550eb9fa56479e04c1d9df890d95639ff2bd43037380ed717bbad7a0c6f92fe3

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 22:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d0bcf8c505235e7aaaf44fe90f47f750N.exe
Size

208KB
MD5

d0bcf8c505235e7aaaf44fe90f47f750
SHA1

2085f8f64bac475be7adb752ce44ed80319fe0b3
SHA256

550eb9fa56479e04c1d9df890d95639ff2bd43037380ed717bbad7a0c6f92fe3
SHA512

ba453820a30d2774c273677a030490867fe01a73c00a904caa0dfa52d4fefdf643de4c1106d09ca10d84fe76e73110be85fb5ad726283b3cdeb938ff8ccb3a11
SSDEEP

3072:btZwy2D6HnC9mVHxNlYp24tEd+6+oXO56hKpi9poF5aY6+oocpGHHQnNJuIb:bksC98vxB+Eu6QnFw5+0pU8b

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiidgeki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hflcbngh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlednamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmjdjgjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfcbjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiefcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jblpek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jblpek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iehfdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibcmom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hoiafcic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcimkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lingibiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hckjacjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe

Executes dropped EXE 64 IoCs

pid	Process
1288	Gcimkc32.exe
3048	Hiefcj32.exe
1100	Hckjacjg.exe
4424	Helfik32.exe
1620	Hkfoeega.exe
2188	Hflcbngh.exe
3328	Hijooifk.exe
4196	Hcpclbfa.exe
1468	Hfnphn32.exe
4568	Himldi32.exe
2960	Hbeqmoji.exe
4104	Hmjdjgjo.exe
4864	Hoiafcic.exe
4660	Hfcicmqp.exe
2420	Iiaephpc.exe
3368	Ikpaldog.exe
3524	Iehfdi32.exe
1796	Ikbnacmd.exe
1840	Iblfnn32.exe
4464	Ifgbnlmj.exe
2680	Ippggbck.exe
2128	Ifjodl32.exe
2492	Imdgqfbd.exe
1208	Ipbdmaah.exe
1792	Ifllil32.exe
2724	Ipdqba32.exe
4696	Ibcmom32.exe
3432	Jimekgff.exe
4552	Jfaedkdp.exe
3852	Jlnnmb32.exe
3808	Jfcbjk32.exe
4896	Jcgbco32.exe
3424	Jehokgge.exe
724	Jmpgldhg.exe
4904	Jpnchp32.exe
3304	Jblpek32.exe
3252	Jfhlejnh.exe
4400	Jlednamo.exe
1136	Jcllonma.exe
2992	Kboljk32.exe
2408	Kiidgeki.exe
540	Klgqcqkl.exe
1408	Kdnidn32.exe
3176	Kfmepi32.exe
3908	Kmfmmcbo.exe
3348	Kpeiioac.exe
4888	Kfoafi32.exe
3632	Kimnbd32.exe
1560	Kpgfooop.exe
3164	Kfankifm.exe
812	Kdeoemeg.exe
3764	Kefkme32.exe
1628	Kplpjn32.exe
5080	Liddbc32.exe
4912	Llcpoo32.exe
868	Lfhdlh32.exe
4180	Ligqhc32.exe
852	Ldleel32.exe
1640	Llgjjnlj.exe
2736	Lbabgh32.exe
908	Likjcbkc.exe
4796	Ldanqkki.exe
212	Lingibiq.exe
4100	Lphoelqn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jfhlejnh.exe	Jblpek32.exe
File created	C:\Windows\SysWOW64\Odocigqg.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Mgimcebb.exe	Mlcifmbl.exe
File opened for modification	C:\Windows\SysWOW64\Ngmgne32.exe	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Hiclgb32.dll	Ojllan32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Himldi32.exe	Hfnphn32.exe
File opened for modification	C:\Windows\SysWOW64\Kplpjn32.exe	Kefkme32.exe
File created	C:\Windows\SysWOW64\Cojlbcgp.dll	Llcpoo32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Hbeqmoji.exe	Himldi32.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Jfaklh32.dll	Kiidgeki.exe
File created	C:\Windows\SysWOW64\Flfelggh.dll	Mplhql32.exe
File created	C:\Windows\SysWOW64\Gaiann32.dll	Mgfqmfde.exe
File opened for modification	C:\Windows\SysWOW64\Olfobjbg.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Dfdjmlhn.dll	Ognpebpj.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Ocdfloja.dll	Kboljk32.exe
File created	C:\Windows\SysWOW64\Kfoafi32.exe	Kpeiioac.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Njohbh32.dll	Ikpaldog.exe
File created	C:\Windows\SysWOW64\Kjqkei32.dll	Ikbnacmd.exe
File opened for modification	C:\Windows\SysWOW64\Mdehlk32.exe	Mmlpoqpg.exe
File opened for modification	C:\Windows\SysWOW64\Mlcifmbl.exe	Mmpijp32.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Iehfdi32.exe	Ikpaldog.exe
File opened for modification	C:\Windows\SysWOW64\Kfoafi32.exe	Kpeiioac.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Ngpccdlj.exe
File opened for modification	C:\Windows\SysWOW64\Ndfqbhia.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Ladjgikj.dll	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Pmdfog32.dll	Kfoafi32.exe
File created	C:\Windows\SysWOW64\Pkfcej32.dll	Ldanqkki.exe
File opened for modification	C:\Windows\SysWOW64\Mgfqmfde.exe	Mplhql32.exe
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	Ogkcpbam.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Ipnjafgo.dll	Hiefcj32.exe
File opened for modification	C:\Windows\SysWOW64\Imdgqfbd.exe	Ifjodl32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Gcimkc32.exe	d0bcf8c505235e7aaaf44fe90f47f750N.exe
File opened for modification	C:\Windows\SysWOW64\Hckjacjg.exe	Hiefcj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6560	6188	WerFault.exe	285

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hiefcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfhlejnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kboljk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcpclbfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcgbco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmjdjgjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkfoeega.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Himldi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hijooifk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeoemeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfankifm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiidgeki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplpjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Helfik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ligqhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibcmom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefkme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imdgqfbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipdqba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfoafi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcpclbfa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbeqmoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfhlejnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfaedkdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jlnnmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbeqmoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnkhmbin.dll"	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hiefcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jblpek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoohalad.dll"	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hcpclbfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kiidgeki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmlihfed.dll"	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hkfoeega.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npmagine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imdgqfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jehokgge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfcbjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eheqhpfp.dll"	Iiaephpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemfincl.dll"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdfog32.dll"	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfhlejnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mplhql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 1288	208	d0bcf8c505235e7aaaf44fe90f47f750N.exe	83
PID 208 wrote to memory of 1288	208	d0bcf8c505235e7aaaf44fe90f47f750N.exe	83
PID 208 wrote to memory of 1288	208	d0bcf8c505235e7aaaf44fe90f47f750N.exe	83
PID 1288 wrote to memory of 3048	1288	Gcimkc32.exe	84
PID 1288 wrote to memory of 3048	1288	Gcimkc32.exe	84
PID 1288 wrote to memory of 3048	1288	Gcimkc32.exe	84
PID 3048 wrote to memory of 1100	3048	Hiefcj32.exe	85
PID 3048 wrote to memory of 1100	3048	Hiefcj32.exe	85
PID 3048 wrote to memory of 1100	3048	Hiefcj32.exe	85
PID 1100 wrote to memory of 4424	1100	Hckjacjg.exe	86
PID 1100 wrote to memory of 4424	1100	Hckjacjg.exe	86
PID 1100 wrote to memory of 4424	1100	Hckjacjg.exe	86
PID 4424 wrote to memory of 1620	4424	Helfik32.exe	88
PID 4424 wrote to memory of 1620	4424	Helfik32.exe	88
PID 4424 wrote to memory of 1620	4424	Helfik32.exe	88
PID 1620 wrote to memory of 2188	1620	Hkfoeega.exe	89
PID 1620 wrote to memory of 2188	1620	Hkfoeega.exe	89
PID 1620 wrote to memory of 2188	1620	Hkfoeega.exe	89
PID 2188 wrote to memory of 3328	2188	Hflcbngh.exe	90
PID 2188 wrote to memory of 3328	2188	Hflcbngh.exe	90
PID 2188 wrote to memory of 3328	2188	Hflcbngh.exe	90
PID 3328 wrote to memory of 4196	3328	Hijooifk.exe	91
PID 3328 wrote to memory of 4196	3328	Hijooifk.exe	91
PID 3328 wrote to memory of 4196	3328	Hijooifk.exe	91
PID 4196 wrote to memory of 1468	4196	Hcpclbfa.exe	93
PID 4196 wrote to memory of 1468	4196	Hcpclbfa.exe	93
PID 4196 wrote to memory of 1468	4196	Hcpclbfa.exe	93
PID 1468 wrote to memory of 4568	1468	Hfnphn32.exe	94
PID 1468 wrote to memory of 4568	1468	Hfnphn32.exe	94
PID 1468 wrote to memory of 4568	1468	Hfnphn32.exe	94
PID 4568 wrote to memory of 2960	4568	Himldi32.exe	95
PID 4568 wrote to memory of 2960	4568	Himldi32.exe	95
PID 4568 wrote to memory of 2960	4568	Himldi32.exe	95
PID 2960 wrote to memory of 4104	2960	Hbeqmoji.exe	97
PID 2960 wrote to memory of 4104	2960	Hbeqmoji.exe	97
PID 2960 wrote to memory of 4104	2960	Hbeqmoji.exe	97
PID 4104 wrote to memory of 4864	4104	Hmjdjgjo.exe	98
PID 4104 wrote to memory of 4864	4104	Hmjdjgjo.exe	98
PID 4104 wrote to memory of 4864	4104	Hmjdjgjo.exe	98
PID 4864 wrote to memory of 4660	4864	Hoiafcic.exe	99
PID 4864 wrote to memory of 4660	4864	Hoiafcic.exe	99
PID 4864 wrote to memory of 4660	4864	Hoiafcic.exe	99
PID 4660 wrote to memory of 2420	4660	Hfcicmqp.exe	100
PID 4660 wrote to memory of 2420	4660	Hfcicmqp.exe	100
PID 4660 wrote to memory of 2420	4660	Hfcicmqp.exe	100
PID 2420 wrote to memory of 3368	2420	Iiaephpc.exe	101
PID 2420 wrote to memory of 3368	2420	Iiaephpc.exe	101
PID 2420 wrote to memory of 3368	2420	Iiaephpc.exe	101
PID 3368 wrote to memory of 3524	3368	Ikpaldog.exe	102
PID 3368 wrote to memory of 3524	3368	Ikpaldog.exe	102
PID 3368 wrote to memory of 3524	3368	Ikpaldog.exe	102
PID 3524 wrote to memory of 1796	3524	Iehfdi32.exe	103
PID 3524 wrote to memory of 1796	3524	Iehfdi32.exe	103
PID 3524 wrote to memory of 1796	3524	Iehfdi32.exe	103
PID 1796 wrote to memory of 1840	1796	Ikbnacmd.exe	104
PID 1796 wrote to memory of 1840	1796	Ikbnacmd.exe	104
PID 1796 wrote to memory of 1840	1796	Ikbnacmd.exe	104
PID 1840 wrote to memory of 4464	1840	Iblfnn32.exe	105
PID 1840 wrote to memory of 4464	1840	Iblfnn32.exe	105
PID 1840 wrote to memory of 4464	1840	Iblfnn32.exe	105
PID 4464 wrote to memory of 2680	4464	Ifgbnlmj.exe	106
PID 4464 wrote to memory of 2680	4464	Ifgbnlmj.exe	106
PID 4464 wrote to memory of 2680	4464	Ifgbnlmj.exe	106
PID 2680 wrote to memory of 2128	2680	Ippggbck.exe	107

C:\Users\Admin\AppData\Local\Temp\d0bcf8c505235e7aaaf44fe90f47f750N.exe
"C:\Users\Admin\AppData\Local\Temp\d0bcf8c505235e7aaaf44fe90f47f750N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:208
- C:\Windows\SysWOW64\Gcimkc32.exe
  C:\Windows\system32\Gcimkc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\SysWOW64\Hiefcj32.exe
    C:\Windows\system32\Hiefcj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\SysWOW64\Hckjacjg.exe
      C:\Windows\system32\Hckjacjg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1100
    - - C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4424
      - C:\Windows\SysWOW64\Hkfoeega.exe
        
        C:\Windows\system32\Hkfoeega.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Hflcbngh.exe
        
        C:\Windows\system32\Hflcbngh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2128
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        25⤵
        Executes dropped EXE
        
        PID:1208
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        26⤵
        Executes dropped EXE
        
        PID:1792
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        29⤵
        Executes dropped EXE
        
        PID:3432
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        35⤵
        Executes dropped EXE
        
        PID:724
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        36⤵
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4400
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        40⤵
        Executes dropped EXE
        
        PID:1136
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        45⤵
        Executes dropped EXE
        
        PID:3176
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        46⤵
        Executes dropped EXE
        
        PID:3908
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3348
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        49⤵
        Executes dropped EXE
        
        PID:3632
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        50⤵
        Executes dropped EXE
        
        PID:1560
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3764
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5080
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4912
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        57⤵
        Executes dropped EXE
        
        PID:868
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4180
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:852
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        60⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2736
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        62⤵
        Executes dropped EXE
        
        PID:908
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4796
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:212
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        65⤵
        Executes dropped EXE
        
        PID:4100
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        66⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        67⤵
        Drops file in System32 directory
        
        PID:4520
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        69⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        71⤵
        Drops file in System32 directory
        
        PID:1940
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        74⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4200
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        76⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1744
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        78⤵
        Drops file in System32 directory
        
        PID:3308
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1004
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        81⤵
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        83⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3212
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        87⤵
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4044
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        91⤵
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4872
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        95⤵
        Drops file in System32 directory
        
        PID:844
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3880
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        100⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5312
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5360
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        103⤵
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        104⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5528
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5596
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        107⤵
        Drops file in System32 directory
        
        PID:5640
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5688
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        110⤵
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        111⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        113⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6028
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        115⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        117⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        118⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        119⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        120⤵
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5580
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        123⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5724
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:5820
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        126⤵
        Drops file in System32 directory
        
        PID:5920
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:6036
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        128⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        129⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        130⤵
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:5552
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        134⤵
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:5952
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:6040
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5192
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5432
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        139⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        140⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        144⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        145⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5928
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        147⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        149⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        150⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6176
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        151⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        152⤵
        Modifies registry class
        
        PID:6264
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        153⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        154⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        155⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6388
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        156⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        157⤵
        Modifies registry class
        
        PID:6476
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        158⤵
        Drops file in System32 directory
        
        PID:6520
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:6568
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        160⤵
        Drops file in System32 directory
        
        PID:6612
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        161⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6692
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        163⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6744
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        164⤵
        Modifies registry class
        
        PID:6788
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        165⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        166⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6876
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        167⤵
        Modifies registry class
        
        PID:6920
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:6964
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7008
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:7052
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7100
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        172⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        173⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        175⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        176⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6372
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        177⤵
        Drops file in System32 directory
        
        PID:6452
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6516
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        179⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:6664
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        181⤵
        Modifies registry class
        
        PID:6732
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6796
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        183⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6860
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        184⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6932
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        185⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6992
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        186⤵
        Drops file in System32 directory
        
        PID:7064
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        187⤵
        Drops file in System32 directory
        
        PID:7160
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:6272
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        189⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        190⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6536
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6636
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        192⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:6864
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        194⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        196⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6188 -s 420
        197⤵
        Program crash
        
        PID:6560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6188 -ip 6188
1⤵
PID:6468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
208KB

MD5
b33a214cb78a33e7ca82d303659881d3

SHA1
8cfa874eb5a4fa0e16e1f9cca63bcfa8df366682

SHA256
32fa7ace941f0d19f3f75ffc9ccd84676eb0e354d5d8cf7057feead0fe92380a

SHA512
6b4833994c839ea804210a69fc58fe138556ca824864fd2063cbd9e7d850cb041a14b985c0b61177edd5567f09b68e96d7b13a5a0777ad24b47861adcab43079

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
208KB

MD5
4b23469b072e08f63fef17d544a0269e

SHA1
ec3935a415ee6e73fd6960ef8d05b992869a6f23

SHA256
9aeabaa6170cf68b40b0c368058c808395cce8c38e86a80e007185e3edee53b2

SHA512
6b044a516c911cb50f35009da3d105983104eccbb0aa64d839513fd25876066a92110f64823e4c6b4b2b79f792f556614d2ef81bc95e64e9b8f905306306e311

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
208KB

MD5
9c7315b96c1ff73ec9acbe820c1c3f10

SHA1
d00d08de8a4a5ad255844f1c896ffb5e31353cb9

SHA256
5083fed6d78609c4b1a03e355656426fb68063fbffb1cb18342f8e93f03cf074

SHA512
b458009e6a40d1ab66626ab205e35501d8bb7a307cc8febdd3680c262827133c81fb993f489c868a71040b43b60a66d81bf89cb029983cf24aa24d29a2b58019

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
208KB

MD5
0060959e0f008d15a7eadbd689ec070f

SHA1
4f5de02bce36e502969ed63d355d1561019c85fd

SHA256
4efb1e28fa2f9a8805dd769eb513cddf23b1cf844b595d3dc42358bc02294d1a

SHA512
e52df91d460b5b26f89272616424eaae38e94991a5687473a0536c45b204aebe35ef40e969a9aa4a6953b7e8c4eaf194256f71dbbfcbae658cd707657d762cf9

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
208KB

MD5
287f24e13a43157d4593a09654f40279

SHA1
4fe3f7123876f5b665772b3a6a8f25c8dc6d1136

SHA256
15f1eaf1bdde0e51cbe5d0fd67c0fdae5eaec409d71d077c84f1129dda73619d

SHA512
829c04aa035d70efca0b99789e3b7fc3909cedfb4cabf2499b709102fb58ac9e50977afddae35a6f28e58cf7ff400ceb8d8671df3f43bf7c09dc3f69e03afca7

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
208KB

MD5
50a0f0797d663f9225bf59599d56bd6c

SHA1
0bb76f9d1af6d74425eb4e69a796c5079cc6d550

SHA256
72cc7eaaeebbe78657dd45625a05b3339e314fd1b732102347602424f41c0ecb

SHA512
fd3aa87eb457b7e1f28e25ac8e3ef97b832ab65ca0bea56331cc71e2d94c67ab4a9a99c4eb75e7f52aaa771f4ae90149db15e7e73dbb2dc11dbce842a1fba57c

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
208KB

MD5
d4760a555c3b60a5b9c8d51d3cd876a4

SHA1
a004e458d44834c36733fbd76d0159376e78f7d3

SHA256
2ffbfb7804774948549753594b4f3a8153216734af816fa0346c95eccfaafe48

SHA512
3f7e0d0670960144c451e4dc30fa86d3515dc0ebfb92a07e6a05769eae69203721a4ad77bad4ceeeac89e02058f2798001213a52d8b0f6c49f478303c9cc6570

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
208KB

MD5
90fb799386b7b97a11bf3499fe9ae3b9

SHA1
2199b38cddd515b5f96efd3a5d92a7eea6680841

SHA256
0fc23cb38c802bf1ba0b82906e0b5b831c3588e4de91581f3bd7c776e35bf105

SHA512
92d98ef59e0f45424228eca81ebad1dd525bb672592e56b6f5beb4fb55874fc5171ede1eff97bb8ee7d8b26d7b6cd01edfcc5012241ed47315838f9f06d7958b

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
208KB

MD5
fef6e2bb9d71e56f53d8a115d9cf1ecf

SHA1
2d99ad86d63054092ff432dd6b377ab2c1affc21

SHA256
75bb6c6e7a67b2eab79e421520fc76ddf3484962fef696b7ac148411b565f915

SHA512
28979509bc399775ccc86a2ac315b9948c0d03f041a8181978027cc7b5ca762019bb13fe4ddefbb329c965ddec64c09bc3c92e820398835ccca82adda729eb4e

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
208KB

MD5
bb24820165b683366f1da51a6158e86e

SHA1
ecf450bbad8abc2a3ec035e1871dc8d03731f060

SHA256
49f6532c87f0897c670e2406716869190247d4f5884aca702d9f4714e6f94fc1

SHA512
6d70d63b7d4de30ee8030d10714cdaeca1ae402b19c405a51e46e62408fa3dca0fd2c7332886f9e21f5e1b6b96263688b7c73dc38af8c20f3a96358febbce66d

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
208KB

MD5
74bbbdb465604e90b3afab3e309bd3fe

SHA1
9e2f9f0d7518589409c8019021ba3aab0983ca9c

SHA256
17288252363f367a4befe8646c9d4ff2e514864d713946f0a5945be6888e6356

SHA512
d05498bc65fc4ffb3c84e4f86338c4e7f3f0043231ab01253a3d4881f16e2edeea16349ca5af9529e55731032194e8e64cfe85314e7480716910ac80b4b595a1

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
208KB

MD5
a98d9cc7f66e8f46ba46cfc4bb812805

SHA1
57fba9211f7ebe9e160538cd76ae713522e6753c

SHA256
41239e8f3da701c10571a7d91c14dfb3a2461451fd58a173a99586bd5b7de8ca

SHA512
fb924da05a0dc1cb74e9b5d65ad73568389bf9a3ba7a7b1837253f480878ea138d719a1fe9bb129910e3cd52f942bcc640f376e001cadbde685c03bb81f8eec8

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
208KB

MD5
267cc1bab36ca35011858432ea32b329

SHA1
8d093716bd77e7ec34feb5e4414f2378537e1220

SHA256
73874aa7ac5cd2838ba5c30ec8128bf6c98d61c38d16bdba725b0e49c3d2eb81

SHA512
7f7f7d4674e73ad68fb9df4ddd648d1556d48db7e76704be64078451f1ab4f2d8e2d66b0546a94a659ad93639ecaee8c652aca4c19091075fd222b9ca275ccf9

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
208KB

MD5
0354e3923772f3fe61969517b7b47c4d

SHA1
9eaf5225e88e27f6e28d99807c14f2bd79b88975

SHA256
dea8b090f4eb50488c6cfe438e9a4fbd8299ac1bb3ef279a041724da969a68dd

SHA512
6a36e03a67b6c2ed1216af0e6aeea52231ee7678c8b7e559f5ffe5aeb26e35803005b2c2c926f5d5c1b647165258512c65e5eed645ad036272393bf106c019e4

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
208KB

MD5
4f29195c61f1efa1037d2e02f2c0ab4b

SHA1
562e281899f86a73f18b4c35f03cc2e3ef7aef2a

SHA256
3396fa297a5793ee6a61baa2c56c209487c853f49200364c1236732184a55b95

SHA512
2166047cbc83ddeb869ba3487fa71c60fa2eff4bddcf0cb74d4559df01dcb0d07efc87148c89f32d78e7beac938899672c383291c34fe8fbd0b2429eb746fd75

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
208KB

MD5
939054e013c0b498f28be8bbbd858ea1

SHA1
d474df949f4fef9cf4e6d640ed57ad377f893689

SHA256
377bd28c8bee8c0656a464a9e61ca604d46b47c742c9a1809d6b097086b0dc23

SHA512
52b37006999955e6792cde1ddff97b70dd8c35e7a749fbde400414da5529d47c22a31bf8ef13e563e1a6797b3b0b63b625a836245bf12a5646264578f5ecbe42

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
208KB

MD5
aa3420ce290788dffc934fe924a34bbb

SHA1
4f0267a1f449dd65ed5f2e7427d5c3432db7acae

SHA256
6d13e38cc2ad625817e4fc42cad7acbfb5eaf8c4ac984c0e6bfc5acbd85f84b1

SHA512
74844d063f8b7b8966761d226a817eb05ae4925673cfbf49fa6e15ec84eddc6e42e9b920b97cf711903e7349937919fc92e422fd304c49a7be24a84754b65ecc

Download Submit
C:\Windows\SysWOW64\Gcimkc32.exe

Filesize
208KB

MD5
9a824fc52ee1e25366454e90e2846409

SHA1
7bf8fc5ff1630b784cb1bfae7e7d52fdff06fbbc

SHA256
cdd37a0df4f26953b50200748d45d9d4ec1cdeb1a5936de286d69b80771bcdab

SHA512
8c421bd6e8b5d6f6b308e359b0aafd6add39c8a4d672d0df7d5b0b87cf27ca9081c2c3ad676203ba72c3e5b973e914f405c6afeb6730edcd0517ab67ddf48d3b

Download Submit
C:\Windows\SysWOW64\Hbeqmoji.exe

Filesize
208KB

MD5
33797075c3bff64ea884d4b3dfcaefa4

SHA1
74defa8c257660aae967a01986ee304031ff041f

SHA256
1609c3af37c8f0461ff686bc3fa4df9b2aeca97bd204014a8b44dce9c71273ca

SHA512
c1e877313f0800994d90ce8f27b0a44820d9665adf6b19eb641d691820359ae40de2dbd20d8e171e8a69474da1ed1a0fd1983fdbe468ff2f47cfbfa3868caf99

Download Submit
C:\Windows\SysWOW64\Hckjacjg.exe

Filesize
208KB

MD5
f444fe533157a1e95ad62266a725f1c0

SHA1
3831f22517fe26b0ee3c348e3ef7ab24ec592383

SHA256
1090ec21d8f23e7c746d5541aeeb41be5916c594ecd89d3996e9c7f7dcc7d904

SHA512
89c60d1eb1abbba462082339d177f27b1970a90ecb833db0049423f71f3ec388690a9b6635aa05f835c504e168524df03aca16b473c26babd1edaff39a42c494

Download Submit
C:\Windows\SysWOW64\Hcpclbfa.exe

Filesize
208KB

MD5
679e082f49a57f3e0aba2ffa5aa5e2ad

SHA1
847c4d00ef584092b57e7c9edb01a615302c4874

SHA256
24c7de959004df792fb45c83aa1f6c3286828028bf3ca7e958d1ec4825b328e6

SHA512
6918bc1b6741bd4588dbf8e41ee5d715c76d15faa5d3bb897a9f81576a1d7f7b7c2d7a56da9cbb9ddde3d279ac9b6fda39ca5ec800ed7d71f97debe4ec22dcd1

Download Submit
C:\Windows\SysWOW64\Helfik32.exe

Filesize
208KB

MD5
a5c26967b080f4ea91ce312f1affeade

SHA1
f5cca9e4123b4051a57d1917a8337bc47a967675

SHA256
416f799c6d4bb217c43f76b34211e24d3e6474518f0d83815a9753b01af43515

SHA512
73b77d724331c057a8679a296b90a6617d0ec5f83aa2544b0dfe78762a3abda5019507a6d87cc80a923b959f0decd564f78366079779dfe46a621615af2a47fb

Download Submit
C:\Windows\SysWOW64\Hfcicmqp.exe

Filesize
208KB

MD5
b5bdb0f59c73859aadfc22cf9039a357

SHA1
2f652ccb26d08d506b2c40fc224900fa11014aae

SHA256
9058850b43c560a7083a55c042aaaaa50cda523cf52ed0572b3612ef3b4222e3

SHA512
29e507ad9b62dd2bf532fa718433cbd62a34a15f7476614267d13e3fe2a46a22244201f99d9e8082ed39ee5b6dbee427c88e9bd362a3d5984fe773d46a9f26b6

Download Submit
C:\Windows\SysWOW64\Hflcbngh.exe

Filesize
208KB

MD5
192664f43999acbe881b8c6fed8b8f92

SHA1
fc59ef5a0330a1f283d192784da6490fea53a286

SHA256
b5139479f0c5710c4acf3965d8d2a69f150c8834ce7aca489f6a6473146676fe

SHA512
cc7cd6353d941648cc56f670741953f6a4d352cc8bee5cf786c358ed451bbb4751b600eb45b2f07074a107751a95abaf206299ea7d2c416e0b1b10edb07fcd3c

Download Submit
C:\Windows\SysWOW64\Hfnphn32.exe

Filesize
208KB

MD5
6c7c954ff1f151f8388eb4772f635099

SHA1
a6eff10b9d5513d05e6fc7de93f54282df4c0b7e

SHA256
6872534fc260a5fe8c99801a02664aa151a2413b7ae880b519608a3357f8749a

SHA512
8d231eb4701731783442aef95e750995df6d6cfe8e6150f1ef2b77d534213860fbb2c2921b66b641d84073aacda819bb1a0b8e4558c7394141a791089bbe3baa

Download Submit
C:\Windows\SysWOW64\Hiefcj32.exe

Filesize
208KB

MD5
cffe9be6281558acd5d5fda2a93e4496

SHA1
90aa35a6813c9aeecdff26db07357024297e99a7

SHA256
f2fe6a494658fa6d762452106071a1781e7e1cfaa8bb3e610d6ecb47e7b4dcfd

SHA512
2e54fa2cad457da4a9fd2c38cac8c7cdb8322e30cba05f529e84da461675942e1ad441caf259bfe9ec94a9da3780add99d88e730c55814e067704366a93835fe

Download Submit
C:\Windows\SysWOW64\Hijooifk.exe

Filesize
208KB

MD5
daf21f33d5b239eebb46c99b2a3bab25

SHA1
74d23476a8b7aba7fb67d4057d26c2036b01fce5

SHA256
8ca826069c8fefaba7ba452ba862becf588c2cf7f385e6d439d4879f9ca3ab4d

SHA512
efa9e83bc8a77c725671e97035b65a3277bb88ef585164c36054dca0c9edf1fc1c73a4ee4feb13460514b9170b1007160b215e4e5124f8ecc172af01b6bc8f8e

Download Submit
C:\Windows\SysWOW64\Himldi32.exe

Filesize
208KB

MD5
752f68399fb6a22d7f32d000f9bd69b3

SHA1
7555e80e85bcf61bf46a0e43144fd2ec30a9bd44

SHA256
1bfe6ef7a9ea2981afa0862bad6be444a88fa63f42492def31584167c87f587c

SHA512
147a262bd9bec7ecda7cc8dec13924491757a27b24c351e5ef72b3bc73ce9b6fd3dcbc03769f6302b8e1f2679b0fc972f913d128be0880de8c698a25bc060982

Download Submit
C:\Windows\SysWOW64\Hkfoeega.exe

Filesize
208KB

MD5
bb0f1ad53ab5862e270917aecbc9446e

SHA1
e011be1c2852fcd7fe348f1e3354e03c865ea7b0

SHA256
c35c5194dd4d69a5fe1038e88d8d0fa0040cc916d1e0a7208b17986f0005a2d9

SHA512
b9fc4078b048170143d08024f36cb5413d9b26fc2d456eab6d83eea92e5c2b983b8cdbb6ef52c777f270a9fedae78d044e3854300c9ee890088541206187561b

Download Submit
C:\Windows\SysWOW64\Hmjdjgjo.exe

Filesize
208KB

MD5
f09f4b27c2a7b964637cdb61fa5f8496

SHA1
c63ea0407b9734eeafb4577a94215ecd587baa15

SHA256
f2bc3f216b71880c24acd27a97f7dca0a6cd71cbc0e30bf9f18fe05f256549cc

SHA512
ecd4a2e2bb1bbd0b69a3f0f5a7fff62b8e53351803f011a21c0d9cab49e84737871cd00ab4c74749222b45135eed30f913394a6e9d7e5084c188eb12b082db0d

Download Submit
C:\Windows\SysWOW64\Hoiafcic.exe

Filesize
208KB

MD5
0de23fa3aac375db04440323bdc112c1

SHA1
fdb019d544d1d009578b580d669c5c1571c49aab

SHA256
04606c8d407d1fcaae50d5c16f985094a42bcb4cfda1f40330b08e2c4cc64df9

SHA512
1090dd7757bfcfc0160c89030c14454465e6b93b61944fc9136f57900b0c58d8908ed17739900d801e50c8877d96c233d1784511752a755d044829242abefee2

Download Submit
C:\Windows\SysWOW64\Ibcmom32.exe

Filesize
208KB

MD5
1f793635811d14f79d600640c4820f7f

SHA1
ee7c96ebb90c340dd4fcfcb4ab10f5a1792cb5ad

SHA256
0f8325635eb8af3d480750c700883ec46febde00cdba002a2fe2b035f1c77057

SHA512
a4fd9a7d2e84ff9f5797d96bba89c35393c845cd599175dccc8a5c4705c6cd67362e3ec581bca0e76b57b0e67b478d2b8931110817296f3300ea8af6d93e9b23

Download Submit
C:\Windows\SysWOW64\Iblfnn32.exe

Filesize
208KB

MD5
e85170c883afbd01ed0eb0809fbfc3ce

SHA1
4cc9f90e5ede1a7c52eaa43fc7bd4212ae4b6946

SHA256
b6a5d960d90345b9f3121e1d6e97f5633c48188fa222a2092a657d839e4b0f98

SHA512
d9418df64837a0a34a6ad729aab23410afdb5f101a4674e4f00672663a2cd87aab4e79d7ae9279a270479854943c80573b97ed3dbc658affd3c7f08ad2025273

Download Submit
C:\Windows\SysWOW64\Iehfdi32.exe

Filesize
208KB

MD5
bbedbe9169f5f75d8e36c07c940d1745

SHA1
40d67902ea4d4f155dcc007f9eeee6b0d7cd5822

SHA256
e3268fc5955de361678d82e5403ef6ab374f6b1937d31d210ffd50d4c8d64d28

SHA512
373321c1b0b84d967f86aa81ffdbfde5942e8a7aec42b3a00c4d64b9ed323cf0c4f474cd8b4f3156e1d111fd00f9dfc460e3f90794dd9db849d6d8fb08573278

Download Submit
C:\Windows\SysWOW64\Ifgbnlmj.exe

Filesize
208KB

MD5
85858de5e2ca7ef2a34c0e579d12011e

SHA1
31cdb3d3b7fa292dc54d7be8c8c51f9d6c5aa686

SHA256
dc2888289df72bec40826fd584c9c098cfe671adcf05af2e17efb6cf405f697f

SHA512
f281a04041cb37d32514d798dc10becdc801e8b6d4c7dc7e7b538e0ac6a7a7a439f55c4359e7d1af26b92db8ce9338ce219555df1b542355e5c65b809e65b1ee

Download Submit
C:\Windows\SysWOW64\Ifjodl32.exe

Filesize
208KB

MD5
2a3eef758327a42373fbf7faf90d972e

SHA1
aeddf3f2709990fe93d84dfe36e9c44f0a96a92e

SHA256
8aac6b525198a8d0540098dcec645bea25f5f846685fba5a97f8bd977cd8aac8

SHA512
d470e42492dbc324661fb2fcf3402089f07bf0525ab04077da7cb688da32aa6d31390b59453b30b415ef30513f74a78356b9b316477e4c0396f89110feb12008

Download Submit
C:\Windows\SysWOW64\Ifllil32.exe

Filesize
208KB

MD5
1d5894d660ef6daeaf9bd86f95302583

SHA1
03cfad73074f3a0a4867485c2e7fcbe1448af068

SHA256
9a96592eb34633c7b1c18ac3859606bb108f1dc9c9cb774a09d7b433000a9bdf

SHA512
e76daf2a6ba155c0f0b1b85ce9d2130e8c44cdfc3b3fa469c94686f745d07f7ba285f4233356d7e44030d83a865fb58dff829c99a4805f837bb011602f17f2d7

Download Submit
C:\Windows\SysWOW64\Iiaephpc.exe

Filesize
208KB

MD5
21ff3e389e82e1e7460131243706800e

SHA1
179d322ac2c31b388881805e5c712f4f24d16d86

SHA256
0c741fc41575f8f2115cf598d0f7625a34c47bf582c538f45f2adce4539c0733

SHA512
5bcb82430063de30c4245cb6b71ff2e8d998fb2eea3f47bba32743c291ad800dfee79620d342d6d2cd200131b759474d6298af99d3a171ea93b6de35ddeb1a2e

Download Submit
C:\Windows\SysWOW64\Ijlbqboa.dll

Filesize
7KB

MD5
8971b93cbf035c2fab65f92a2d1f1ebc

SHA1
5b9b783537c00a6edab1e2fbe457995352b96325

SHA256
562f507cb59e05d4d1dcc5262d217f10644af1ce1e105714f3298340a1d18bef

SHA512
136f295c740792d92d799ed081e677ab0127c97e0e53c329ab4072a776aa094630d334eb59438c526471f9fe64c763a53edbffa0151591738db51125d35c165a

Download Submit
C:\Windows\SysWOW64\Ikbnacmd.exe

Filesize
208KB

MD5
21fbaeb7fd0858495877aa5a32b9c096

SHA1
3f8513d9025fd87c071914030ffb33108f8f7418

SHA256
2e53f090261ce76c3fece8d2ea0469f9058b2f4a9c4d762d73cd9ae49ec777ec

SHA512
156fb77341bbf3fb4e4b4072768543a1031f7bec8c7fb36ba9635d64a7144f6b0a27aa526ff672558462cfe33d9d069326bec7123d97a96b73602e295b4f4f2c

Download Submit
C:\Windows\SysWOW64\Ikpaldog.exe

Filesize
208KB

MD5
78c502ca0d28a97d48a37af7982f673a

SHA1
50c57ebbb8c76d981cb4ed266b93f56777ff899f

SHA256
04b18416eab561aec418e8ac317ccc14b37a869a0b098d5b883035538c7e2564

SHA512
5471bf688c2ef08bbdf819bf876121f71167ee910ac3ba23264bdc82b2ef13d02c06908596c0289af4724fbc816255c50321fda33006ccd1cced28e354a53faf

Download Submit
C:\Windows\SysWOW64\Imdgqfbd.exe

Filesize
208KB

MD5
e29150b9d004690e39fd298fba14869b

SHA1
981529c0c0c59b10feeec90ccd95b5387974dc7d

SHA256
c8728bb30c4c66e72cc3bc91c8c92d3666f176833cd24fd17da9b0abc5d0c2af

SHA512
5cecde4c2ec6dbacb91ff283c320a59b2b008a21a05214c1f9ef703735b7c53863cc9efd25b8db610dc41a1abd029c0e8f771c48ab88476aa80773188a0bbb3b

Download Submit
C:\Windows\SysWOW64\Ipbdmaah.exe

Filesize
208KB

MD5
5ce3f45c9d1c066a0e476a7e57ed845b

SHA1
7e459699b709179371ece71c63ebd15587fe5e84

SHA256
fedbcc5e87b64a337787769bc7d9c329a8f32a72496b94cc184bd7f1b60a1051

SHA512
6b5c6c7e7f6d98abf7815c3a1c699332f467e7c53b2e33c4b434aa7386e0e7120905c4a0cdfb12da5e81cfc7787b446f4d68fc20d2f89f880d2cc4d25c8dfbdf

Download Submit
C:\Windows\SysWOW64\Ipdqba32.exe

Filesize
208KB

MD5
50d0a02c62d7d0d2b8175ae4f3093d44

SHA1
d2572f33447a7aff36670fa40b094b668b170643

SHA256
98e2a73c8c5c5a2e1e1876fee73f168dea1e5dfcfce45d44d4f556bad3545882

SHA512
254bffbfa3eadee60b54e219bf5207940a8d932248d37d24e93ab20048db372ae9ecae3d523545e6df95d65cfd0245b700ed0183f9803629ec69f44bf36ae7d3

Download Submit
C:\Windows\SysWOW64\Ippggbck.exe

Filesize
208KB

MD5
e539cf152cd10025969b93d5aaeecc84

SHA1
6aef31fdf914ef787a901436e3aaa681e9df91cf

SHA256
8447cc9cd4cdc320e4b1c401b32d214ed1aff913c5c6928c553d8b06b96a74eb

SHA512
bb5c35e4cc87a00edcba9b1e525372fb2657bcf411e2e6178d62c60da62bc082c09ae3d063868c679df13af21b74538d5497a7c3fdc0c3ffae838cb85106683e

Download Submit
C:\Windows\SysWOW64\Jcgbco32.exe

Filesize
208KB

MD5
303f4b609857355f1e43d22d2a4eaefb

SHA1
4ca39822362fc05434f957dc56ab0bdfed82bf3e

SHA256
4621322feadd8b6990a8c4c993e43303b115077c5b4211d17fefc4577815420a

SHA512
a68d481b43bac303289d860f295afccd5aff4f85e9976339672c18f529fa48b8f7d96178d467fe02d8700e47b201fb51af0342ee587c860bbf92e9f47074932c

Download Submit
C:\Windows\SysWOW64\Jfaedkdp.exe

Filesize
208KB

MD5
80b8610884a42ae9843c090c64b73513

SHA1
621f41ad9de7eba188f058b15d075ba5d77504ca

SHA256
ad412aebaeb4df4a4967308f085d5460effb8db611e15d7b2fc993a700f679a0

SHA512
0b653958173de8b1c15e336d67331f874ac4a6478a5b1a9a413969b8bf065c2e47f0112a69a0538cd3fa858998f070eec8a4bb68f0fdae274c489bed08f563a3

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
208KB

MD5
af8bb6fa666aec3ac58f3d932d780967

SHA1
d054cd92f8587cfbbc047fef8e4140c563427064

SHA256
9750d11aed6b1e5fe9939ff668a73d5c4a16fd4367db7adafa94ee94b7685173

SHA512
f9788fd365e88cd086e08f9d468626a02e915c46d6e2ad9f85af69ea1e4125c04680a03a593e1eca3a67a3e4882861e8d6efff97a6b38aa5f87b97eff524fbbe

Download Submit
C:\Windows\SysWOW64\Jimekgff.exe

Filesize
208KB

MD5
9ae712d39a66ae5ce3d0fc2e5cf050c3

SHA1
51b3b86176f4cc3d2c82e6aa0aabfb2ad01983da

SHA256
2cd543d80f02b63b863bb1bfe324af9d194cfa3af134d1e9998aeb5865da59b5

SHA512
5adcb4aa612158019379328743033fcbd50e345f0679b860a02ff640a5ea6b821115e2c047fe860b76a82388990e529c29cfc4ba95d2ea9ad78380adfb0203c4

Download Submit
C:\Windows\SysWOW64\Jlnnmb32.exe

Filesize
208KB

MD5
496e1b3814d8bd5019eae96919361a8e

SHA1
21882a8fc3ada13a153ad39c457f8c64fb4159e6

SHA256
4650d1e696d9fd87364faecdf6842f327c63cce5fb1513322181bbda35ba6760

SHA512
bc02c45fd84f004484f220e656cad993911376bd27e7d7004d0b7360e4d79b94c4c8b98b926ef0983e6ef508d5ca1d69860a3d689ab287342b59e802c22e6873

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
208KB

MD5
861263ff47eab94c9a394f6ceffd3fc1

SHA1
d70a20ecb02e69488e08100e673d108d62ede5f3

SHA256
36319eba3e4ce094afa1efd9b31ea10042be7c45edfef824a649531d9b565b40

SHA512
ad7bdb0507742a7da0e2e094675a9a190042dbe1a561f8d2dccaef8f362b7b34c7bb58c41adbbe31dd0d8667799a5a91535505027a205d95517f25ae8dcd9efd

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
208KB

MD5
ea9814ca68451c1c65867ef6687f87c0

SHA1
fafcf6e996783f8d930cb68b22adf4dc86f29d82

SHA256
180c53c9503d3f57ea19aafe5a4166f4ccbd4e57291f1f9a94b7b85cdbd8a534

SHA512
847a3836512155641cdc3c904ff4b20427550746c2807112f2b2538743bd1091e81eb202c4c914f05aadf0f783ecd6f07207ca1f6a2b1f54594b8a13ce3ca873

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
208KB

MD5
99902498d176e6477b62f8586f63babb

SHA1
dbb53349a6cb56028a5a359511dfe66b70927a09

SHA256
4ddf7b515e78bc7cc28dfcfa02b0810adc02eadfb8af63e3f9c60d021846ecb5

SHA512
912de5640ed0d510e81512876b5a969dea6a7c73fffe296491542d3a86779992b9855abd07fc9ddb8b8c348b27ba31762869c9765c571dfb18fd5e3e3493199c

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
208KB

MD5
f13fbc85dd0b6c3e2db0db048cde6d30

SHA1
99afca7ff990f46db2f580ec852ebf1546b479d0

SHA256
03c63824c8e3d37c69cce0c44bd2c97d360054383cfddcb104f9ab057d2c3e01

SHA512
3488fedcd06ee75f7629f9d4ed2585acaa5de93225067058a1d90193c2174ca0e3ea00cc698832e8ac4083ffa70010aabaebc6db0b25165c39f87ceacb22e99c

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
192KB

MD5
0ef4362ad6ad1bc74d88d4d7af13f588

SHA1
8447b9b923a9f10abc990873827f109e9a5947f1

SHA256
182c6762db06713f9093e85a29538b2f341dbfc0e5ea2ab3650c5de39645bfd7

SHA512
25d9d9178f3288e60622e7035d74f628e2b89f7a7e1881536c93af2d0fab3eb2919e8de67cf6976a88a1b548afbadafb968e7cb416f052868b8c9507f2d06e8f

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
208KB

MD5
1a7804dbd764e0b661b9e0347607074f

SHA1
1f0eb15a783cfadac8c6831cb2d1a0b5ac5ceb3a

SHA256
e681c836b02a1e0cf3420ce27c2f65b2d241feda45e26211c7b5ca62b6e07117

SHA512
28a4c4b36652157003bdadd1c467fd2783ebc0713093eae79522ee4a0122595bbaa65c2786a76b436e76d51b66d718edfe0de796f25d2fc9b351fd7c1290b994

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
208KB

MD5
881d9ade42cf35f0969fd7aa35b185a6

SHA1
24ca6c2a31fa3b45bf322b9fbf1148e768adf1e7

SHA256
27ca2a57e8c755ca9878904399cd548bb1a3a77a6fdc0b8c4492631ba0bf7ef6

SHA512
962dd396a3d21f1dc1c56e8dac2d586deb5997b9aceb21ab0262fbf0e7a801bda786ea547415c5af93cffcc1a1844c910b3168e2d618ea0a19b1fc1cf8a9fd33

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
208KB

MD5
b8604ef9d776677f3374e2c1611829e1

SHA1
6a8a283294ba3647a6ec64148abea5c5829180b3

SHA256
d49a37251d01c24520a743345454ed2e9222d5b7adb9572f8a696744f12d76ef

SHA512
0505bce8b30c8df0f36045ec179af8ae04832dd2c9610fc2e66c45101515aa08e4e5aa837f2fab41f613d57a034688b13ca3b69b3c5f5b95f475fa7e2bfd0491

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
208KB

MD5
e9510162f4d6a2058bc758c9ec163a32

SHA1
43fa9ed272c825044ca396c048e8f3ec078ebd83

SHA256
6be121a98bcdcc58c3091242a8c3adea7e4b09a2c2e3605a0809d087164dca32

SHA512
93faf85f8b0ee2ad98b45d4c927a0d5b9028e9bc6427d81fab71cf7f171e1ac0600227d18dc573146d305e0994f7f49ca53abc552a62adb877319f2363834bfc

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
208KB

MD5
b1be92bcd0080a2fbb99978d75d052a1

SHA1
73ddbc46cf86da7ff663e187a0fe0533360c702f

SHA256
44f2a567c3e26c6908b3e1d5fc303bfbd3088271867e8040f165b0addea3ca8f

SHA512
9c465005ce68f983617fc513b1d926e827f32022fccd96736f16c15b10881823e3762dc7a6d4156721f77efd1fc18dc5e86cf6fc8c20e31d5634bc367eff99b7

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
208KB

MD5
366c32664a6201e747360b6b615d9d25

SHA1
d9f8d2d63da4625087dd5009e39f17d78ac28ef2

SHA256
7f65929be84990e8da3b020120bcb76ee2494eed708a16d9d009eff6893d471f

SHA512
8de99f549359f65aba9e346272ecc44a9226b1ecbc803bea9901b6a0d1e97d6bd59b901aaecb0cc86c5d131a76e7603cb3c3cce64d93a7dbc0bc92a2601aa9c6

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
208KB

MD5
a5d0f32d6c077bbb52f6ea84db299ec5

SHA1
718cb34c03fb0f4c41fbad5a81ede80ef8947328

SHA256
7200527f1c9ed89686e11c3f87f7c3481c3655ab7bbcd050ab868fbe85914f11

SHA512
114a12e2356eb2edb264fbb9fc2e05266594ab05d990ed3995fff41940c962fe9b9623c4595550d7e4b63d29a5867d6f0936b986270803b752d8a26c949b3f44

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
208KB

MD5
d90909c246fae0a1ba3807a96e757065

SHA1
849ec28538871f17a3b226a0a7632e0ef77605b0

SHA256
31c3e7570e2679b705fe96ca38cf2812425e88ab1de07d9cd45f263e2482b035

SHA512
e508e16aa4f96fe312bad2b673189fa6b75cf3b8677eea5b24e860f51fa776fbdeef033f21856742eac2429d82a7c699faa77c8c6952abf9b77a0a6eea89f20a

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
208KB

MD5
60abe521447ae5b2b1bb201286ed9ebd

SHA1
fd223feceaabd242a631ae2b1511cc86b74ae529

SHA256
24a4962c0890946a2a68f4248ff456549507f9a82d898a498483c20e9928f466

SHA512
5efc98b84a20c786d1d4fe0b2f28d60c59485c861925c4cd174f5cc4a15c2c094fbab9e68a7a605c08fea241e9aa66542e9a6ae279871e9546362e9c616cc66a

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
208KB

MD5
2b3ac28cf369757a8004930a07499c2e

SHA1
a1a571654b5df12133e55e76c0b8014774c889c3

SHA256
5c02a52847213933a0799a4ebe82e3df570eb6963fed499f872124170de2606e

SHA512
580bd6af3c5dfa3d294f45f51dfffbf95ca0fa5284d1016a9e830d456d83134cee26c589e57194aa837315c0133a0d8ac9029923e192c5918e6f2f53b2396107

Download Submit
memory/208-544-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/208-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/212-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/540-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/724-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/812-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/852-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/868-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/908-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1004-532-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1096-466-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1100-565-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1100-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1136-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1208-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1288-551-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1288-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1328-566-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1408-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1460-478-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1468-76-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1560-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1620-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1620-579-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1628-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1640-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1744-520-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1792-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1796-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1840-154-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1940-484-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2128-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2188-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2188-586-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2408-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2412-559-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2420-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2492-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2580-514-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2664-545-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2680-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2724-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2736-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2912-580-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2960-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2992-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3048-558-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3048-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3116-594-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3164-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3176-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3212-573-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3252-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3304-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3308-526-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3328-593-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3328-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3348-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3368-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3424-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3432-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3524-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3632-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3660-496-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3764-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3808-247-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3852-239-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3908-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4092-507-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4100-448-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4104-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4144-495-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4180-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4196-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4200-508-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4296-538-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4400-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4424-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4424-572-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4464-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4520-460-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4552-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4568-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4588-472-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4660-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4696-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4796-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4828-552-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4864-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4888-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4896-255-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4904-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4912-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4944-587-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5052-454-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5080-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads