3812001c79fba08b7bdf754713d8cb2ceb81d24bbb323c606a018e8a1cd2f041

Analysis

max time kernel
101s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 21:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

57ffb4027c7f5e1f0dbfd66958829af0N.exe
Size

96KB
MD5

57ffb4027c7f5e1f0dbfd66958829af0
SHA1

765815ea0fcf1f57c03c4c4cfff0633c30d40ffc
SHA256

3812001c79fba08b7bdf754713d8cb2ceb81d24bbb323c606a018e8a1cd2f041
SHA512

ba7f4077af8d84dec316b13edcc17f1f8a4729314efbfac5af3bcfe6aa8b1c3548d0a9a5722b52cf8b1b89464e7236e6affd63d980a6fa32a1f83f8bfeca17df
SSDEEP

1536:J1l4KhdGVnBcDPQTaARC2o0tCE4TW/t95oduV9jojTIvjrH:J1lThdGVnBIQTfu0R/L5od69jc0vf

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iblfnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iifokh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iblfnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jioaqfcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmijbcpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miemjaci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibnccmbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lllcen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfmmcbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipkhdeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mibpda32.exe

Executes dropped EXE 64 IoCs

pid	Process
4768	Iblfnn32.exe
2560	Iifokh32.exe
1644	Ippggbck.exe
1080	Ibnccmbo.exe
2236	Ifjodl32.exe
3864	Imdgqfbd.exe
3360	Icnpmp32.exe
4536	Ieolehop.exe
4440	Imfdff32.exe
4560	Ipdqba32.exe
2856	Ibcmom32.exe
2132	Jeaikh32.exe
3456	Jmhale32.exe
5080	Jcbihpel.exe
1424	Jfaedkdp.exe
2632	Jioaqfcc.exe
1524	Jcefno32.exe
4292	Jianff32.exe
1664	Jlpkba32.exe
3640	Jbjcolha.exe
3332	Jidklf32.exe
4872	Jcioiood.exe
3848	Jeklag32.exe
3680	Jlednamo.exe
4772	Jpppnp32.exe
3208	Kboljk32.exe
1960	Kemhff32.exe
2012	Kmdqgd32.exe
3088	Kbaipkbi.exe
4072	Kepelfam.exe
548	Kmfmmcbo.exe
1596	Kdqejn32.exe
3744	Kebbafoj.exe
1380	Kmijbcpl.exe
1348	Kpgfooop.exe
4612	Kdcbom32.exe
3708	Kedoge32.exe
4616	Kipkhdeq.exe
2536	Kpjcdn32.exe
1156	Kbhoqj32.exe
2796	Kefkme32.exe
1604	Kmncnb32.exe
2692	Kplpjn32.exe
4896	Lbjlfi32.exe
1616	Leihbeib.exe
3936	Lmppcbjd.exe
1488	Lpnlpnih.exe
4036	Lbmhlihl.exe
5044	Lekehdgp.exe
2928	Ligqhc32.exe
3624	Llemdo32.exe
1728	Lpqiemge.exe
856	Lboeaifi.exe
2492	Liimncmf.exe
3940	Llgjjnlj.exe
4972	Ldoaklml.exe
3696	Lbabgh32.exe
4420	Likjcbkc.exe
4524	Lljfpnjg.exe
2396	Ldanqkki.exe
1912	Lebkhc32.exe
5060	Lllcen32.exe
2528	Lphoelqn.exe
4796	Mgagbf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Debdld32.dll	Opakbi32.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Iifokh32.exe	Iblfnn32.exe
File created	C:\Windows\SysWOW64\Mjddiqoc.dll	Jcefno32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmnlj32.exe	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Likjcbkc.exe	Lbabgh32.exe
File created	C:\Windows\SysWOW64\Ngmgne32.exe	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Kpgfooop.exe	Kmijbcpl.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Mplhql32.exe	Mibpda32.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Jidklf32.exe	Jbjcolha.exe
File created	C:\Windows\SysWOW64\Ligqhc32.exe	Lekehdgp.exe
File created	C:\Windows\SysWOW64\Gilnhifk.dll	Ligqhc32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Ingapb32.dll	Jidklf32.exe
File created	C:\Windows\SysWOW64\Kplpjn32.exe	Kmncnb32.exe
File created	C:\Windows\SysWOW64\Pmannhhj.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Olkhmi32.exe	Ojllan32.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Benlnbhb.dll	Lekehdgp.exe
File created	C:\Windows\SysWOW64\Mgddhf32.exe	Mipcob32.exe
File created	C:\Windows\SysWOW64\Ncbknfed.exe	Mlhbal32.exe
File opened for modification	C:\Windows\SysWOW64\Kebbafoj.exe	Kdqejn32.exe
File created	C:\Windows\SysWOW64\Kmncnb32.exe	Kefkme32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Elogmm32.dll	Jcbihpel.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pqpgdfnp.exe
File opened for modification	C:\Windows\SysWOW64\Ngmgne32.exe	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Gbdhjm32.dll	Ngbpidjh.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Jpphah32.dll	Jbjcolha.exe
File created	C:\Windows\SysWOW64\Nhgfglco.dll	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Gjeieojj.dll	Ldanqkki.exe
File created	C:\Windows\SysWOW64\Nkenegog.dll	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Iblfnn32.exe	57ffb4027c7f5e1f0dbfd66958829af0N.exe
File opened for modification	C:\Windows\SysWOW64\Melnob32.exe	Mcmabg32.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pflplnlg.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Agoabn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7524	7440	WerFault.exe	291

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ligqhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbmhlihl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jianff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgfooop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnlpnih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmhale32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdqejn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbjcolha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlednamo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iifokh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibcmom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kboljk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcefno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlpkba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iblfnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipkhdeq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeaikh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekehdgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgjjnlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmijbcpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllcen32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llemdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogibpb32.dll"	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlkhie32.dll"	Ipdqba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnbnoffm.dll"	Jcioiood.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jidklf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhaomhld.dll"	Kmdqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpnnd32.dll"	Kdqejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncnaabfm.dll"	Jlpkba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hledan32.dll"	Kemhff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllifblf.dll"	Jfaedkdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjddiqoc.dll"	Jcefno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifbkgjd.dll"	Jeaikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdcbom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdjmlhn.dll"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjqkei32.dll"	57ffb4027c7f5e1f0dbfd66958829af0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lboeaifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbjcolha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kepelfam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfdodjhm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 4768	4180	57ffb4027c7f5e1f0dbfd66958829af0N.exe	85
PID 4180 wrote to memory of 4768	4180	57ffb4027c7f5e1f0dbfd66958829af0N.exe	85
PID 4180 wrote to memory of 4768	4180	57ffb4027c7f5e1f0dbfd66958829af0N.exe	85
PID 4768 wrote to memory of 2560	4768	Iblfnn32.exe	86
PID 4768 wrote to memory of 2560	4768	Iblfnn32.exe	86
PID 4768 wrote to memory of 2560	4768	Iblfnn32.exe	86
PID 2560 wrote to memory of 1644	2560	Iifokh32.exe	87
PID 2560 wrote to memory of 1644	2560	Iifokh32.exe	87
PID 2560 wrote to memory of 1644	2560	Iifokh32.exe	87
PID 1644 wrote to memory of 1080	1644	Ippggbck.exe	88
PID 1644 wrote to memory of 1080	1644	Ippggbck.exe	88
PID 1644 wrote to memory of 1080	1644	Ippggbck.exe	88
PID 1080 wrote to memory of 2236	1080	Ibnccmbo.exe	89
PID 1080 wrote to memory of 2236	1080	Ibnccmbo.exe	89
PID 1080 wrote to memory of 2236	1080	Ibnccmbo.exe	89
PID 2236 wrote to memory of 3864	2236	Ifjodl32.exe	90
PID 2236 wrote to memory of 3864	2236	Ifjodl32.exe	90
PID 2236 wrote to memory of 3864	2236	Ifjodl32.exe	90
PID 3864 wrote to memory of 3360	3864	Imdgqfbd.exe	91
PID 3864 wrote to memory of 3360	3864	Imdgqfbd.exe	91
PID 3864 wrote to memory of 3360	3864	Imdgqfbd.exe	91
PID 3360 wrote to memory of 4536	3360	Icnpmp32.exe	92
PID 3360 wrote to memory of 4536	3360	Icnpmp32.exe	92
PID 3360 wrote to memory of 4536	3360	Icnpmp32.exe	92
PID 4536 wrote to memory of 4440	4536	Ieolehop.exe	93
PID 4536 wrote to memory of 4440	4536	Ieolehop.exe	93
PID 4536 wrote to memory of 4440	4536	Ieolehop.exe	93
PID 4440 wrote to memory of 4560	4440	Imfdff32.exe	94
PID 4440 wrote to memory of 4560	4440	Imfdff32.exe	94
PID 4440 wrote to memory of 4560	4440	Imfdff32.exe	94
PID 4560 wrote to memory of 2856	4560	Ipdqba32.exe	95
PID 4560 wrote to memory of 2856	4560	Ipdqba32.exe	95
PID 4560 wrote to memory of 2856	4560	Ipdqba32.exe	95
PID 2856 wrote to memory of 2132	2856	Ibcmom32.exe	96
PID 2856 wrote to memory of 2132	2856	Ibcmom32.exe	96
PID 2856 wrote to memory of 2132	2856	Ibcmom32.exe	96
PID 2132 wrote to memory of 3456	2132	Jeaikh32.exe	97
PID 2132 wrote to memory of 3456	2132	Jeaikh32.exe	97
PID 2132 wrote to memory of 3456	2132	Jeaikh32.exe	97
PID 3456 wrote to memory of 5080	3456	Jmhale32.exe	98
PID 3456 wrote to memory of 5080	3456	Jmhale32.exe	98
PID 3456 wrote to memory of 5080	3456	Jmhale32.exe	98
PID 5080 wrote to memory of 1424	5080	Jcbihpel.exe	99
PID 5080 wrote to memory of 1424	5080	Jcbihpel.exe	99
PID 5080 wrote to memory of 1424	5080	Jcbihpel.exe	99
PID 1424 wrote to memory of 2632	1424	Jfaedkdp.exe	101
PID 1424 wrote to memory of 2632	1424	Jfaedkdp.exe	101
PID 1424 wrote to memory of 2632	1424	Jfaedkdp.exe	101
PID 2632 wrote to memory of 1524	2632	Jioaqfcc.exe	102
PID 2632 wrote to memory of 1524	2632	Jioaqfcc.exe	102
PID 2632 wrote to memory of 1524	2632	Jioaqfcc.exe	102
PID 1524 wrote to memory of 4292	1524	Jcefno32.exe	103
PID 1524 wrote to memory of 4292	1524	Jcefno32.exe	103
PID 1524 wrote to memory of 4292	1524	Jcefno32.exe	103
PID 4292 wrote to memory of 1664	4292	Jianff32.exe	104
PID 4292 wrote to memory of 1664	4292	Jianff32.exe	104
PID 4292 wrote to memory of 1664	4292	Jianff32.exe	104
PID 1664 wrote to memory of 3640	1664	Jlpkba32.exe	105
PID 1664 wrote to memory of 3640	1664	Jlpkba32.exe	105
PID 1664 wrote to memory of 3640	1664	Jlpkba32.exe	105
PID 3640 wrote to memory of 3332	3640	Jbjcolha.exe	107
PID 3640 wrote to memory of 3332	3640	Jbjcolha.exe	107
PID 3640 wrote to memory of 3332	3640	Jbjcolha.exe	107
PID 3332 wrote to memory of 4872	3332	Jidklf32.exe	108

C:\Users\Admin\AppData\Local\Temp\57ffb4027c7f5e1f0dbfd66958829af0N.exe
"C:\Users\Admin\AppData\Local\Temp\57ffb4027c7f5e1f0dbfd66958829af0N.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Windows\SysWOW64\Iblfnn32.exe
  C:\Windows\system32\Iblfnn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\SysWOW64\Iifokh32.exe
    C:\Windows\system32\Iifokh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\SysWOW64\Ippggbck.exe
      C:\Windows\system32\Ippggbck.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1644
    - - C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1080
      - C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3864
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        24⤵
        Executes dropped EXE
        
        PID:3848
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        26⤵
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3208
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        30⤵
        Executes dropped EXE
        
        PID:3088
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:548
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        34⤵
        Executes dropped EXE
        
        PID:3744
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3708
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        40⤵
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        41⤵
        Executes dropped EXE
        
        PID:1156
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1604
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        44⤵
        Executes dropped EXE
        
        PID:2692
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        45⤵
        Executes dropped EXE
        
        PID:4896
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        46⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        47⤵
        Executes dropped EXE
        
        PID:3936
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4036
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5044
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        53⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        55⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3940
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        57⤵
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3696
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4524
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2396
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        62⤵
        Executes dropped EXE
        
        PID:1912
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5060
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        64⤵
        Executes dropped EXE
        
        PID:2528
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        65⤵
        Executes dropped EXE
        
        PID:4796
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4828
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2320
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:4040
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        70⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3908
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:388
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        76⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        78⤵
        Drops file in System32 directory
        
        PID:1592
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:412
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:664
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        85⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        86⤵
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        87⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        88⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:5316
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5368
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5412
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        92⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        93⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        94⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        96⤵
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        99⤵
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5852
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        102⤵
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        103⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        104⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        105⤵
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        106⤵
        Drops file in System32 directory
        
        PID:6072
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        107⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5140
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        109⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        110⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5508
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5572
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        115⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        117⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        118⤵
        Drops file in System32 directory
        
        PID:5884
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5968
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        121⤵
        Drops file in System32 directory
        
        PID:6108
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        122⤵
        Drops file in System32 directory
        
        PID:5196
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        123⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        124⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:5528
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        126⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5620
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5752
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:5892
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        129⤵
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        131⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        133⤵
        Drops file in System32 directory
        
        PID:5672
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        134⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5240
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        137⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        138⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        139⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:6112
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        142⤵
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5144
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        144⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6176
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        146⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6280
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        148⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6332
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:6408
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        150⤵
        Drops file in System32 directory
        
        PID:6468
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6516
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        152⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        153⤵
        Modifies registry class
        
        PID:6644
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6712
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6764
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        156⤵
        Modifies registry class
        
        PID:6808
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6848
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6896
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:6940
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:6976
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        161⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7032
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7076
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7120
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        164⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        165⤵
        Drops file in System32 directory
        
        PID:6232
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:6320
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6464
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        168⤵
        Modifies registry class
        
        PID:6524
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        169⤵
        Modifies registry class
        
        PID:6620
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6728
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        171⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        172⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        173⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7020
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:7084
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        176⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7164
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        177⤵
        Drops file in System32 directory
        
        PID:6316
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6388
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        179⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        180⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6748
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6904
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        182⤵
        System Location Discovery: System Language Discovery
        
        PID:6948
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:7072
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        184⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6160
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        185⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        186⤵
        Drops file in System32 directory
        
        PID:6700
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        187⤵
        Modifies registry class
        
        PID:6880
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7012
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        189⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        190⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:6984
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        192⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        193⤵
        Modifies registry class
        
        PID:6824
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6560
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        195⤵
        Modifies registry class
        
        PID:6444
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7172
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        197⤵
        Drops file in System32 directory
        
        PID:7220
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7264
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        199⤵
        Drops file in System32 directory
        
        PID:7308
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        200⤵
        Modifies registry class
        
        PID:7352
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        201⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        202⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7440 -s 412
        203⤵
        Program crash
        
        PID:7524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 7440 -ip 7440
1⤵
PID:7496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
96KB

MD5
bc67389f715b16fd6cba0656bee6c369

SHA1
389e6f29d80ca8bcf7b0a6428139b970402d2cc2

SHA256
02bb01031c4cf69aca1d705eefab6d509bf279c75e74ed4d9b20a88f713aaaa7

SHA512
bd380451f7b1b7e8139eee8a488cce90cd1c890be25f7980b60150acc163c45cd770e0896143af92f69b72d6aa0fdf2021771a5097d755388720bb2d95b2a6e6

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
96KB

MD5
c76a5cac5425677291dee6773db3b575

SHA1
27c04cfd755215ddb6a831499762ba9a6b322a92

SHA256
c814f36a402194dd29e690fde03b24e94c2fe7550bb1faf89f47c547ade5a5f5

SHA512
a7160713b912cbc3b4db6cde4ecade34533a44f5be59ff5a883f28925a2b9abfab3631097c9b1030b0143c473713f50bbe67826334be98f698c5eb75ffe2a2a7

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
96KB

MD5
9a4b0c18b76802c697e829fb98f0f702

SHA1
0c838a0534a62bf4b4acfa4e3921267807ef6e7a

SHA256
cabbc2e24a85d25d57a98fd9a66b4bf7ebb65f623ebd36cf489a35f09d64b5dc

SHA512
ebeeb40e8d0e31bf0726a59e9cfcf380fdeee931596d3714276a554b2b6066ec83f342d6dd3d0e24edc76bcc1b81f58d1480c3bd1766a4b96a2cced1e0da7f3e

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
96KB

MD5
f749841fc226a5f3d0a2222e5f8b4768

SHA1
e54a4d182f231949c923e78d7c42404566943acd

SHA256
e3b3efd395c901048e83759ac6115720a3bc187332d2efb50f5f04adaeffe00a

SHA512
1a5331cd75c2d81053e681ffe0de0a5b595e4f2ef00bc237fda2f48de151ea14354adb1adf3ae87e34c97598cc01dce850d81f2f540ce387932b999e02e3c3d2

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
96KB

MD5
579fe29cc567230de5e322cc2ed168e7

SHA1
a20172cc86ad999299095843079e3723c43fb0b5

SHA256
011f11530d9b91f0337412417e9629334d25d2cc925ca3b5d8aab6a0d0e66178

SHA512
586ff7dbcb0361dffcd01f105c99861f19b5de3b32fa3828ab500aab66efa3ab1da6dcdb03bc0737e794c869a94e0b6731566a0d1f3a4a8f15c59910c269bf0c

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
96KB

MD5
d16dadbfc5b2c504e87df7c5f906d24c

SHA1
ec4ad90413821911b06ce40142368613574be8d1

SHA256
6b4920f147213fc0e51e25b03ad3ee7e37ea58c3c818a8b7af7f2c93ec4d4956

SHA512
5120c78fe6c20da6515747d9d6297cf104cb7ea6e8a2c9a7bbe5fb8af8c9a9211c6da40690b2a481a7de8fd12b64cf5b0f097efbe91936e19ea4e8bf54c8e0fb

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
96KB

MD5
74b6511abf73c7147088fa04b78cae3c

SHA1
22aa23ce28c271fded27a5af9a920ce8a4233450

SHA256
ec30c57397d88863f86cfe5c3f95469312d728624f6e7209c67d3e3ed82f9852

SHA512
b0b3859c875eeb9a42349443730cfbcabba588973e70dbe5cf9d7c52cc9a5ca80f8c60cf758fa22b4b759238e0fea392891dbdb564b0c291d86b874a06d96cd6

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
96KB

MD5
b7471221c9c4bb18258011a579d507fc

SHA1
5755bdb23feae9d9450a97728561c29e60752b0f

SHA256
e72e92c8238e33f1af1362b53e326c85574d665921c96cc533b8f3500d1fd121

SHA512
3480d56e9a9ad4cb084898459a97e6aed2e031f45ccdae51adfe4f84e0c90755da59ceed01c0f6a22f44cb5714e35c0257244282b42e9da33bc1cab44b4c443b

Download Submit
C:\Windows\SysWOW64\Ibcmom32.exe

Filesize
96KB

MD5
8a005958339522d74f59d483a7788dc7

SHA1
a7b7149b2ccb96224974965d22cc49ce5ec2fbe1

SHA256
375620e25161484a0e8042c26d3bb08a3b4cc92dea069091f06266257ad0d4d1

SHA512
81696d94266d97dd7add64f46272e0f5e43d7acdb61972b1366fe781492feecd75dd6295323683224067be8a50c7c5df2017ac4c7b4e2c9848207bbd1fc51ed3

Download Submit
C:\Windows\SysWOW64\Iblfnn32.exe

Filesize
96KB

MD5
1bef47956cd2583a16136f0206c1aa05

SHA1
635c4e08ed62f5482408edb8549c2cb18fabb432

SHA256
3d8caac5ab3f8e4761deb552af2d31257ba7e6d55ff478707302ea4c43ca6fff

SHA512
de0ab8ae48d6c50b71c55d52e7606b2f9c9e6a8f70439c7282a96033ee4b2df1a828a515ee3726d69a6e883276acd352589d35c5c2a64e3346524c9c794e7499

Download Submit
C:\Windows\SysWOW64\Ibnccmbo.exe

Filesize
96KB

MD5
70bda463ebd69b2ad4777ac32aabf640

SHA1
82c1863e6568c255c01bec064c6a1d0b441d04ff

SHA256
d4f881b1c7649516004ee072b6caa1f1a1a543f3d144ed5984c33670ffd71e41

SHA512
d65ee175bd9306095bb2a4b6bd1275e3d8aa9bc435e2681dadece463ddc04d9a3a28157999f3c8456970ac74fe23828f9f1edff0a6d850e80ec6b563d93ef48b

Download Submit
C:\Windows\SysWOW64\Icnpmp32.exe

Filesize
96KB

MD5
ae04b90810b23091c84dc76c34720309

SHA1
c59603646bdeb59c22e088f27d1359334970e5ef

SHA256
e2be930065b1fe72e45c84b5ecf01311028099ee69bc1928749b757e82f834cb

SHA512
cda2c44022feb71bf0e5e3c1d6870124d1201988f786ed360b6e3ba5219c34439affc1053d0c5e02003e75b5921b4f74d3045328b6c92c79338b8ee82fd90e27

Download Submit
C:\Windows\SysWOW64\Ieolehop.exe

Filesize
96KB

MD5
1d356afff0b50293146543fd8ef5af7c

SHA1
1166c5231303fc2bed90631d17705871d171bf28

SHA256
68e6b5381f83321e46803e4d7f2e37509c437fbdc12a673ba306699b1d446868

SHA512
5ca9c84a137a2468845039b52786cbf12886cfdadc55e2e652a187be6fedce83f5b279e86b1ecefe8e4d9254b1dbf2497dd9df6718970144eef2c1e6ef108849

Download Submit
C:\Windows\SysWOW64\Ifjodl32.exe

Filesize
96KB

MD5
093ceace5cf73d94249290d4a68939af

SHA1
19296273706f23615441b3d021ce98b59ed24db7

SHA256
9c0efaf82c909c50c0ec3393112e084d9f8944772e82d64045138daada5ba83f

SHA512
0b7ed59dc96f2ed43556fed0a56520e60e2b780ab87039c3cd30547d5b4a9d879df82253f74fefd21ecefe4f3a70847d460c5ce59e9c5020527f959815f89fe1

Download Submit
C:\Windows\SysWOW64\Iifokh32.exe

Filesize
96KB

MD5
d5ad2ab573f0547b3df40459b0402a97

SHA1
646bc0a04fefbdf51ee24cf2fe271c3311f6b9da

SHA256
374cf18bef9c69f915459f4b286b806626141e80f250203cb084c386e5f1a5e9

SHA512
7c09d170fbe4f604a6123990e6cc54424bb6d0a142a50d754d7c86de4bcb1a67868ef1a66b9a9ef452024537e512c8d8ab60c1adbabc2c13590d6514db084989

Download Submit
C:\Windows\SysWOW64\Imdgqfbd.exe

Filesize
96KB

MD5
2a81cba7b88d22e41d445e1971c59c90

SHA1
05a960424547537adce7f30ad628d479a6503b83

SHA256
16cc875da0b73d3fda37f7f657ee51484f076b8934f343a2944ba20479838efa

SHA512
1fe2746e54ac38a9c7a228262a9d34b74c4dd5fcaf448ab9e2f74a3b1e89742efe452a7b24e4fa451a578aaefe1798738a79f048846246ea55feae072e8f5df3

Download Submit
C:\Windows\SysWOW64\Imfdff32.exe

Filesize
96KB

MD5
2b2743da06ab6971b374bc3a31fd27d3

SHA1
ca64d3b49020467753d52c3d98db294d5da5f776

SHA256
c983308456f756a6831812718ae87e0de032df167a090906f2638b966fd167ab

SHA512
e89791304042a04f252056dfdf6cabaec320dcb7f151dd9e4aa1044549b5973d0ce07565dcbf98e21fd48af88910f2af9a080cd6a42e5f6ffc31c2601a94380c

Download Submit
C:\Windows\SysWOW64\Ipdqba32.exe

Filesize
96KB

MD5
435c1a5796b89d99d42b4667d8be64b8

SHA1
bde684ca8378e23e0f4a52bcc4e5c09d64d0a35d

SHA256
2d6b912646a74adeee2851fd08e1f3f66f33172ef933335b2fdfb1db27e69f32

SHA512
023b503e6b9e3fb0330394fed827374c9d3bc056b5e4248c0b789ce9a01aa7990cd40c437961ea3737d2f4e5e887c2ac960512510e3a80c435eb09cb0e0b279f

Download Submit
C:\Windows\SysWOW64\Ippggbck.exe

Filesize
96KB

MD5
871fabb0d32d39c16c153e2077d1f6bd

SHA1
1988a7eab3cffa9f9909ce65b44648d26d597788

SHA256
f1d626959a9f6e717731190ecd68d6e04f31d48d3e754565aa30e145d9b10917

SHA512
22f9cc3ccae8df6e274b46e79e338651b2f265132489c5802c599c67811047df5a34e1eb92fb580db43378f1a904fc4d2897bbeeffcd25bd21ccdaa99e6c9bf1

Download Submit
C:\Windows\SysWOW64\Jbjcolha.exe

Filesize
96KB

MD5
f81f4f1210b9f25867f684f3f873e472

SHA1
660dedf5307133ab3201023a389378cfd66222d6

SHA256
ffcab02fa15a69df38414bcc0798a3c7d4812cb6b4794f6bdac7593b93e7d85a

SHA512
3263bb598bb6cb7997f410ec0ba95709d9fbacb782ce786b19920e84816010886535b741a0fbb10154b1ab7de59409b84e92414a4317f8e5740133621e842564

Download Submit
C:\Windows\SysWOW64\Jcbihpel.exe

Filesize
96KB

MD5
a4d209d67285ce63f982d4c66199db9c

SHA1
9a10146dd9e3b70826b1d598b9b8c855b303aacd

SHA256
d8ebfce24da084b777c69a6962d0508cb5566bf54900eae3539dd7aae71ba645

SHA512
0c5bcfc50e22756d51b3fc84f03890039e6971a6e3dadf9fb8898bea00b12c45683aa6e788c17d8c598154105419d0dc3f986207a506047d165d44af2d650b4a

Download Submit
C:\Windows\SysWOW64\Jcefno32.exe

Filesize
96KB

MD5
a368f79c900e94eddbdc611e9b813c59

SHA1
b22d4287bc4734f90327957df34ae5de13ba0beb

SHA256
2157b2c3dabd1f6512a38f7467daa68b58e86a362cc9573a8e9816614faee710

SHA512
438670045209885fc0ef0991504c025e9b0565d3df6269842d696befd99b5e222b984ecfe53734bcf6d17fec5bf0c8199d01a51c4ded632c9281cad089d88562

Download Submit
C:\Windows\SysWOW64\Jcioiood.exe

Filesize
96KB

MD5
682c713e35a6c3200c8d5de111760619

SHA1
54ab7ead8261845c8d0a19b218a338833f78a63a

SHA256
cf820d97ad9f095e07af7c981718d19624fc04cf36cd4938f707a4f045b6e134

SHA512
2121ad8715e6aacb2b082870b35689aae71a4fb83720fd3478101da066e324e90f277557463084243fbd927de17c851ebc084f2185f2a9ae70776bc7c544ebcf

Download Submit
C:\Windows\SysWOW64\Jeaikh32.exe

Filesize
96KB

MD5
4027e83ae537d67090227133f6108f50

SHA1
e461fa9122652586b16177e52efead24ff0cf57f

SHA256
4d3982ab9d9c5460992d63714ebd57cd8eaf23772642b5f588c19f0eb9b0aba6

SHA512
79a4e0c8512e20fdc37f885f0660a286bf5471d5dfa2ae858328bab4e306ee6a125a49a364af417cf0a3ec9791419c50cb32faa6c47fcf605be8b1db66bcbe94

Download Submit
C:\Windows\SysWOW64\Jeklag32.exe

Filesize
96KB

MD5
541a5a1c52ef8f9190707ce4d6fe3a72

SHA1
14daf317be1149aa1b5fd9e3e6619dbd80c242a7

SHA256
fc8a06f404260707110297b2473c0d2843f64ed3bac5a81d3d1db1fe84324280

SHA512
2315047212befb3577152e8fcdfcb81a54e6c778040ca07a3204c11abdffbf2762c50fea6410f5c90a203a1387064f0e26a9948eb8f826b21efa435af195a626

Download Submit
C:\Windows\SysWOW64\Jfaedkdp.exe

Filesize
96KB

MD5
dc66966e2209eda52e4b3d9ab8b6623d

SHA1
7b4ddebc22fc68ca67351fbcf0ebb555e817c560

SHA256
2d447f0f8c3d7e2efd1c8f93e38c550234452def2d81c920c08d370070e55517

SHA512
cc3c7ed5727461814949815733e18bd2695d38612213676e4fc9dfa6e8eb3739ff3e3cdd6479ae3d06a3cbe6475940079103150c13fbd3db6f0c12b57e8d291d

Download Submit
C:\Windows\SysWOW64\Jianff32.exe

Filesize
96KB

MD5
dcddf8c467ee06b6c9a6ee7e63557c06

SHA1
53302f591fed67316a1e306ac7f2490656ae89a5

SHA256
4b3748f77792703bd71389760c57cd78c1f9e53ffa6b0b6d0a95418342f6cc24

SHA512
a6713eda899ef9272d7057db3f7dcdf353202e294f941836ae29e2e47aff1ca5185287bce21fb0922c87a4f75ae7ab6026fa71b86e4f41ba3e2561ab35cc16c8

Download Submit
C:\Windows\SysWOW64\Jidklf32.exe

Filesize
96KB

MD5
dfb32e8b6963b9fb8b53dd4a8a957b2e

SHA1
1859900dbd2f9cad8b547a9b2b4a539c4cfd0d16

SHA256
100941671f4cdf4bf2fd6f9d8ed796e8210f2717f956a5104a391bcf054884a9

SHA512
4d07b186e83ffb792d30f294e8bd00a36dd3bd2ceb08708b0ee054a65c13644879d05aba30987c8b5e91dc201e53e3c5e86ab7a68f8bcc48db82f7c699e85f50

Download Submit
C:\Windows\SysWOW64\Jioaqfcc.exe

Filesize
96KB

MD5
737ba23999cef849c490c3cb0eb7a87c

SHA1
5d89037e1c10fae99515b87755a228f00e31d799

SHA256
040a7e8d1c913133930916372dae7c0ec3a29309dc34e0cf59bb04365db0c2a2

SHA512
067e823f2c4d6fc251b851665c2c9590ee3d10e4b65ca80a882d4d4f36cf532efe764744a51a2a4d9c098e5a9b72baea1a8166277e742bf4b641aa36d9ed39fb

Download Submit
C:\Windows\SysWOW64\Jlednamo.exe

Filesize
96KB

MD5
a1ab339a9a9cce4335961e12d3a8f13c

SHA1
0509b5cad5ac565e6bff1dace12599b7e858260d

SHA256
a0dd3689e9bda54aa1d0dcd72ec2870a9c8e3ddc2bb96def08391682e45bdf04

SHA512
27320a4fa8235e0b4ab34bd1ecfb86e3876f65030c8f16422b690390b7c30886abc77e8d93d298144eeab34b00a8624dc1057642f1140bfa8ae4cf010e569cbd

Download Submit
C:\Windows\SysWOW64\Jlpkba32.exe

Filesize
96KB

MD5
75c12e25e2219c8800eb70b195a7d42c

SHA1
edc60336e88703fc4a0411aeb7cf2cb350a4eb40

SHA256
7b7a16bd3b0d94831b1531fea515510004d0585d122d0450beb455a686909626

SHA512
3a51ffec85204581d69f2f42320fa3886a4aac113901a4848b621b9941c68d8488986ba105f96d1f1639e8d7b38b2bdac0cc5bc7505257d36e17f27784cdd2de

Download Submit
C:\Windows\SysWOW64\Jmhale32.exe

Filesize
96KB

MD5
1cf2fc18533c5fe0b3d3b7f079bbb534

SHA1
6a18fe424ca5c99586903b606a724fc097b83183

SHA256
0ff567bb63436f2868c809d2cab07bb4e0b6465ad5079dd51ae6c121e5d075bd

SHA512
20e9e65be91cc54ec537a72e13e50fa0cd6da03c6971231637a173050af14b0be6ef4ed4216cd723a554596ffc62f419266547901b454bda27566ba869693f06

Download Submit
C:\Windows\SysWOW64\Jpppnp32.exe

Filesize
96KB

MD5
10dd410a95d4613ff74a3db44c7547d0

SHA1
9dbb07701c666b071936a8bed2d2a871a14b1aea

SHA256
30c26c58dcd8d1ec9ef27b590539afd08f4fd7a67e6f3fa294b8cafedba85c4d

SHA512
72792ef5d0466b4af6cd0dcda85e686e3663ac01a5d0ed0042db52b794e39c67d33383ad7b0b596732c076c48a33058f6e03cb7ac6ff3adb3c538124167cd677

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
96KB

MD5
ad11c8bf04c135068c7a3b3a5d0bddb3

SHA1
5811966e103f8454f4264aa053db63a072d1a9bf

SHA256
c5613066c7100c1026bf7a73e5852b531ee3927dfe426cd2835fae0aec2a88f1

SHA512
0473d6fdd2487ad43d36b3af2b112a872d84687b48e6048361d32da2732378c8505c45e6b0639205f9bda64f2384d27597d68d068f8fd6f6d33993cee2a46957

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
96KB

MD5
1baa103ee4c1a2241818256728876e38

SHA1
adcc15169c91f43ced8c4a77e0007257858b1dd1

SHA256
bc0c4a6ac12b3f8c9f5f9550d36a5510d183b8ce5885fd09e6840eef6f9e6f8c

SHA512
58f28fb90aa6eef5ce4df12c21a9a6325e3370e07d8c4882c4edf9582ac2091581bf5396bbadabde71ef983ea1f8851e69aca59e27a5b38a15983ec5fdcec579

Download Submit
C:\Windows\SysWOW64\Kdqejn32.exe

Filesize
96KB

MD5
e48c36966d61b69271a3ef3f03833d8c

SHA1
00eadfe667045fe11801ab762fbc3f84c8547894

SHA256
0034f4a534e35f8460e0707eb28c802a219cf69cad591aa0f35d3334952c8350

SHA512
98c69d12665331a9622c576e69464f44115dcfff914a2da395e1a5f37a4414688c192927c8c9c518ca91f27762564ab5d436219812bb7dc91b6f4aeb7a4ff24b

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
96KB

MD5
5e16eeef79dde8083ccfdc14542fbab1

SHA1
d39e55772b3d55db4105db2251025a5a1c22f7b3

SHA256
83139c74583051a16cbb4ef6fcda9453124882baa1e582cb93dade9274511ae2

SHA512
406769bf6a55b0da4e57b9a46f9a8f35139f448f5d94e79b00686434cf808d6648e7d552740d35cf3a58a904eac55f4e4cd038584fbc56d53ef5525e94204858

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
96KB

MD5
92252f6c3d8eaac8b29296604c390665

SHA1
ead60e61126900daee8e19bf7a046bfba266010b

SHA256
be8087171d4ed2b57edd1d90abb1c906fe486e6060276fb87bc23096840fde08

SHA512
4ab7b4f72c2ec34f7910201b4c9436e6afb162452d59aae16422397b0612bd1b770d94ed2ed7bd7aa5b4ea2f5f822dd1013d1c84fa956d8c2b96b71ffe32a6d5

Download Submit
C:\Windows\SysWOW64\Kmdqgd32.exe

Filesize
96KB

MD5
db1eb2c766cbd3e87b2fae69ef3f32bb

SHA1
ae33b6bb93881a59c66029e2a11b9dc239e542bb

SHA256
07e8f67a323715ab829dc4ca0bb661e11692354cbdec99e919b69b4f21466c55

SHA512
97dd9bb03c7ac7092c4b03b489728cabaab878614aa83a8fa00ed693aab894faf1d5bdfd93789388c1c8fb9a21cad120b0d0a7315752b9a0af00844dd00b1f95

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
96KB

MD5
584e480449a6dafadedfaf7b2205a598

SHA1
478efb85437bfdb1b01d0c20183b6f2b434532d1

SHA256
4aa69fd6da542218e2b7ea244592a9c5044a3847772e4b2bc646dd4cb967c86d

SHA512
718614a5f7de1402ebffd13608461bda35713e737c64f5e193a480cb4bd98cd66878a86d1d716a2c68e9fc4995f3388b6b95f338da779b0ff24f0e924ea1c71f

Download Submit
C:\Windows\SysWOW64\Laapnj32.dll

Filesize
7KB

MD5
35354bb8e59b04e317c8f4d44e5e7d0f

SHA1
48e8c9ff57a86a9296abc6338f19f2e426e61f99

SHA256
05d885836835a7ce455ed0568eed1934457354883d3f4e9eba8e00819d819ecb

SHA512
09f0f356fafa1e74a8e8e90e965f4d4ddcc7ec7db2aab10d7cefbfdc33fd32b41d05842391206150346914a7af5406a812b5f2ee9f962cad574cda07b397673a

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
96KB

MD5
0c32e2e55190950739565f55f0d83c95

SHA1
b0a57dfb80f699ac3fc36d874d65c4c519db9609

SHA256
16b6f4e6e45d80f6805291fec5930a9b65c44f0c901b2f8604ac876327f40a4a

SHA512
5b0f8156fe23fbeaf8042e7c9f315189dc8fc06919173d5cad22c9a4e6d3b99eac87ea682f95b30bcc0cae694a8e3faadb93b7d096a75709e0bb871f1f48ee4c

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
96KB

MD5
f554ce841ecae1155600828070ae8aea

SHA1
72975de17a1fffdd7ad76993a3a804dd0b43c786

SHA256
87a437bcae8c27111ff76fe146732deb6dc32ac018145cb9f1e5e25c37deb5e3

SHA512
e6f1b8598d9f60c786a7236a990b26809a91ef82c87d9a50be74d2ab81284f25a3ceb27026104bd964096fde4197a0cd45b1baac71b5004f045437a51195ad8d

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
96KB

MD5
cba3933090aec629aca3b9bf9d4d2315

SHA1
845329dcb33a0f7716cfd3cc18fe50f336be2f3d

SHA256
d8af2e8799dd8087bbb326d20ca33efd204a8638e00fe5caa39669c27d066f78

SHA512
45814e362358915897b4558f56e15bfabc8e277ec83052ec68010207e40847b8a5af8a5ebaf4b6c9f91ec656c0f20b5c9bda5e7ac17a808c3894d6e5354caf7d

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
96KB

MD5
823bbad58b9e549e367209e726b557bd

SHA1
cfd8c626f31359b74588ff3d2393cdff9ef161d7

SHA256
45eda0de826927c62e1e52d4964c332ee9e00867ca81b8b464848f510fb787a3

SHA512
ca8af660cd7cce2c80051b3ef5981ecd3101e878a4747ae1e2f0cee2a7528de6155fe36a418a810a9ad526b287a4ca80814328cd5915e8c759762f3a1afcc5e4

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
96KB

MD5
fa501934af65a81a1796ee50d76f29ac

SHA1
b0a276e5eae094584a0f5e42f3f897e41a1cbbc3

SHA256
451d3ca7deecbad2d1b28958ced60f5e83a6d5e2ef660cf59dcbf26b7d4b9a06

SHA512
b3b8d8ee4a5553ff140cc0d33bd5cfcd063bb3523a60f28331e70ae27437c1f660da9d9bda8ead699a35537f6582c16e1f2c6bf600201c3a86e01db8977401fa

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
96KB

MD5
dfe3e5906369f3c13b7c8ee7a02fef5c

SHA1
747e9d35304d0e3c0facc6d8f841e1c4a47e8c7f

SHA256
2fddb81891f2a2973ce28db391a56de1ed54f2d9609accdd625c4822c3c2ef1b

SHA512
7c81681f94fb5097c41fad159bc89295555ab60683921d0b3184f1e474a7575bc4875a68f1fb794e8c1d74e8955a443a0c802dbe21bff462bb41c617afb3ce15

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
96KB

MD5
4836404b3e801640e0f6ff6843fe10ce

SHA1
9fd261bb183d8b7bd443a0d39755d901dd03d0fa

SHA256
3321eb9ae4bbea03873ded06a616af54858a8fcc1964c4a9735c21d72e53c3e8

SHA512
01c8286d46f877c0f4a0c3917ffa8b4bcf973f0ffe0b762da2e7274c1ce241a6d6034f60138df5a2db34a4559ce0db2b4d0bc3f164cfa10876dabe41c7a760d5

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
96KB

MD5
ef2a5854e0997036ca448fc99b3c4508

SHA1
ede925f809a9da4a86d18b8a9be6136c25fabf38

SHA256
33369b43cec9e928b09fdf091c9aac07d7a5fc5b06292540e40eb3e5cd18c7f8

SHA512
d245c452bc25cffb16ebecb524f21ba62341a6fe0140394fa27c5fb2dd86f511d71d5d85ec0450a0b2decbbacba420623368c954e07e39dccdcc9f2063e648e5

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
96KB

MD5
05141ef01f74f430b78b1f9ddeb6e8c3

SHA1
fe3c1021f5583ce36bbc38647527cbaaf89fa163

SHA256
aac6f7ff4c5c50ae2f5f97255694f58c333b94579c87e5932560f6d348a86d40

SHA512
bbdbc3dce2d50185109f5da23305b3a8d00eaf0c73c2a3d84ea4a85921192c4649ae70b344adcd5344afe7970e0d3a6fe12051c6c9630211a6da9ca5b334e956

Download Submit
memory/388-490-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/412-532-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/548-247-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/664-545-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/856-382-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/868-466-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1080-572-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1080-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1156-304-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1348-278-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1380-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1424-119-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1488-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1524-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1592-526-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1596-255-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1604-316-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1612-559-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1616-334-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1620-520-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1644-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1644-565-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1664-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1708-508-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1728-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1912-430-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1960-220-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2012-223-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2132-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2236-579-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2236-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2320-460-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2396-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2492-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2528-442-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2536-302-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2560-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2560-558-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2632-127-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2692-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2772-538-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2796-314-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2856-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2928-368-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3040-552-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3088-231-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3208-208-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3332-167-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3360-593-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3360-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3456-103-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3568-478-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3624-370-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3640-159-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3680-192-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3696-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3708-290-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3744-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3848-183-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3864-586-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3864-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3908-484-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3936-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3940-394-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4036-352-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4040-472-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4072-239-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4180-544-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4180-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4292-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4352-502-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4404-566-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4420-412-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4440-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4524-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4528-496-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4536-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4560-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4612-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4616-296-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4768-551-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4768-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4772-200-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4796-448-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4804-514-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4828-454-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4872-175-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4896-328-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4972-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5044-358-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5060-436-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5080-111-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5132-573-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5184-580-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5228-587-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5272-594-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads