176a692700df1e1755abb72a6c8423b87856506987ba6205c689

SHA512
10a937861130b35c85e6a374040de614741a832bbacfe5988492f671d910cc25bea8ea6f188c8ca46048ef3a8b5eb403ed1c336d20ad6eff8bf8b4091044b08a

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
128KB

MD5
271e7cc1bde4f828a44faf30e345c65d

SHA1
5f36ef2a2c5c8dc0543e6bf6564b4443480cbaf2

SHA256
7899d65375916704da492d53aafa42e8b23f2a76ca86901f453103bbc3d9e189

SHA512
a7b6b38efbb10c89288f796e23adef47e3a9487f1b6a7f1849ec7f4be207c634acbc028a5cb2215b7dcc0133a9954ca252ea42a3f8f14c2dc0faf5522cfe1195

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
128KB

MD5
06d3e440e899a0e5b3f7bbf2cb87d15d

SHA1
de6c7d0a8ab60ef603c7ba9fee8370e7c526db3f

SHA256
9fe9d3eb10921e93f24b407fe630a8cc12bf15cacb1e34e12198f5c69e9de885

SHA512
1fa0fe40cfe71ade5a19b568994120e1511eecfa4072f60add8e576083450efcd57efc1a6f7fb8ac2e05d7e40795bf05720d9f0742e5339375695aae24e9c153

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
128KB

MD5
0491e85e4f5bf1e5ca34e2e110f7953a

SHA1
dbd96fa905c5fc214e19eed5c35f8cdea1ac3caf

SHA256
3212967f36c00dcef9dc2b932e6a8543cfaada39fc9f0a6e5f67ffdc26d19696

SHA512
9e64c966494469362a37d1a834cc90211ecd03ea9e18ad7e1b04829300c8309c0be9d17c6ed715a575d60c605b46303d9e2e229b44be299cf50bf8a95f6e9274

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
128KB

MD5
a302ca17d644356c8b2ef224b6d7961c

SHA1
1c66f1f292e6f6b9adf36651f4bab02765621470

SHA256
9437c3875845b0f328d5d5994f5b96eed72ae38bdccd7cfd241d716f002e8992

SHA512
9fc37e8cebbfceb53ac7ed4cf5d353bb007238f0176e0c157baf3403582d8fb38cc710677b749dc5b56c82a42e600b3d67603f5d1bb8f0027ce7c12ac2a5ff3d

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
128KB

MD5
b318906ae49004bbcc5e4485e5b81607

SHA1
b058ec4f023c3d2b909d1041c3d77d412986ccda

SHA256
ab9fc338293c4bd96789f99d657f07890aa8f827c5ab54dd73b2cce7e79bb3d9

SHA512
d93b99d19f417908914141315b3b701dd8e4bf9e0328a1d27e34d89463080b3d1fb53909f32bb00d9e8b4fafee24d58f4d66a5187c557e561af86767c379467c

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
128KB

MD5
9b7fe4c336595cc865aab5a622703c48

SHA1
5de7c56e4a22228e0eb658d403aa602c663f13a3

SHA256
9865858ae8a88b984dfbb22025dbb912c151962fcb11b0099d6ca9e7bf4f20ff

SHA512
5e1da80f87add5cbcef079a01d4fad45b0502630639f6fde141eee237ae41505bffa427a3b09b7c2dd2ce33f814a628622141a4c5d4a3f054e4623d822518a74

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
128KB

MD5
b87fd0ba30119fdaf9b4ddac7aedbac5

SHA1
db591dd6a44cb29db295da6a308a0ca2dedc9032

SHA256
f35d696778a664ed09198d33786ee9efea74bf97aa6a85bbf0e77cb698936d95

SHA512
905f91088db99bd44200506892dbba64b38a1fa35a9eff4fc10b61cd0e03840118bc434073bf431fd0898b64965279d794d285d68a832da16c3c3471f34892a8

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
128KB

MD5
6992dc943168361f84043447d745a50a

SHA1
bb57640ae725f28b35b2ff290dd7fbf88bb06b7b

SHA256
bc27a4e4829d6b1fd2b9da3ed49846c2ba04959f6aaec45056d2319fdf6f711b

SHA512
6702026a3a31834ba547598da7ad05d7e28359c25772ccda896a88d339173a842e19c601888416f43b95b603c8d9c6daf4fac925306fd65be33a47ef0a6d3b79

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
128KB

MD5
38f3c38438b289fde9d441e253fcae49

SHA1
2a9d0a1872e758699ca6fa16dbbea1710cae0c2b

SHA256
9454f1e9a10e156b5493f0a14af5d6804e9e61dc9cb616457c1f86acce8a4841

SHA512
d19a05773d38f376eec8632e1e7d424c8e06574a23aa9f1c5937148808fd3b2f0846726fb804069df05aaf54409f272fa48ae9ef7529b25da894408d6d5c30f2

Download Submit
memory/404-99-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/404-188-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1192-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1192-249-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1260-386-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1336-393-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1512-174-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1512-81-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1600-379-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1656-351-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1656-420-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1732-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1732-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1804-157-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1928-248-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1928-161-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2060-344-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2060-413-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2112-124-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2112-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2292-220-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2292-294-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2312-184-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2312-273-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2328-116-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2328-214-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2412-90-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2412-182-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2444-205-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2456-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2456-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2496-107-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2496-204-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2524-203-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2576-89-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2576-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2672-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2672-115-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2684-357-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2684-288-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2692-407-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2760-175-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2804-287-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2804-206-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2904-281-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2904-350-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3224-372-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3292-233-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3292-308-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3300-392-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3300-323-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3332-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3332-337-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3420-295-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3420-364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3548-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3548-147-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3620-148-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3732-266-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3732-336-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3736-316-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3736-385-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3744-240-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3744-315-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3924-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3924-106-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4068-329-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4068-257-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4092-156-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4092-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4192-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4192-133-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4200-414-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4420-378-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4420-309-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4480-232-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4480-134-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4492-421-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4512-427-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4512-358-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4572-275-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4572-343-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4636-365-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4636-434-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4764-399-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4764-330-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4832-302-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4832-371-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4876-428-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4900-98-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4900-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4960-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4988-217-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4988-125-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5016-224-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5016-301-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads