86f4e488cf4a2ae34fa06555348d32d63d857da275ca4c146985c26d4a9b7474

Analysis

max time kernel
103s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 00:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ab2fb4a515e5dc511775c0d129e9b660N.exe
Size

233KB
MD5

ab2fb4a515e5dc511775c0d129e9b660
SHA1

998a5ada56ac4616b0e3caf3e80160599f119ec9
SHA256

86f4e488cf4a2ae34fa06555348d32d63d857da275ca4c146985c26d4a9b7474
SHA512

0bd95a569a51d83a155daab52fe6c7aeed2b9d714fc8145290b79374d971c08bbf6576adcb284d91df61e522eb51c57332294dd0489285b043f25220e1b66121
SSDEEP

6144:LUzU9dU1dqbxHDnj6OTfRKB3A4U2dga1mcyw7I6BjtCYYs2:vNxjj6U5WHR1mK7fVtXP2

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hiefcj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifefimom.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpbmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klljnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	ab2fb4a515e5dc511775c0d129e9b660N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmdqgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeaikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmdina32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Himldi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himldi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgmha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfnphn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdgljmcd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jeaikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jidklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpnchp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Immapg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icplcpgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjjhbl32.exe

Executes dropped EXE 64 IoCs

pid	Process
1616	Hiefcj32.exe
3800	Hopnqdan.exe
1924	Hckjacjg.exe
3720	Hfifmnij.exe
3112	Hcmgfbhd.exe
4820	Hijooifk.exe
4692	Hfnphn32.exe
4780	Himldi32.exe
3208	Hcbpab32.exe
4528	Hioiji32.exe
3240	Hcdmga32.exe
380	Iiaephpc.exe
1708	Immapg32.exe
4360	Ifefimom.exe
2164	Ikbnacmd.exe
5116	Iblfnn32.exe
572	Imakkfdg.exe
760	Ippggbck.exe
3928	Icplcpgo.exe
2916	Jeaikh32.exe
4248	Jpgmha32.exe
3276	Jioaqfcc.exe
3556	Jmknaell.exe
4320	Jefbfgig.exe
1888	Jplfcpin.exe
4552	Jbjcolha.exe
4596	Jidklf32.exe
1972	Jpnchp32.exe
4444	Jfhlejnh.exe
2920	Jifhaenk.exe
1460	Jcllonma.exe
2864	Kemhff32.exe
3620	Kmdqgd32.exe
4864	Kpbmco32.exe
2664	Kbaipkbi.exe
1948	Kikame32.exe
2104	Kmfmmcbo.exe
2592	Kpeiioac.exe
2484	Kdqejn32.exe
4624	Kebbafoj.exe
1452	Klljnp32.exe
1928	Kdcbom32.exe
420	Kedoge32.exe
924	Kmkfhc32.exe
3980	Kpjcdn32.exe
4640	Kbhoqj32.exe
4772	Kefkme32.exe
4836	Kmncnb32.exe
3892	Kdgljmcd.exe
4576	Lbjlfi32.exe
4480	Liddbc32.exe
2460	Lpnlpnih.exe
1680	Ligqhc32.exe
4344	Lpqiemge.exe
2912	Ldleel32.exe
2908	Lenamdem.exe
5084	Lmdina32.exe
3292	Llgjjnlj.exe
3204	Lgmngglp.exe
1476	Likjcbkc.exe
2988	Lpebpm32.exe
4568	Ldanqkki.exe
5000	Lebkhc32.exe
1872	Lmiciaaj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Phkjck32.dll	Lmiciaaj.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Pgefeajb.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Kebbafoj.exe	Kdqejn32.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	Odmgcgbi.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Lebkhc32.exe	Ldanqkki.exe
File created	C:\Windows\SysWOW64\Melnob32.exe	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Lpebpm32.exe	Likjcbkc.exe
File created	C:\Windows\SysWOW64\Aomaga32.dll	Likjcbkc.exe
File created	C:\Windows\SysWOW64\Mchqfb32.dll	Mlcifmbl.exe
File opened for modification	C:\Windows\SysWOW64\Nphhmj32.exe	Nnjlpo32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Jeaikh32.exe	Icplcpgo.exe
File opened for modification	C:\Windows\SysWOW64\Jpnchp32.exe	Jidklf32.exe
File opened for modification	C:\Windows\SysWOW64\Klljnp32.exe	Kebbafoj.exe
File created	C:\Windows\SysWOW64\Ldleel32.exe	Lpqiemge.exe
File created	C:\Windows\SysWOW64\Llgjjnlj.exe	Lmdina32.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Hcdmga32.exe	Hioiji32.exe
File opened for modification	C:\Windows\SysWOW64\Kmdqgd32.exe	Kemhff32.exe
File created	C:\Windows\SysWOW64\Kikame32.exe	Kbaipkbi.exe
File created	C:\Windows\SysWOW64\Kdqejn32.exe	Kpeiioac.exe
File opened for modification	C:\Windows\SysWOW64\Kedoge32.exe	Kdcbom32.exe
File created	C:\Windows\SysWOW64\Aihbcp32.dll	Mmnldp32.exe
File created	C:\Windows\SysWOW64\Nnjlpo32.exe	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Hfnphn32.exe	Hijooifk.exe
File created	C:\Windows\SysWOW64\Jpnchp32.exe	Jidklf32.exe
File created	C:\Windows\SysWOW64\Bdkfmkdc.dll	Kdgljmcd.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Hcbpab32.exe	Himldi32.exe
File opened for modification	C:\Windows\SysWOW64\Ikbnacmd.exe	Ifefimom.exe
File created	C:\Windows\SysWOW64\Nlplhfon.dll	Kpeiioac.exe
File opened for modification	C:\Windows\SysWOW64\Mgagbf32.exe	Lphoelqn.exe
File created	C:\Windows\SysWOW64\Nniadn32.dll	Lphoelqn.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Icplcpgo.exe	Ippggbck.exe
File opened for modification	C:\Windows\SysWOW64\Kpeiioac.exe	Kmfmmcbo.exe
File created	C:\Windows\SysWOW64\Mcmabg32.exe	Mlcifmbl.exe
File opened for modification	C:\Windows\SysWOW64\Ngmgne32.exe	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Kjqkei32.dll	Ikbnacmd.exe
File created	C:\Windows\SysWOW64\Lpqiemge.exe	Ligqhc32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Eghpcp32.dll	Mcmabg32.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Kikame32.exe	Kbaipkbi.exe
File opened for modification	C:\Windows\SysWOW64\Kmncnb32.exe	Kefkme32.exe
File opened for modification	C:\Windows\SysWOW64\Hcbpab32.exe	Himldi32.exe
File opened for modification	C:\Windows\SysWOW64\Ligqhc32.exe	Lpnlpnih.exe
File created	C:\Windows\SysWOW64\Meiaib32.exe	Mdhdajea.exe
File created	C:\Windows\SysWOW64\Olhlhjpd.exe	Ogkcpbam.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7572	7428	WerFault.exe	310

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhoqj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jplfcpin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klljnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkfhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcifmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpbmco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifefimom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefkme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpebpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hioiji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likjcbkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hckjacjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jidklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebkhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hijooifk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfhlejnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liddbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjpfk32.dll"	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlplhfon.dll"	Kpeiioac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjeieojj.dll"	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfifmnij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jioaqfcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbfmkjoa.dll"	ab2fb4a515e5dc511775c0d129e9b660N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hcmgfbhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdkkfn32.dll"	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neimdg32.dll"	Mdehlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jeaikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aceghl32.dll"	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbeedbdm.dll"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olcjhi32.dll"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ifefimom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbjcolha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bagplp32.dll"	Jpnchp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdqejn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hioiji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naoncahj.dll"	Hfnphn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mchqfb32.dll"	Mlcifmbl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 1616	1300	ab2fb4a515e5dc511775c0d129e9b660N.exe	84
PID 1300 wrote to memory of 1616	1300	ab2fb4a515e5dc511775c0d129e9b660N.exe	84
PID 1300 wrote to memory of 1616	1300	ab2fb4a515e5dc511775c0d129e9b660N.exe	84
PID 1616 wrote to memory of 3800	1616	Hiefcj32.exe	85
PID 1616 wrote to memory of 3800	1616	Hiefcj32.exe	85
PID 1616 wrote to memory of 3800	1616	Hiefcj32.exe	85
PID 3800 wrote to memory of 1924	3800	Hopnqdan.exe	86
PID 3800 wrote to memory of 1924	3800	Hopnqdan.exe	86
PID 3800 wrote to memory of 1924	3800	Hopnqdan.exe	86
PID 1924 wrote to memory of 3720	1924	Hckjacjg.exe	87
PID 1924 wrote to memory of 3720	1924	Hckjacjg.exe	87
PID 1924 wrote to memory of 3720	1924	Hckjacjg.exe	87
PID 3720 wrote to memory of 3112	3720	Hfifmnij.exe	88
PID 3720 wrote to memory of 3112	3720	Hfifmnij.exe	88
PID 3720 wrote to memory of 3112	3720	Hfifmnij.exe	88
PID 3112 wrote to memory of 4820	3112	Hcmgfbhd.exe	90
PID 3112 wrote to memory of 4820	3112	Hcmgfbhd.exe	90
PID 3112 wrote to memory of 4820	3112	Hcmgfbhd.exe	90
PID 4820 wrote to memory of 4692	4820	Hijooifk.exe	91
PID 4820 wrote to memory of 4692	4820	Hijooifk.exe	91
PID 4820 wrote to memory of 4692	4820	Hijooifk.exe	91
PID 4692 wrote to memory of 4780	4692	Hfnphn32.exe	92
PID 4692 wrote to memory of 4780	4692	Hfnphn32.exe	92
PID 4692 wrote to memory of 4780	4692	Hfnphn32.exe	92
PID 4780 wrote to memory of 3208	4780	Himldi32.exe	93
PID 4780 wrote to memory of 3208	4780	Himldi32.exe	93
PID 4780 wrote to memory of 3208	4780	Himldi32.exe	93
PID 3208 wrote to memory of 4528	3208	Hcbpab32.exe	94
PID 3208 wrote to memory of 4528	3208	Hcbpab32.exe	94
PID 3208 wrote to memory of 4528	3208	Hcbpab32.exe	94
PID 4528 wrote to memory of 3240	4528	Hioiji32.exe	96
PID 4528 wrote to memory of 3240	4528	Hioiji32.exe	96
PID 4528 wrote to memory of 3240	4528	Hioiji32.exe	96
PID 3240 wrote to memory of 380	3240	Hcdmga32.exe	97
PID 3240 wrote to memory of 380	3240	Hcdmga32.exe	97
PID 3240 wrote to memory of 380	3240	Hcdmga32.exe	97
PID 380 wrote to memory of 1708	380	Iiaephpc.exe	98
PID 380 wrote to memory of 1708	380	Iiaephpc.exe	98
PID 380 wrote to memory of 1708	380	Iiaephpc.exe	98
PID 1708 wrote to memory of 4360	1708	Immapg32.exe	99
PID 1708 wrote to memory of 4360	1708	Immapg32.exe	99
PID 1708 wrote to memory of 4360	1708	Immapg32.exe	99
PID 4360 wrote to memory of 2164	4360	Ifefimom.exe	100
PID 4360 wrote to memory of 2164	4360	Ifefimom.exe	100
PID 4360 wrote to memory of 2164	4360	Ifefimom.exe	100
PID 2164 wrote to memory of 5116	2164	Ikbnacmd.exe	101
PID 2164 wrote to memory of 5116	2164	Ikbnacmd.exe	101
PID 2164 wrote to memory of 5116	2164	Ikbnacmd.exe	101
PID 5116 wrote to memory of 572	5116	Iblfnn32.exe	102
PID 5116 wrote to memory of 572	5116	Iblfnn32.exe	102
PID 5116 wrote to memory of 572	5116	Iblfnn32.exe	102
PID 572 wrote to memory of 760	572	Imakkfdg.exe	104
PID 572 wrote to memory of 760	572	Imakkfdg.exe	104
PID 572 wrote to memory of 760	572	Imakkfdg.exe	104
PID 760 wrote to memory of 3928	760	Ippggbck.exe	105
PID 760 wrote to memory of 3928	760	Ippggbck.exe	105
PID 760 wrote to memory of 3928	760	Ippggbck.exe	105
PID 3928 wrote to memory of 2916	3928	Icplcpgo.exe	106
PID 3928 wrote to memory of 2916	3928	Icplcpgo.exe	106
PID 3928 wrote to memory of 2916	3928	Icplcpgo.exe	106
PID 2916 wrote to memory of 4248	2916	Jeaikh32.exe	107
PID 2916 wrote to memory of 4248	2916	Jeaikh32.exe	107
PID 2916 wrote to memory of 4248	2916	Jeaikh32.exe	107
PID 4248 wrote to memory of 3276	4248	Jpgmha32.exe	108

C:\Users\Admin\AppData\Local\Temp\ab2fb4a515e5dc511775c0d129e9b660N.exe
"C:\Users\Admin\AppData\Local\Temp\ab2fb4a515e5dc511775c0d129e9b660N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\SysWOW64\Hiefcj32.exe
  C:\Windows\system32\Hiefcj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\SysWOW64\Hopnqdan.exe
    C:\Windows\system32\Hopnqdan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3800
  - - C:\Windows\SysWOW64\Hckjacjg.exe
      C:\Windows\system32\Hckjacjg.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1924
    - - C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3720
      - C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Hcdmga32.exe
        
        C:\Windows\system32\Hcdmga32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3276
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        24⤵
        Executes dropped EXE
        
        PID:3556
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        25⤵
        Executes dropped EXE
        
        PID:4320
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4444
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        31⤵
        Executes dropped EXE
        
        PID:2920
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        32⤵
        Executes dropped EXE
        
        PID:1460
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3620
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2664
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        37⤵
        Executes dropped EXE
        
        PID:1948
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4624
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1928
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:420
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        49⤵
        Executes dropped EXE
        
        PID:4836
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        51⤵
        Executes dropped EXE
        
        PID:4576
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1680
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4344
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        56⤵
        Executes dropped EXE
        
        PID:2912
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        57⤵
        Executes dropped EXE
        
        PID:2908
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5084
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        59⤵
        Executes dropped EXE
        
        PID:3292
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        66⤵
        Drops file in System32 directory
        
        PID:1976
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        67⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:100
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:536
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        70⤵
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        71⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        72⤵
        Drops file in System32 directory
        
        PID:1564
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        74⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        77⤵
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        78⤵
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        79⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        81⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5140
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        83⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        84⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        85⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        86⤵
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        88⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        89⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        90⤵
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5652
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        92⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5764
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        95⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        97⤵
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5992
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        99⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        102⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:5276
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        104⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5492
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        107⤵
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        108⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:5796
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        110⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5956
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        112⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6092
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        115⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        116⤵
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        118⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5876
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5980
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        121⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5252
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        123⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5712
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        125⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5364
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5748
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        129⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        130⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:5976
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:5612
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:6160
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:6204
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        137⤵
        Modifies registry class
        
        PID:6244
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        138⤵
        Modifies registry class
        
        PID:6288
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        139⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6332
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        140⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6380
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6424
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6468
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        143⤵
        Modifies registry class
        
        PID:6512
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        144⤵
        Modifies registry class
        
        PID:6556
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        145⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        146⤵
        Drops file in System32 directory
        
        PID:6644
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        147⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        148⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6732
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6776
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        150⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:6864
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        152⤵
        Drops file in System32 directory
        
        PID:6908
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        153⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        154⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        155⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7084
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        157⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        158⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6216
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        160⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        161⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        162⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        163⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6452
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        164⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6584
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        165⤵
        Drops file in System32 directory
        
        PID:6652
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:6720
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6788
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        168⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        169⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        170⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        171⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        172⤵
        Drops file in System32 directory
        
        PID:7136
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:6188
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        174⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        175⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        176⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:6640
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        178⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6728
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6848
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        180⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:7096
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6228
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6500
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        184⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6832
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7052
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        187⤵
        Drops file in System32 directory
        
        PID:6328
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6636
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6896
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5776
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        191⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        192⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:6196
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7176
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        195⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7224
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        196⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        197⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        198⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:7416
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        200⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7508
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7552
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7584
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:7632
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        205⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        206⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7724
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        207⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        208⤵
        Modifies registry class
        
        PID:7820
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        209⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        210⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7908
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        211⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7952
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        212⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        213⤵
        Modifies registry class
        
        PID:8040
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        214⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:8084
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        215⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8128
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        216⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        217⤵
        System Location Discovery: System Language Discovery
        
        PID:7188
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        218⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        219⤵
        System Location Discovery: System Language Discovery
        
        PID:7360
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        220⤵
        System Location Discovery: System Language Discovery
        
        PID:7428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7428 -s 212
        221⤵
        Program crash
        
        PID:7572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 7428 -ip 7428
1⤵
PID:7540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aepefb32.exe

Filesize
233KB

MD5
50e510567bfd74a27276fe5fc6dfd886

SHA1
6e8183cff1ea53c7586ec43518a0b707ef092302

SHA256
e65ba3f3f587f1d012e31b79f9b30ccf0adb21a3757eb4cecc496cb712a4d533

SHA512
8e3bb6006323e6cc24048517c2625a85a4bd8889cfb49cfe03fbc7961d974674c8e3226402f89a5179314629a1958cd4e1a1e6548ea16f9cf74efca9848fc2c8

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
233KB

MD5
881e7f380e2adedd81ab91e17814ae9d

SHA1
465a7b35979c2b33f1fbf8fde30076d93ff31041

SHA256
4607af0687eecea9a8fca4f7605f2c2671919fc6106ec7b3e91edcbe38487615

SHA512
b11dd9efc1edfd0d769ac93ddaa725a2801c0bc340a32a78adfd9f701347e86c5f0f58df46adcec765f58d6016ee4ad77aa516efd93277d2ff93b33ec12eb8e3

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
233KB

MD5
5c37471d79b506da4e4c8b23f68cfd3f

SHA1
19735ef673750e27fec6f2d51f1e65455850d757

SHA256
d8bd15533898012b26e59a6801ece02ea45653db30528ddb06253858b1afb086

SHA512
a2300b24f6ae7520364c1b102b96fb1fdf0348f9549abd34f2751813b19a9daca5e43d39a6589f570fad05e2d2ace45a7547695196b6c2a76dc5618b62df3507

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
233KB

MD5
d4d5900770e64040a0f1653047712f30

SHA1
56c362fb594f16a2bdbf7f7ba97ca21e62c30bc2

SHA256
645e33ac4c193985f285ac13cf2c7d9a871d4ad3283aa5dbd726206904ca87a1

SHA512
c1cf24da3c77669d3adf656bc7df0f60d82d032ac1f7fb67b18ef56ac4a9385127d18e814128a0c59ada65bbfe435112ac1d0a1e710c0908d38f39aaaf503f9a

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
233KB

MD5
edbad0b47794b5fd2146adff572efa78

SHA1
f7b0c8d9a1c4e180b04e0a5f3e6b2d4c05aeb5e2

SHA256
3ca60b67c547cd82cfcdcd67203deca4abf7e99a7394699d0bb31d97410152b4

SHA512
d051624391ac2d4e4528b32c4474e527a73251d834d98017b517e7751d13da116b095d4ac8d084127bf0a98dbebb72826d25c01a60e24ab434c0b9336af1bdfb

Download Submit
C:\Windows\SysWOW64\Ciglpe32.dll

Filesize
7KB

MD5
c1c3167da8ae25ea2a241c4f50dbf20b

SHA1
d50042d05d74a176912470454519a991c50de8b8

SHA256
93c70a9b558500303d35261f346fb3583a02f9316f0a86d7fbc32599d502330a

SHA512
7a1c05c842ffc682cfe37e865e0120c4e3c3b0b499bc3879b4a73958d0a1d944b693a50a948fa3ee4537e0654552194dff4f7a0d8c03bea0f952f5b538f3b4ca

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
128KB

MD5
7a5d0b4c457fb7bf419e5d2a95323b4c

SHA1
1e4c438e7dff62a0bfb296c5905fadfe4eff6dad

SHA256
ffcc2e5e77b1582880eebd5c801f7247648191a4cb93050f2fa3f9ff5aa1f471

SHA512
30d3bcec4b8e9ffe40ac73b183466e202209edbd399f30b36f7fb5b97760268f50d5afbfc0d1469f52b9c249ee12695ef7bac395e69edf0faa150d1c6a0f3005

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
233KB

MD5
5fc42ed773b73f051776ff790e979970

SHA1
ebaddee048a987f09854117d7bc890e3fdc8580d

SHA256
ec2e9608f0a87bae99c3ddc4a84387ac55491c97db56f2f2e203cfd70378c015

SHA512
08208ae6917a62def6642be7c63cf8c5b1cf576baef5c5360370a9d246fe038a47990d302180b63795a7887503da66ee205f9efa10c7b0e699e7bf61a690b094

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
233KB

MD5
dac259663d741bd303e2967b55f4e494

SHA1
d7e948d6ee1adaf001ac645730eda717c855f60e

SHA256
a87cd5b00c2ae8c725b0dc0829897c78c32357ee2589351084eb649a71d68eeb

SHA512
85933b15dda3538a5f911cbe8038bc791269aee7ed1fd33f4fb00a48acbe9b93f44a3356301c604b24d3b854d2d1fbd93d994274b0d9eeb50bb696bd8962d2d6

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
233KB

MD5
f7a49f181dad88bfc9528b3cf2ec6336

SHA1
08234b9f3e5f0c942ac2beb3934a4df6008ecbf8

SHA256
7430b7775144446c43d7bc9e3723a8f68de9ff59d9c2f6477bbff8f44090c663

SHA512
30f7d1aff498feeb20f18394eb558ad52ddbba5d301aa7204536ea97a36c0a54ef8ce0af58e839814d3ed18b64c0d7b4c36206a6bba0449a7c5e39852e864920

Download Submit
C:\Windows\SysWOW64\Hcbpab32.exe

Filesize
233KB

MD5
625385a7c7e4a931889d40f11260ff8d

SHA1
7cbd8040ab749f2e9cbe208f11fc2049407f6abb

SHA256
6a73cbbf749dc6018d7a64cc9eebb20e0c335293881d12165e85f00b651f4074

SHA512
6e2cf4d18399e8ca01de2596b56567ea67a5f4069bf0a733de1333c36d845bceaf8f6ef47d60c1d0d89a19515e1ffd9da96d3d86d9962341bb4d4f3fc1edc3ba

Download Submit
C:\Windows\SysWOW64\Hcdmga32.exe

Filesize
233KB

MD5
400622544ff62656c54f1f7c4e65020d

SHA1
40a9237d328f8226b2da60ca580697205448affd

SHA256
3df32882538bf73962afc8ad0af394421b20bac239468573c03eea3a3b6a70ca

SHA512
4f887763908c29b35fcbd61eee70c02954c212ce35bb58455defbb8f5d4ccfcfb09ccd741d045f8cdb728b24ed94e12421d54ba3314b36c87995138adb8ac267

Download Submit
C:\Windows\SysWOW64\Hckjacjg.exe

Filesize
233KB

MD5
6896b0e2ab2b4c3c9baa991db2215007

SHA1
96154845f19c3f257b20f3549b795fa1dda56d65

SHA256
cf612956e4e1242f140ab4b31946225ccec5f3670c198d30b16fc23b4a0fe580

SHA512
d01798e6ce88bce22b1cf57950c93aeee144d443972ef46ca721fc2c0eb5f61ae9c2b5b133548effe4c272585d65c7305bbaf02a95e098bd662af4b92ce993b9

Download Submit
C:\Windows\SysWOW64\Hcmgfbhd.exe

Filesize
233KB

MD5
ef318413ae65f3a2bc42fa3cd72d5b82

SHA1
530f976abe5f2998bac5e826b318e1c451250009

SHA256
c277d99aec312d43f2af7e201cd5dde7ff58fa7dead50fa7a09d1196a4622420

SHA512
f3ab011481e5a4c775a31ecafaf60148f7d3d71862fad662755fc7088b414b5920427ea8ffa35d268ef54fda1b7fc5f2e861e6caf017d4f2a190ea6e7fa3cc42

Download Submit
C:\Windows\SysWOW64\Hfifmnij.exe

Filesize
233KB

MD5
f47a71635927a994726b0ec6516dc250

SHA1
fa0c574d931be6c46596dd46c53b785c7332a872

SHA256
ddbd7a8861d33cb4e0f35cfb776711548061608b52fef6087722e74cacd4cf0e

SHA512
d4125804ea04df01d81cb265c7782764652cea135ff4cda260c1e1a8fef68430c8989684e125a74b97b9f5555678aabfd464ec833bb4c4ab39457feeed8830da

Download Submit
C:\Windows\SysWOW64\Hfnphn32.exe

Filesize
233KB

MD5
1ab8b65644d8b8c164f774cd13a1d81b

SHA1
34628e4b4737176ef39ff6ba633555d9d32832f1

SHA256
bf46a27fe8055ae1cb78392d3606921b9eaf5aec939c8b9d0486ddeb5cb71570

SHA512
ab2aa0490f00221d2cd6a986dc1f53fada807b0fc688a0b26d7d269ff1b2c7ede4bd103f0b4eed2c36247f79b47050f6aafaf6e0551c89a89120f9868478a49e

Download Submit
C:\Windows\SysWOW64\Hiefcj32.exe

Filesize
233KB

MD5
f6026966b45f1b599948d0e7ef99fd3f

SHA1
c1d6dd4bcb2b52d8bedff69e86c53b8396b210a8

SHA256
8ca8ff801d11bf8b1bb7738231504fb5622f814f4a08ebbb91e609cd685b42b6

SHA512
4c70a087b88586dc4b51a82b64768d6c490afe58fb828a16e6c86f9aad6e0e44fb975fd2b88317833a55fb52d1ba41a4ae14a85419a761a5cb56c5b8217d0bcb

Download Submit
C:\Windows\SysWOW64\Hijooifk.exe

Filesize
233KB

MD5
a505d94db04fa0e9f92734d28d055203

SHA1
3d93b968a2de4dcd4786cf0f3405d59a096f733e

SHA256
1f095d2d17cf0108bfb468e5f1ce22c415ffaea89a229a80592d4fd6a3f2f855

SHA512
e439c54590eb83392ed7ab6c8051fa31556b8df0191f39400a72e7baa8455f0fe86b022b2c846c968ec9c23672db5b3362a9ab7028b5664721d800ebcbea1d13

Download Submit
C:\Windows\SysWOW64\Himldi32.exe

Filesize
233KB

MD5
51d728609eaf520de2351e7cc04c676b

SHA1
158bf71a64d4d9e02fafd5290d46a102a3374a19

SHA256
9bdf3a0a68e0a242a38724f6aa21a1c2da5ca62cfe444ca9b3b38048f308d455

SHA512
981d4fe56bcdf4cc5bf1fb1dd0faf9c6184ec1c899a00620c3021474275f08a84203a98ad3fbcc3bd672e6c44577be5b8a9402d11ee51d62dbc78945b0358280

Download Submit
C:\Windows\SysWOW64\Hioiji32.exe

Filesize
233KB

MD5
6362195733d1caca23f4fc6aed1552b8

SHA1
3ce7add59f961535d105cdac28cde0fabfa85045

SHA256
13ef9199808c8077951d80121709cd631043bf7eca177eded8d29e31ef4edd1b

SHA512
62b63e0a9c33ac826b2748a8ae23c227d1eb0b94d9939386f6e68ca85713425706bc8c85756463bb296b876ba9b695006ef1e015950294606bb4509a4479e994

Download Submit
C:\Windows\SysWOW64\Hopnqdan.exe

Filesize
233KB

MD5
8512e6e28dc232199d5ef4fbdc33c053

SHA1
2bdf610430cd4edc02661ad0710c69f1480fcc40

SHA256
3821ea17efb7d3ebae474d4acaea71b409bd9688c9017abfb36fd4dadd122120

SHA512
4dab11c0243d8cb01dd969117c2c7db5d25b04a94c8fbb8718ea7bc185da52245eb9eb1b4963ce09965ce7643cd0fd4af829fecf0dddb4eb4dcd814e7a992306

Download Submit
C:\Windows\SysWOW64\Iblfnn32.exe

Filesize
233KB

MD5
6ada6cc8ab076c1e528dad55642dff32

SHA1
c780c02b21be6bdc15bd7c2915d063d01d3bf6e6

SHA256
3ec81eb368e8efbf87b3400c5ed560e5f36369091713b8b2ccd725a89c117b20

SHA512
7aa9e309a0deebdaf9698aafb90086f45e112178bfef4993b52585208bae2d2dad93ea2500b231336dae0234825c35cca8e78a97e4902056b799e73afbb5e8d1

Download Submit
C:\Windows\SysWOW64\Icplcpgo.exe

Filesize
233KB

MD5
40b7c3f0bf1b277f253ebd3d8abacb2f

SHA1
438381208612a8a60a056a204f20ee80d57b4c4c

SHA256
f9465631bbaec75563188a6e0c4b9ac9c65b79e23c765f50e602d610bfc7f396

SHA512
bdbd52d634ecc5dd8314fcc497e15b0db521975d8ab59e8853ffd13670e3ba5d94cb333a84b5879c5be406315fbc286889694896fe26105d7e390fa1a48b2486

Download Submit
C:\Windows\SysWOW64\Ifefimom.exe

Filesize
233KB

MD5
58ca57c2c891810de1aa84fbbcd35e3a

SHA1
0ab9be729a765595d00b72b383703434bee58a2d

SHA256
f71a9f989349edc4082b8804c7398646fa0eea32fb0fcefdb7ed916992b45b3e

SHA512
58a44af00ff6bf6bf9f4f170d7adf5765ee4294434b9c2815a6a28523019c103eeddd1c46ee14b010ac0b618fadaf078a00ca2081463f978dc0380a5a6874dca

Download Submit
C:\Windows\SysWOW64\Iiaephpc.exe

Filesize
233KB

MD5
f68fddac4c68e92f4628498aa2282458

SHA1
4b68f0067950a8bb206d5f5517f7a5323d014808

SHA256
848f3d2c81f43e477850c20de5878e26c28da8c7729d1606319e8b1a7aa1b0db

SHA512
eba95d59e2dbc7970f90901b9ce188d34a2f9dc84f2a1cf4e854cf385a8206a1d897e38392145ddd7f026827b11de531344cd1239c8e88d100d96347d4d35d8d

Download Submit
C:\Windows\SysWOW64\Ikbnacmd.exe

Filesize
233KB

MD5
24f9106acfd42b8dca3edead137d3124

SHA1
95e81b7ecb4b306b046f9d17975e4175bc98aea3

SHA256
290cf85ed2df9aebb60933085d03d8ccff6f4e12f8deae7261221f446ecfc87c

SHA512
cbb7f1599cf57bce8ad5979f65a7086dc01c61ad394b6e8489f58f2fce76dd50bfb4899347e0ab2c75c99b1c9620bcb609b0034ffbe2bc137efb3359ba5ea0ba

Download Submit
C:\Windows\SysWOW64\Imakkfdg.exe

Filesize
233KB

MD5
d0f7501feb89b15ba7a4dbe4f9591b38

SHA1
8a86b4d70868789633555a55e65281c8b7c57ab1

SHA256
e2ea9dcdc9dc18a4ba0a09e224c1e202bfe3b75712e67a07f4973f9acf8a3b3d

SHA512
41e97f659ed625a5356c8debdb1a1f5d3b2c7054d5d9dd1057cc28083e945c181a20cb0b7993147a062774ac1c3ae85c085fa766a2eca05cdf5e74d9f6050021

Download Submit
C:\Windows\SysWOW64\Immapg32.exe

Filesize
233KB

MD5
5e5e55c9dc126f50c5f9a7190a5d52c8

SHA1
85cc70682ef06a621d67e7ac8acbcec8c26e00d3

SHA256
3ac3e860291078df6d89576b2be282e33d610ef4fb5ff8b560b09a456c35ffec

SHA512
1ff675b394a334466748f4bb7c72d0363173ba5a2591f90ae9bbb5f856fbe74235401f9fc15aafc36089dd081a71bf84f60363a0a0bd233131924b6acd69fdb5

Download Submit
C:\Windows\SysWOW64\Ippggbck.exe

Filesize
233KB

MD5
88638884995b0b16907be23a3f59d5de

SHA1
4c9c9f6f5ee69cbb39ffff0547a949f06bc8cdf0

SHA256
8c18f88a130b32bcadddb93bc9d0acca692e6343aff408a99599ae6e0c21657c

SHA512
b8f3a8cf8e58edca4c4c6a5d099d388ad482403cb21686dcccd921d047e48743fba92410c5dc0285a058c703df017992ed27e431d5b255fd7a3751aeb514506f

Download Submit
C:\Windows\SysWOW64\Jbjcolha.exe

Filesize
233KB

MD5
fe9c097c8e3b0bfcb0f60e2ccd927cb1

SHA1
14092b034d012368b340abea617f41f6e006b649

SHA256
e7f54ecfec90b702b38f582dcab54bae0aa0e33d853fb660a55168cb1711eb89

SHA512
7490e2f5e3703608a4c1201817775d083a8e369e7be9c30046e27f7fdf61671e790eb28a7a9ad477372c3cce4f6b42fda50833085f27cece3a1d4d529eadb370

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
233KB

MD5
8f12ac99eb59dcd382aac5e977e569ad

SHA1
957fc2d802266d7fadbff50fbcb72d94dbbd9073

SHA256
4fd99e2b1c679e1fba30ed3eff8f0504bcdf1bcdb64017355b9a46ecc11cddeb

SHA512
55224e5a71738f22815e4504195e4ab539361833cd63a8dc6199c71439f0f96fb5e2a37787a3a17a18db69b74a0ec2cd94d919d6e5bf52025db16bb3c05bc2d0

Download Submit
C:\Windows\SysWOW64\Jeaikh32.exe

Filesize
233KB

MD5
56fc67506fefaa792d1d8bca515e51d2

SHA1
b85eb909553c438054c190672546d6d402a2f978

SHA256
2d199107e9951ee3b8190bbfa525268c3aa73e0fd84aa289c9df696a213e900b

SHA512
caab5faba987683b76e25b4941016cb01dcf33533e88c5a4a719f6c45455781627caed098258839e4dd1a4d244dd85e8005802e5d07e82cb118e7b666f8b3453

Download Submit
C:\Windows\SysWOW64\Jefbfgig.exe

Filesize
233KB

MD5
82c3af24dd28cf018015457194bbec38

SHA1
e25c74c041fcec7265f0167de9c44c44fdeacb10

SHA256
390d7c15e1617eafef211429ebef38062c81e1ca12ce44da2b2a3ed89b835319

SHA512
8ac64f7bd7adf8603dd8028e0639cc9a24cd4fa008fdd49b1ff646fb688371c7d35db629bc17c38af38ceef895de83eb7cde9e3a23fc571c2f0699220c14ee63

Download Submit
C:\Windows\SysWOW64\Jfhlejnh.exe

Filesize
233KB

MD5
2a5aa429543eb50d37beffc5bccfd56a

SHA1
cb5dcc00312144fc1b3238ed497499b38cf0df28

SHA256
fdd38c8e5e796b1b16214f19266a61fb8ef6e7c9bff52befe1fa04ba96ef5d30

SHA512
b3531ea4832c26693cdd43cd7c4e222d72be4e46fd5d92ef1aede899ad91bac673c8b2553d98f9e112aae2f2676dfe779724a507a7c5ef44f60c059e4bfa8a64

Download Submit
C:\Windows\SysWOW64\Jidklf32.exe

Filesize
233KB

MD5
d369cfceff76082e9f30b5b1aa846d47

SHA1
e691b71f2be077a2aff99c3f0f02e0f043c42531

SHA256
7d9950f8ef97a7d868b9e21d1848438c4708e01b645c69b9052d5c77ecde7a75

SHA512
8d53a2b1338ef5e1f3f95f72e7b416d9fd9f9f33df35ee349782b3a2c3feae36117f7b678c76d0c59baf867e6db1a9d4cda4eae4ba4e1912e88580fdc140c2f4

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
233KB

MD5
97837499c4742fc22d7e579d25dccf6d

SHA1
209e31e122dad57c6093d553a7389e7823d2f11c

SHA256
b7591afc9aa2daa3342c87a2c0c05c8d8301dd206116df2013aa4a1db7718dd8

SHA512
251b6d734defe2cf56ed8e33bb77f0ddb65bafc8c82f1bac2f8df6e8b30bb9825bc829294c4f9f5c7131f05b4420a3a0bd90cffb9d6fcc7cfa5ff00235a77665

Download Submit
C:\Windows\SysWOW64\Jioaqfcc.exe

Filesize
233KB

MD5
4774282e04edea57c5c9e9c4da9d0353

SHA1
b73412a7ef68f9b5991355f9c81bc3a10b0b7080

SHA256
6999e708218db5ed71b3e45c930bddc5282fa6f66738cf2e1089f981ca23daa5

SHA512
c35ba4e6372b3efa52d36ad2632bfed3eeb8790c2647986e3be5da1e32b16f7d3b31132e4f4d646129e5e89dc56fd17ca32d910af0d9b91627257be9e33186d2

Download Submit
C:\Windows\SysWOW64\Jmknaell.exe

Filesize
233KB

MD5
a184009ce181505b64b2c513a12c0e60

SHA1
4cc204092dc91bf08a72f80ecde92cde9365a922

SHA256
49c85208e74f273044302cfd4e019106bd73ea583fd87fec013ceadd05771da4

SHA512
5bdded1fd6233c726a3d19e3e0401c3d68fb94e9a0d697a435e814335fe6ce21d68634871f5d41707fc42a4c486c043b250c2ed6cb3cc24a181a64bdf1028280

Download Submit
C:\Windows\SysWOW64\Jpgmha32.exe

Filesize
233KB

MD5
bd7315b64bf3d977fc46e211531bd45b

SHA1
ef834b69194f10ff41e8075c9b87a0607d8718b2

SHA256
2f9125bb337d9dec8a377a373a8f96b19cc74ce3a90f016be055b17e94c024eb

SHA512
e5261a70e83740c6f71a9067e4be938360b88fe665bdd47af7cd81fc1f4cff0f1af9e66e735dcd39b7ed6fe24367e77ac28393d22d6c1bff2f9d68a85ebda0cc

Download Submit
C:\Windows\SysWOW64\Jplfcpin.exe

Filesize
233KB

MD5
71c470f44c95953f2d0d450c303fd88c

SHA1
e210aded3ec53fdd66727a37ca998019648583ba

SHA256
22021939505ecfc17503d05fe5652ef55d755f58df33bd5b88515a42ce20b470

SHA512
ca0e4c1f9f9984b80b7df3c27bc56aeeb38813439e3d0028101a564be46376f7ec5fb6fa567a1c0f2d66ec84dbeaa8cffbffe0179b423e641cbe40b342c57d2a

Download Submit
C:\Windows\SysWOW64\Jpnchp32.exe

Filesize
233KB

MD5
6ed5d566ce957d9996de8afe66a6a2d9

SHA1
2e2221250d63dc026a3064b66e33e1c0b90249f5

SHA256
a1046a153375d453e40a8fd6e240c4462c5d703f4922f2c931c688113852ab60

SHA512
be6168d69adce07369e90e282f7f1490a84e72759f6178bbf7229cd122de57f452f5839617cf7d92eae9c0a3aa2a26056d879bc561c862dcaeeefd219852f219

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
233KB

MD5
c5933c772f2ae1ac4d1c21be0852cae6

SHA1
60abd31e3c8a2a4e019bf430e7499f088c96dcca

SHA256
b22c60849b341175aaa558458ddcb50d4be6d5e0aba457c835ad1d0a5760a493

SHA512
73d3b6e2e565ec016d9f9647619f01cd3a6f5e3be0078afa29051dbe268e0a8d35fa296ff89cf271396ad0abeb215bbe4b955c5de191ef8f35089e4993933e86

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
233KB

MD5
c4ce783b872c6bd4f038f52b1d3fe547

SHA1
425777d7c92ad3a6a14ddb04db3149e04f0a65b3

SHA256
c3aa9fee9039a05a944c86ab62816e5168d7cd5dbd4105f5b2980d2cba7606c2

SHA512
a2ec3129804b30a36b00a6d674cc2dd0673d1b10c09c46a700c752bbdd91b2e6a8101d3789f157307325f73cab0f2621f6f3d53e7e795787be6dbad51e2c12f1

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
233KB

MD5
f7d66e8225b36f4f2f89099829c27a62

SHA1
3bf1aaf098edefe84692e4e7150fbc77f1742222

SHA256
0d98ed6c7f0bbdc43c220604207b0722788e8c8c8c6eb0164c3ac068b34d48d5

SHA512
2c616fab72881300ee6ee99930733513635059a3cf5515692b9c2f8e1172bc3973e87d1f08e52c42f6871ba0818ddff29b1eef136a027657c68a3f65b4dee68a

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
233KB

MD5
ba044584ae61cd77a07c61ffdcda2176

SHA1
8ad5cf3fb67ac2ad5319204e803d002c2303e68c

SHA256
f4d9325e79c2ec9bb95db36a3a7c10f6dca6146425d735714b70e941d89a3bc0

SHA512
fbf901cad50d93ecb81648a58eed593cfb202e861530b89d22f4dc5ce3bcce4d938fd7e1a4e1315702b810c13e7c4fddc43328b78a97c3fe9bc30414b71a6d21

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
233KB

MD5
e234ca7adb6f834c70b6a29a7c7af040

SHA1
9cb39f8e8fe0e276f9eb062887f784adee1cac1d

SHA256
15afae112583e2e4223781eff5ce9540f20cc2143a7f58378221769c16a48876

SHA512
2018792e42fd496d673c8e5ec24b11e8e47d792c678a4b28901d73d660608ae2b6e79e38d43c4302cf11e1e889f624625dafe9b21b4d5f0272a3c2a1b3a2c5f4

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
233KB

MD5
ec887556040597412ce13323a47d64d5

SHA1
804165bd2971d89589ee10f2b38a804960c88bf4

SHA256
61b4abbd6bb1800754f65b652a5e7849e4a28dccc669d48cb694552c93bb498b

SHA512
db3c790d092465b90fda2a05f10e6977b6f40b26cacb663be305ab6500bbd563583befe9e63daa15431b3513711de919185ee69e9e71bf49313277cf59e5d4db

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
233KB

MD5
803b4124a62ad7de7ab5fa73b563222b

SHA1
3fdebd63c44dca69b754f90081c75693f71100ca

SHA256
d6c2850102c61c5cec1a0d9739ed94e6b8f650e21f8b3702f1b6e1db2a8a5cf6

SHA512
ca89b01e8e7e5225acd769178d85653bc0c22448e2ca9f0b08f45c2e7e47a75b79ab04f862f95bdaa9c6b41ba769c6dfd349ec06b08d6216db2decfdf7234b4f

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
233KB

MD5
f1def938563c4800cdd885e0f0ef9528

SHA1
6bb718f68172dbeaaac830c571b2d634b78e8f82

SHA256
0f7b956a55cdc687fbef96343f82c4c4e4048de4d3501cf97ff6bbe5ab4d75c8

SHA512
379bedd8a0bc06b12fb9600302af056a451d6f30ef68bbfe0273ebf9597f26cb6711419dce18c38ccd50043368b58b34c12b260aa10b3bbe43ceccc95e470e37

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
64KB

MD5
6dff2bc6d6d8c225bd67ef0cfa464d54

SHA1
791cd54666bbb507d20e86096bdb102fc8e94489

SHA256
b9c964c19c72e84132d86a7ea07e079ca80103d44cd49d23c0126dc5017f9f99

SHA512
6ee98d53f9cd3fbf1161aa81999af098ed490e1302070b9b1c5f3cb4923169eaadff28c61f1b0482f5fca95e7fb94dfd96b6e0638ddd87394e141a7e6fd2f4be

Download Submit
memory/100-466-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/380-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/420-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/536-472-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/572-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/760-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/808-520-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/924-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1300-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1300-544-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1308-502-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1452-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1460-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1476-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1564-490-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1616-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1616-551-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1680-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1708-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1868-532-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1872-448-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1888-199-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1924-28-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1928-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1948-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1972-223-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1976-454-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2012-496-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2024-508-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2100-545-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2104-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2112-526-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2164-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2460-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2484-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2592-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2664-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2864-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2908-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2912-399-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2916-165-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2920-239-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2928-484-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2988-430-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3112-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3112-578-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3204-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3208-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3240-87-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3276-182-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3292-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3556-184-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3620-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3720-571-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3720-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3800-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3800-558-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3892-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3928-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3980-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4244-514-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4248-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4320-191-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4344-388-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4360-111-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4444-231-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4480-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4528-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4552-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4568-436-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4576-364-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4596-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4624-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4640-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4692-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4692-592-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4700-538-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4772-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4780-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4780-599-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4820-47-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4820-585-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4836-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4864-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4896-478-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4904-460-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5000-442-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5084-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5116-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5140-552-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5180-559-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5236-565-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5288-572-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5348-579-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5400-586-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5460-593-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads