96a75f504a3e214c65c552758cabaf313c58359d8b45276fc3149f4ed19e8f5a

Analysis

max time kernel
97s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96a75f504a3e214c65c552758cabaf313c58359d8b45276fc3149f4ed19e8f5aN.exe
Size

128KB
MD5

aa95ad605fee85239527fd125af26740
SHA1

73f4d2c49fee563fe4486d0d55ea242b10eca1e1
SHA256

96a75f504a3e214c65c552758cabaf313c58359d8b45276fc3149f4ed19e8f5a
SHA512

bb2d51154fd7a50651082dfc9d76aae62c15042b25c9e5b3d791475b918fc52abd6c22505cb24503326aad6ce9f55e8c4bb2ed4d15e4fa903666714e8622195f
SSDEEP

3072:kLIm9fXINOc485ch7NKyDrLXfzoeqarm9mTKpAImA:ktf4NMhNKsXfxqySSKpRmA

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jedeph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbaipkbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbaipkbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlnnmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdcbom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	96a75f504a3e214c65c552758cabaf313c58359d8b45276fc3149f4ed19e8f5aN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmdqgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjodl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplfcpin.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iemppiab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlopkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iblfnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iemppiab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmdqgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ippggbck.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jehokgge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jifhaenk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbfkbhpa.exe

Executes dropped EXE 64 IoCs

pid	Process
3540	Immapg32.exe
3532	Icgjmapi.exe
216	Ifefimom.exe
1084	Imoneg32.exe
1568	Icifbang.exe
4008	Iblfnn32.exe
4000	Iifokh32.exe
1272	Ippggbck.exe
3916	Ifjodl32.exe
916	Iemppiab.exe
3216	Imdgqfbd.exe
2748	Ibqpimpl.exe
4788	Jedeph32.exe
1512	Jlnnmb32.exe
4504	Jfcbjk32.exe
2692	Jianff32.exe
3972	Jplfcpin.exe
4672	Jehokgge.exe
2328	Jmpgldhg.exe
3488	Jblpek32.exe
4924	Jifhaenk.exe
1196	Jlednamo.exe
3736	Kfjhkjle.exe
776	Kmdqgd32.exe
2932	Kbaipkbi.exe
1608	Kikame32.exe
4304	Klimip32.exe
4592	Kfoafi32.exe
1912	Kmijbcpl.exe
1048	Kdcbom32.exe
2128	Kbfbkj32.exe
4908	Kedoge32.exe
1656	Klngdpdd.exe
852	Kdeoemeg.exe
4940	Kfckahdj.exe
2240	Kmncnb32.exe
3752	Kplpjn32.exe
1432	Lffhfh32.exe
5004	Liddbc32.exe
1212	Lpnlpnih.exe
4900	Ligqhc32.exe
1876	Ldleel32.exe
3260	Liimncmf.exe
532	Lpcfkm32.exe
3280	Lbabgh32.exe
4080	Lepncd32.exe
448	Lpebpm32.exe
3100	Lbdolh32.exe
1368	Lingibiq.exe
1824	Lphoelqn.exe
1780	Mbfkbhpa.exe
4092	Medgncoe.exe
2512	Mlopkm32.exe
1908	Mchhggno.exe
4480	Megdccmb.exe
3700	Mlampmdo.exe
1712	Mdhdajea.exe
3528	Meiaib32.exe
3296	Mmpijp32.exe
844	Mcmabg32.exe
4992	Migjoaaf.exe
2060	Mmbfpp32.exe
3168	Mdmnlj32.exe
1456	Menjdbgj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Ejnjpohk.dll	Kmijbcpl.exe
File created	C:\Windows\SysWOW64\Lbabgh32.exe	Lpcfkm32.exe
File created	C:\Windows\SysWOW64\Olmeci32.exe	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Pqknig32.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Amgapeea.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Fbnkjc32.dll	Kbaipkbi.exe
File created	C:\Windows\SysWOW64\Ffhoqj32.dll	Kfoafi32.exe
File created	C:\Windows\SysWOW64\Kmncnb32.exe	Kfckahdj.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Imdgqfbd.exe	Iemppiab.exe
File created	C:\Windows\SysWOW64\Nffbangm.dll	Jplfcpin.exe
File created	C:\Windows\SysWOW64\Bhoilahe.dll	Jifhaenk.exe
File created	C:\Windows\SysWOW64\Kfjhkjle.exe	Jlednamo.exe
File opened for modification	C:\Windows\SysWOW64\Nilcjp32.exe	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Jedeph32.exe	Ibqpimpl.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Pldhcm32.dll	96a75f504a3e214c65c552758cabaf313c58359d8b45276fc3149f4ed19e8f5aN.exe
File opened for modification	C:\Windows\SysWOW64\Lpebpm32.exe	Lepncd32.exe
File created	C:\Windows\SysWOW64\Gaiann32.dll	Meiaib32.exe
File created	C:\Windows\SysWOW64\Bchdhnom.dll	Mdmnlj32.exe
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Ifefimom.exe	Icgjmapi.exe
File opened for modification	C:\Windows\SysWOW64\Jplfcpin.exe	Jianff32.exe
File opened for modification	C:\Windows\SysWOW64\Npfkgjdn.exe	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Nckndeni.exe	Nlaegk32.exe
File opened for modification	C:\Windows\SysWOW64\Pfhfan32.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Jfcbjk32.exe	Jlnnmb32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Mchqfb32.dll	Mmpijp32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Meiaib32.exe	Mdhdajea.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Iblfnn32.exe	Icifbang.exe
File created	C:\Windows\SysWOW64\Laapnj32.dll	Ippggbck.exe
File opened for modification	C:\Windows\SysWOW64\Lbabgh32.exe	Lpcfkm32.exe
File created	C:\Windows\SysWOW64\Lphoelqn.exe	Lingibiq.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7156	6996	WerFault.exe	282

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ippggbck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jifhaenk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlednamo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmpgldhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kikame32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlopkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpcfkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jblpek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchhggno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbfbkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmncnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96a75f504a3e214c65c552758cabaf313c58359d8b45276fc3149f4ed19e8f5aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jianff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jplfcpin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kedoge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imoneg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icifbang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ippohl32.dll"	Jianff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qamhhedg.dll"	Klimip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbfbkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icgjmapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnjpohk.dll"	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfnbea32.dll"	Kdcbom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jedeph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oolpjdob.dll"	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdhjm32.dll"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibqpimpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgdelcpg.dll"	Jlnnmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lffhfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Megdccmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhaomhld.dll"	Kmdqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhmkaf32.dll"	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgbbfnk.dll"	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iblfnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffbangm.dll"	Jplfcpin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bcebhoii.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 3540	2560	96a75f504a3e214c65c552758cabaf313c58359d8b45276fc3149f4ed19e8f5aN.exe	82
PID 2560 wrote to memory of 3540	2560	96a75f504a3e214c65c552758cabaf313c58359d8b45276fc3149f4ed19e8f5aN.exe	82
PID 2560 wrote to memory of 3540	2560	96a75f504a3e214c65c552758cabaf313c58359d8b45276fc3149f4ed19e8f5aN.exe	82
PID 3540 wrote to memory of 3532	3540	Immapg32.exe	83
PID 3540 wrote to memory of 3532	3540	Immapg32.exe	83
PID 3540 wrote to memory of 3532	3540	Immapg32.exe	83
PID 3532 wrote to memory of 216	3532	Icgjmapi.exe	84
PID 3532 wrote to memory of 216	3532	Icgjmapi.exe	84
PID 3532 wrote to memory of 216	3532	Icgjmapi.exe	84
PID 216 wrote to memory of 1084	216	Ifefimom.exe	85
PID 216 wrote to memory of 1084	216	Ifefimom.exe	85
PID 216 wrote to memory of 1084	216	Ifefimom.exe	85
PID 1084 wrote to memory of 1568	1084	Imoneg32.exe	86
PID 1084 wrote to memory of 1568	1084	Imoneg32.exe	86
PID 1084 wrote to memory of 1568	1084	Imoneg32.exe	86
PID 1568 wrote to memory of 4008	1568	Icifbang.exe	87
PID 1568 wrote to memory of 4008	1568	Icifbang.exe	87
PID 1568 wrote to memory of 4008	1568	Icifbang.exe	87
PID 4008 wrote to memory of 4000	4008	Iblfnn32.exe	88
PID 4008 wrote to memory of 4000	4008	Iblfnn32.exe	88
PID 4008 wrote to memory of 4000	4008	Iblfnn32.exe	88
PID 4000 wrote to memory of 1272	4000	Iifokh32.exe	89
PID 4000 wrote to memory of 1272	4000	Iifokh32.exe	89
PID 4000 wrote to memory of 1272	4000	Iifokh32.exe	89
PID 1272 wrote to memory of 3916	1272	Ippggbck.exe	90
PID 1272 wrote to memory of 3916	1272	Ippggbck.exe	90
PID 1272 wrote to memory of 3916	1272	Ippggbck.exe	90
PID 3916 wrote to memory of 916	3916	Ifjodl32.exe	91
PID 3916 wrote to memory of 916	3916	Ifjodl32.exe	91
PID 3916 wrote to memory of 916	3916	Ifjodl32.exe	91
PID 916 wrote to memory of 3216	916	Iemppiab.exe	92
PID 916 wrote to memory of 3216	916	Iemppiab.exe	92
PID 916 wrote to memory of 3216	916	Iemppiab.exe	92
PID 3216 wrote to memory of 2748	3216	Imdgqfbd.exe	93
PID 3216 wrote to memory of 2748	3216	Imdgqfbd.exe	93
PID 3216 wrote to memory of 2748	3216	Imdgqfbd.exe	93
PID 2748 wrote to memory of 4788	2748	Ibqpimpl.exe	94
PID 2748 wrote to memory of 4788	2748	Ibqpimpl.exe	94
PID 2748 wrote to memory of 4788	2748	Ibqpimpl.exe	94
PID 4788 wrote to memory of 1512	4788	Jedeph32.exe	95
PID 4788 wrote to memory of 1512	4788	Jedeph32.exe	95
PID 4788 wrote to memory of 1512	4788	Jedeph32.exe	95
PID 1512 wrote to memory of 4504	1512	Jlnnmb32.exe	96
PID 1512 wrote to memory of 4504	1512	Jlnnmb32.exe	96
PID 1512 wrote to memory of 4504	1512	Jlnnmb32.exe	96
PID 4504 wrote to memory of 2692	4504	Jfcbjk32.exe	97
PID 4504 wrote to memory of 2692	4504	Jfcbjk32.exe	97
PID 4504 wrote to memory of 2692	4504	Jfcbjk32.exe	97
PID 2692 wrote to memory of 3972	2692	Jianff32.exe	98
PID 2692 wrote to memory of 3972	2692	Jianff32.exe	98
PID 2692 wrote to memory of 3972	2692	Jianff32.exe	98
PID 3972 wrote to memory of 4672	3972	Jplfcpin.exe	99
PID 3972 wrote to memory of 4672	3972	Jplfcpin.exe	99
PID 3972 wrote to memory of 4672	3972	Jplfcpin.exe	99
PID 4672 wrote to memory of 2328	4672	Jehokgge.exe	100
PID 4672 wrote to memory of 2328	4672	Jehokgge.exe	100
PID 4672 wrote to memory of 2328	4672	Jehokgge.exe	100
PID 2328 wrote to memory of 3488	2328	Jmpgldhg.exe	101
PID 2328 wrote to memory of 3488	2328	Jmpgldhg.exe	101
PID 2328 wrote to memory of 3488	2328	Jmpgldhg.exe	101
PID 3488 wrote to memory of 4924	3488	Jblpek32.exe	102
PID 3488 wrote to memory of 4924	3488	Jblpek32.exe	102
PID 3488 wrote to memory of 4924	3488	Jblpek32.exe	102
PID 4924 wrote to memory of 1196	4924	Jifhaenk.exe	103

C:\Users\Admin\AppData\Local\Temp\96a75f504a3e214c65c552758cabaf313c58359d8b45276fc3149f4ed19e8f5aN.exe
"C:\Users\Admin\AppData\Local\Temp\96a75f504a3e214c65c552758cabaf313c58359d8b45276fc3149f4ed19e8f5aN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Windows\SysWOW64\Immapg32.exe
  C:\Windows\system32\Immapg32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Windows\SysWOW64\Icgjmapi.exe
    C:\Windows\system32\Icgjmapi.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3532
  - - C:\Windows\SysWOW64\Ifefimom.exe
      C:\Windows\system32\Ifefimom.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:216
    - - C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1084
      - C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1196
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        24⤵
        Executes dropped EXE
        
        PID:3736
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2932
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4592
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4908
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        34⤵
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4940
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5004
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        41⤵
        Executes dropped EXE
        
        PID:1212
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4900
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        44⤵
        Executes dropped EXE
        
        PID:3260
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3280
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4080
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        49⤵
        Executes dropped EXE
        
        PID:3100
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1368
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        51⤵
        Executes dropped EXE
        
        PID:1824
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1780
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        57⤵
        Executes dropped EXE
        
        PID:3700
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1712
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3528
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3296
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:844
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        62⤵
        Executes dropped EXE
        
        PID:4992
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        63⤵
        Executes dropped EXE
        
        PID:2060
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3168
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4888
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        68⤵
        Drops file in System32 directory
        
        PID:4476
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        69⤵
        Drops file in System32 directory
        
        PID:1920
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:4240
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3924
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        72⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4172
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        74⤵
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        79⤵
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2388
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        83⤵
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2936
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        85⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        86⤵
        Drops file in System32 directory
        
        PID:2156
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        89⤵
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        90⤵
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        91⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        92⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4512
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        97⤵
        Drops file in System32 directory
        
        PID:820
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4844
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        99⤵
        Drops file in System32 directory
        
        PID:692
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        104⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        105⤵
        Drops file in System32 directory
        
        PID:1028
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:1404
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        107⤵
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        108⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        109⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        110⤵
        Drops file in System32 directory
        
        PID:3612
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        111⤵
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        112⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        113⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5296
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:5340
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        116⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        118⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5512
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        120⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5600
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        123⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5732
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        125⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5864
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        129⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        130⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5996
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        131⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        132⤵
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        134⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        136⤵
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        137⤵
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        138⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        139⤵
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        140⤵
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        141⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        143⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        144⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        145⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        147⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        148⤵
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5708
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        151⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        152⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        155⤵
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:6016
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        157⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        158⤵
        Drops file in System32 directory
        
        PID:5796
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        159⤵
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:5332
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        161⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5476
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        163⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6172
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        164⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6216
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:6260
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        166⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        167⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6348
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        168⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6392
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6436
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        170⤵
        Modifies registry class
        
        PID:6480
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        171⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        172⤵
        Drops file in System32 directory
        
        PID:6564
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        173⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6608
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        174⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6696
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        176⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        177⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6784
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        178⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        179⤵
        Modifies registry class
        
        PID:6880
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:6916
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6964
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        182⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7008
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7052
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        184⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7136
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        186⤵
        Drops file in System32 directory
        
        PID:6164
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        187⤵
        System Location Discovery: System Language Discovery
        
        PID:6232
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:6284
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        189⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        190⤵
        Drops file in System32 directory
        
        PID:6444
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6508
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6576
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:6632
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        194⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6768
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6876
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        197⤵
        Modifies registry class
        
        PID:6900
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        198⤵
        System Location Discovery: System Language Discovery
        
        PID:6996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6996 -s 428
        199⤵
        Program crash
        
        PID:7156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6996 -ip 6996
1⤵
PID:7120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
64KB

MD5
4dd6792d5b4593674249305f0aeb992b

SHA1
00143c12814241edcd90b4f62eab614fa4d5d6a6

SHA256
85c0a3fa9ab333ce1fe471d46742f35b76c3fa97fa5eb4d3c97ed7cf9c4ad81d

SHA512
c3acec2ae22bf712de8be9d077955910acc9cdf0b2868247388d7e83bf41ce5208df761b058a863194ed4f1d2eb395c5e93a681ea00342ecbf5422aad99f6f29

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
128KB

MD5
7a19195694c8688af5a80c684918c701

SHA1
a632b469ae578e401e11ae4cf2028b7a41f3ed33

SHA256
84019430963ae93b4ff736a4dcf38fe00d59cf187372288854da0d4d821f5cb8

SHA512
003fe5ee23d6dba274f090134ee87b5a6906167d20faf69f65a349011b73cef96cd483c27a678027b1b2f71dc6fc44e0679192f98c346182a83d14980ade9dfe

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
128KB

MD5
f2d6e526a3a2ffac4246ce2bebe1247e

SHA1
a819eed909e1e8555cf2e6767ef2b5fca78f4af9

SHA256
790f38a473f13e283d7f20119625c74aa8d2c60ae9b295a65c18d96b0e70db79

SHA512
08af07a04fa087aede778d2963a68c36355b7b30c4a4e25336aa4c7c4a5021e940d912e3eee919e11bd622f770686ebd7f5f6c9480458d5fc5bfa4e1aed988c3

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
128KB

MD5
f94c1eb1435dbad1860bffffc8835b43

SHA1
7879d9a564a73751fc616676b269769bcac13069

SHA256
96eb36af7c4680e7c8bfa1e8663f1673c054675bb9198bead43cb1bf28f8eb5e

SHA512
49b9a9edf2df6aa8b83f5ae5803ffff3215aba0f51d55fde95ea1f1ceb87c5721166c7b293d0a13913a0b01f6c65141b786175dc712954511ce2c2b6e793b2f0

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
128KB

MD5
db340be3f9bd09d6b87d71728c113282

SHA1
6a37ad6409f5733db4128a77041fe3af91917c9d

SHA256
8eb8f1cc1124c7ef00495872384e6ec8832a09ce57aceefc1c274b8808832972

SHA512
28067f18d63a727d6db675ecd56f904bdfc12cde5c3163365300db7e684861733a3b2de3563e1c8c5fdfd04fe665a17e69efad6e2247fc1638a620e13b94e729

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
128KB

MD5
4e645f470672b8c28eac94a7d99f776f

SHA1
c1cb81c731e7f554eff80dd1f14eff6d024486c1

SHA256
aac0b6b91bb676a02d609556defc179c7528e7e3d0a395e53a05015161eadc22

SHA512
56bc53d7d2ec6d374af7ea607e16c41e7aac68f85a9f5ed613d4f988d7f59b5ee209a3b40e858302cf8f5c1997986f171a7fd363b3efa3221763995329d7d7c1

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
128KB

MD5
447fabcc4f65747a45aac213c4302d60

SHA1
4b8df640b522b7c2d416efa1db392cf96ac79617

SHA256
c1691b6c46273c6fb705f8ea33b10d35ae3e1839b68d8f2ea346f35b28b5172d

SHA512
a4933951b0af87c1dcfdfcc623ece40c31e3fa1ec6fa191579bd7c8a66094ed5f68f0e251afb797915b1467b900ffdf060273348a6fa2c0f895cf081c2f09ea2

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
128KB

MD5
cff988e6ff8f81f63361fb8a19d82214

SHA1
8a2fc201d2c5045dc9f9c89c50c5d72f8399acb3

SHA256
ad682bd4397175fd2fe1639643b6cbe96b0e31a4034f40fa2e5a7a6befaff309

SHA512
cce9499fbd4828c3877076fed9cfb92f16e42f14c6bd9a8eb4074cb329d4e2c513aebc8d493b3454b33b67c47735adcf9c0bdad64026c3a3b3efcdbbee0ae7d3

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
128KB

MD5
d8fdc34ae68ff15f69a6ba69b0724f2c

SHA1
3c0a0c805f3a8f43a5df8e435afe97d553949452

SHA256
7627a8c97c990991e99288d689f62db277465a606c02a83c9405f861162f57e0

SHA512
883aac20404bdd3d24f6e6d66767ed948e06c3efba1891c17d2a32f779597b338e80f2089b7082400e0bd1199c7e2b1d0665e5d2a17f69a7e6d894c81259b5a2

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
128KB

MD5
f700b450d5127ea01a94263bb54cd381

SHA1
4d9721e3b8891be661918ff2ed9f4f69080b1b5a

SHA256
df657f28d8cc26331a27d42283422456169308c1f7892f8eefde248a85e8930f

SHA512
a248f739b0ab2a0c97ceff7ec4c323891c7f88953ace9a5c18b11a499f9ec6ec9da5208f9c3b8c5cf17d2be742a9742bf86e2a04c4cb60ab676f66f0cda17e5f

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
128KB

MD5
f58af60a271ec08d6a40b3ec7992fef4

SHA1
7fa923aa1fc257bf7169b83c737502d68b1a12df

SHA256
6e204697c9a41de17085753ff8ab493760031effab5f17dda2adbfc3810e70fc

SHA512
1054ab5cb45e862cb803607257cc24d4ec97c98b308db903a28e0b5244b629de3596a4591db762b9db245665dad13b4c3970bfab279cd3fced92e85419c19352

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
128KB

MD5
03d838e1074c72dc7286768d29808bb3

SHA1
9236fabd28c2728af3ba0170233e83ba160bc719

SHA256
141cf5d02701ba07e07a7db0cef6cbbc741d6f255c43d5ed3686129a4f12f5af

SHA512
45e41bef6a109b2050a078a1e7cde441c7cebf87074560d5103bffe6b184942337f502da9022447b24ad3dcf2d6d19e11b785654555d09f1f76fd0ddc3652ee4

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
128KB

MD5
871c8a8ed53a46fd5be8dccbae54dfc0

SHA1
e44c2c8aa42068b60c701716127c12693c18dae7

SHA256
b49d27e2accf342da37b0a98eda3d2bb65676651f7d9a67b60eb91d9e7d0c149

SHA512
e8f1061083694456061b9252134c4211865af9fd5a6879b5691afab1e5436e4daa497b578204d056d7df31c6aa2e2121c00781759f2f56a8a20d2787bed0edcc

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
128KB

MD5
070912b4ddebbfa1f85fd116407d8aba

SHA1
c8010db0365ba5d3f4578571e123e3aeb0d8651d

SHA256
a127fcb60876779303658c401868069f2e0b39f45a6144bf7a88def4bace6e3e

SHA512
7bf82aac3ad0a8a7a43db21ac75c536c04b332899493f9dae960f585f03b2a1978e2af53d2ff82d477fb596d0f23dc8a2f68abd7559bfa07ababed6d743301d8

Download Submit
C:\Windows\SysWOW64\Iblfnn32.exe

Filesize
128KB

MD5
8287af6d5207a5ca5eda8ae98c19746a

SHA1
a255045497be5c48eb34888e0fa60adc070e77b3

SHA256
485c01948ca9e9e4641967dd6b069f3c7c51cf5f2937f8b0057a022b1173cfc5

SHA512
092c973edc486eb83af9930cc2b6434c628fb69416883fdc981fc3de4e9e073600a5cb8b90f4192564698dea9146dfdd79da632d8bf907e77b4e79f9328d6f2d

Download Submit
C:\Windows\SysWOW64\Ibqpimpl.exe

Filesize
128KB

MD5
1ae8b7e630214e91698bffc3071a6b50

SHA1
a0affb0d3de73e69126a44de0e80f7bd4aae0d74

SHA256
aa16d673b4a47a3399e66be0f3750ada2f40e55fd248eecca7b521bac37241e4

SHA512
552b856a62e0bec1e1b063ba643347149581f4058c49e9574702ef2411a52b1605edf50575cb0f6a26614207213963667957cc88b7368e0eb9e87a63f3aad118

Download Submit
C:\Windows\SysWOW64\Icgjmapi.exe

Filesize
128KB

MD5
9dfbe9f9f29395ccfdcb1ecc3c6cc91d

SHA1
ae8921e9cd0c049431c54ed6e81ae91d37ae1b87

SHA256
a12e808c2c7444ec53d52f6a031509e430699077a7baf4d52a47dd6bd1b883dd

SHA512
608aebbd9cc504d143b2c83d03fbd9d7ed76a70ddb5393abf1506a088bbf8a965bae1a61feb49fda15efb14355ac1e34d7bdfbe418d6e5a0b5e457e0a4cdc3b1

Download Submit
C:\Windows\SysWOW64\Icifbang.exe

Filesize
128KB

MD5
08cd6834bed657308a577d1a0be10cae

SHA1
eb5c774a734a98efa960aa9c3a51db01747acb4d

SHA256
3df3588b0611a161e77fba1ccc7dd8e75e4ae84d102011d250de0ff786ead678

SHA512
35b21f280da834951d07bccc060416ad1a2f3e63291e0238c959031e92761c9e025ed46eeeb698eefe79e28ba014f1395918fc234dc3143f1a5ec252583ca53f

Download Submit
C:\Windows\SysWOW64\Iemppiab.exe

Filesize
128KB

MD5
51221103f6ae5057f4e64abe13499463

SHA1
3119098754d862553e48537cedff8e5a819199c8

SHA256
62893da30c48cba000e0cfac0148b63c4b4693a729db12ef2852a3ef130081b0

SHA512
dfa0238e0a2ba74aa6112f3a06d868952c9a63df34b391d10cb059d1891ae75d5e6591805956e94347182755a2f697665f752c9d4790b0c6adef4c0efd2e75b9

Download Submit
C:\Windows\SysWOW64\Ifefimom.exe

Filesize
128KB

MD5
cb17714c28e6f2d2af8602972142b8d1

SHA1
96803edd330753eadc7a7c669fbe1a60322e35ad

SHA256
79da45137d95220d5e2e6ceef44eb5040348180a26d4eace4caee51d29728947

SHA512
42c7bf8fdf18d888de770493231e702d018219e43e0e122d8d4502b941a09c1d741ce4bf093fd00c09e14636a9941ff3842e04e574d6598c9d7c471d443e4b7b

Download Submit
C:\Windows\SysWOW64\Ifjodl32.exe

Filesize
128KB

MD5
952d5bdf09337195c4be2ca116df748e

SHA1
428e08fffcb71524782901103bf56759fd452064

SHA256
57b31237b000e7ab1e525b2a66d1c533fc70564f08614e1bbdd2ed8314833a70

SHA512
737b87340de8994dc6d3c30cb3639be715111269ce6fe006d3666f5d4180079eed728ca107e0f8cb639d432cd31efc063077fb19c1c4fc7ef92075488ab5b719

Download Submit
C:\Windows\SysWOW64\Iifokh32.exe

Filesize
128KB

MD5
0802975245db09741fda57f098c12d4f

SHA1
ce69492bfcdd87fa0f653ba3f9f339b1abdc5947

SHA256
2debd60bac3519a879587a48a05a0ae27390445035cad2dddc6de2a643341af0

SHA512
e5f3d918c909f19aba17f9271a425a688aa7ac32f210e6c9bf6a913b5a3f59603d30db3f6d45383267d73c40e3ea0f15ddb0ce51463ba9de87bb3b337b00a25a

Download Submit
C:\Windows\SysWOW64\Imdgqfbd.exe

Filesize
128KB

MD5
2d26f99b398bbebfe18901467311e5a8

SHA1
8220d396c01eea57d65e857c3419cff341444bd6

SHA256
216482b3d2910b4dff69d1c4fa1f5650f70054fff3e4d2bfd9fec8a5ed8d41e5

SHA512
743b539b47bc84c0d72259680e0f8d3fbeea82af52fe2ffec3cab17e245b176f91da175ccdafcb8c5e24fe9dbbe6f1c6df5e89aed3345c1faf0a372d23a2936f

Download Submit
C:\Windows\SysWOW64\Immapg32.exe

Filesize
128KB

MD5
215666a4cefc2083decc4ffc4b756124

SHA1
902c67e31acad7ea5aae178e21fe7e2a017d5075

SHA256
d4a9b507ecb428f136cb241b683a734576c34bfe4add907542d111268650cb79

SHA512
265473e0df1a37fc27090d19cb8fec18bb93d064c06d3fded9ffb8a373d79f9997a10d9c6bae722230b803d69f838fdca9228cee811371da29ac6d5c3287d8dd

Download Submit
C:\Windows\SysWOW64\Imoneg32.exe

Filesize
128KB

MD5
68c293cd5fa16ad79277aff0e66b0464

SHA1
80175232e40996084d077b35e1cbcf02689ae541

SHA256
332020d6d5235d1760d28bce4b0d154520e2005551e8997f0d3d8f51d48795cd

SHA512
0717d107f4b5794de537831effbd847f082f5cf9ab19a7603d90c4c14ad68b30cf5d1a3aa04de427cc262fee0359dd06f022e76a5a745f165c2bf7d18647a4a7

Download Submit
C:\Windows\SysWOW64\Ipdejo32.dll

Filesize
7KB

MD5
b9bad746d0f2629d9ef4247d0f827e29

SHA1
d64aa2150106e0a6f4b86fcfa77b6d35ecc07a1e

SHA256
206c3f8cdf5dddc2ab83b886a14c9b02d1e6f7f98902bceccd8b85020af9c7ea

SHA512
a54572c7a161231c420427e25f8360c0e2bcc2d28abb4fca60b48f688acb45989228781501e16acd2515cfe6795f50c6c7a753289e8261879c1df914a905609b

Download Submit
C:\Windows\SysWOW64\Ippggbck.exe

Filesize
128KB

MD5
f13aefbba71e403d2dc85b02645dd992

SHA1
2afdce9c7470dc336c747cbcfdc243d3b24c7169

SHA256
ea34b57584c83b34315dd8e88957892d201959d10030cb1c4c7c32a6fe0a1d87

SHA512
bf027a141856edf9f4a5124ca957a6523c8e0ac3cd1035357873d4d38d5ca0668c59c6fb47655d99c988a99911603b2ac72fb43a6eb691a52aef40135f419cbd

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
128KB

MD5
93f46e3d928fa53598e54899add343fa

SHA1
a82f77d8c8a0655ddce701f418d103a60dea5735

SHA256
83592047ae615aa42f4c4401183e0be9378558202d88e2d607dbf0e50a1ea81c

SHA512
485cbcc065c644436b7122442ac684abfff7c7950489d311ed8fab3996bf5ed976395b9e803b6c4b83b482a872894ebe910260e2fc01e490d109c4e66bd359a2

Download Submit
C:\Windows\SysWOW64\Jedeph32.exe

Filesize
128KB

MD5
3eee7830da3fa5cf5d504716d0bfdf5a

SHA1
94ae1f105dce5522beba32a0ae0dc0d63a186ba3

SHA256
c3e63382e9f95d4def16ed6d46020d82f0e73955f87e166bd3fa4b9dd2ca2561

SHA512
692229d0385ff2d1f18ae082380a8a98e77dc79bc74e8c1398f3072fafa836577ed8ec4df453e4426810196ea140cb1adf1ac48d78abe5ea67bba730b83cbe48

Download Submit
C:\Windows\SysWOW64\Jehokgge.exe

Filesize
128KB

MD5
4f285e8d0683ff4f406f8e071aeaa3cc

SHA1
6ea857f83ee6d0c6581ddce4e1cfc3f25305ed62

SHA256
6c3550d69e8f90e0b8a028763e85e0c8b976871ef0a165605eff7b1cee0c5f1d

SHA512
cf09977d1519ac80682ce25b521e19443b541cbc1b5a353230218c29f334afbd0c35ca935759fe8cb674353f4ce1b1b876091a4543ab4179d8a383e6e8fc6e1d

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
128KB

MD5
0410ae46080d2fb8e34702bd31ed9214

SHA1
891897591e0cab14b9f16fac6682f906b010c95c

SHA256
11959178bf1f9cb5af76006fb93d56a0046dd59d1da96a055510fda56c202f14

SHA512
4edf50c3f67ef0c07482c93cad4da4c22b3a41b11041bf66d27e8ea05214ef13f6e57111f4ccfd740ba84493ba2e6bc890f7ad66c72ab94e273412aff5cb06da

Download Submit
C:\Windows\SysWOW64\Jianff32.exe

Filesize
128KB

MD5
c6a694e7cf8eed0ed8534d694deb9800

SHA1
9785667d6a213498082ab2335acced65c7d1be81

SHA256
7bce1db83162e9dbf053f3715dbe380e9650151a422ce209875c6a9535e6bf0a

SHA512
a13f91128c3e3a662f02dc211f89090eb0e4e3c570805ed8246ad37ebd6dc67d84d6f61d27f45fefec6e554184a886b8e9e49c3c5d8a6e9f5e56f73cc2b26b49

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
128KB

MD5
465e6b9dfef8878762821b5da0e5d134

SHA1
3152853553400d808a0d2fb2871d2cefb1b29762

SHA256
010391de77f621171a8b0ca4a85326a309818f9d39271d63e12a304015beafaa

SHA512
0eade935ae3eb2491d9413db0ab60772206c71c08f01bdaaeddca890450a1d3b65c369d138dedc5b32de86808f6eb2d02e5d54c1e6cb26620ccfe78db8a43bea

Download Submit
C:\Windows\SysWOW64\Jlednamo.exe

Filesize
128KB

MD5
f104e0285836bdad84c092c0923725e3

SHA1
392f85a39ab68ee50d6ba8697395bc84c71933fe

SHA256
d4358ae9722749e6e97095ce91545d611a9266a72e52a89f0f17e0362d92f74b

SHA512
ef7f975724b602be692427c5aa74e5987d082d0f5d42fce52726c4d7d41992482a9b2d607d74e9df8050ee07bead4691d7515a566961cdcf99d2627ae93b24b9

Download Submit
C:\Windows\SysWOW64\Jlnnmb32.exe

Filesize
128KB

MD5
8fd076fc5990b077a053ef61826deb16

SHA1
0ca4b4084c0002c567527e3857811ec59c66e0e0

SHA256
ba696896f65f9cb6c36b11156e96b9aa08eca6580ec18ea888d8146df7d544de

SHA512
101c017ede518ee9248d9590aa2ae90f70b879cb0e4e03a6399612f3948f090afe4580a413ac033b47afc4ce47f013d8a4375e842988b29c5b135ea2ddeefbc1

Download Submit
C:\Windows\SysWOW64\Jmpgldhg.exe

Filesize
128KB

MD5
a0516c668e94db55c92fff3eadf79b6c

SHA1
6698bc20ffd7367fcab347723dafe438b095e480

SHA256
4dcfc3c84c29594d027efbfead24be4dc649f312f26a683057cfef89a37767f0

SHA512
1ffd5083747abdc49a3fbdb683f218c241124f281744a355f691c61641b577ccd4d7853eb463e12b7f315b0e43514631fe7593cffd109d7826aee342629e327c

Download Submit
C:\Windows\SysWOW64\Jplfcpin.exe

Filesize
128KB

MD5
f6f9a8d8f4ddd7c59c6c213bf2030347

SHA1
2c7960408b49fa8350dc12f4ff665550d679fa7c

SHA256
f2db7a1642db7c815e0757acc9ae92c15109689130a8ec3a7c4655e1208b183a

SHA512
9602c954c7f794856a27fd7b823f4e7df3bffda767be7e67e9d594c28f533a1c2a955f1eb4f559d625e1238be09d044b77aa776e6e2c16a9104e48bbe42a7f50

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
128KB

MD5
1fc07bd38631a2c6252527260dfcb5a4

SHA1
9ec30470fdb135d85c5276660b79735a6a23170f

SHA256
d4f07577b9e694cc37dbf26e9eb8135e4ac0ecc60fd1fb40a56722895f036b5c

SHA512
65b93b318f45966be046737585e4d376f5569bcb726643594cdb4134a756eed1b23d7b279b4f722de7a260eaedf56c4cda1d7e97fe39988beb0152a2bee445f9

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
128KB

MD5
a742bce475c063886bd765b5b0453cc7

SHA1
0753e85e8117ef214012bf1876d492b1837e50ee

SHA256
b24b3d2727bfc88a067629991ad394476e4acc8be4bbd40daf1f1fcef9f69a77

SHA512
01fe4de1b89f60415f376dd8284d112641efd859c5e24e13d0e6bab0f9419ac531243568da914aa570599636d0ade404efc0257439d350884f060e4f752c2c2e

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
128KB

MD5
36896754cd6fff63a32cd0d4f5252267

SHA1
b3f7d06df5e0d2b21452dc5053592386793a4e22

SHA256
5f9d9b7865319eca8df98fbc6004a6451c25409b0d0c3da6a969c544c3745371

SHA512
2634d29cf64bde398b927bf0bfcfba753f790e567711374d7849877530d8a265dbf43b785e257d343475893d649301ba1422bed8b08c5b6159f6691d408a4f76

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
128KB

MD5
cb7e59227459697003e957457a42f5cf

SHA1
04cd3a534065effc7cf43dd7d60505e567b9b453

SHA256
c325ce069c35b7943f68f609dff1a1b63630ba9ca8f2574918f2c5eab5b8476d

SHA512
0b90b193bc7953c3a568e81fee5bf52f4959331015744bc0ae5a332007a6ec3960a450a8bc27cbd14d4a075f18b0a46a03c0862ce563010588225ff9db4d80ae

Download Submit
C:\Windows\SysWOW64\Kfjhkjle.exe

Filesize
128KB

MD5
411ac17ae57728095c9d191e549063f2

SHA1
befd7b8ec1ae92587e88ba4bb75df06996bc7f0c

SHA256
c572b352ee6a3a9cb67cd6c8cc1d6a39de7392cb22193e9e264a79ceb681a35c

SHA512
089f083c5334f5375f6125e7ea8229e96991b6435f60a3d733e03b0a29cc00f0bcaea3f54f8d7a8fe2f2ac5035ce0baed8218c5f81497eaa072e0d06c5aff8bb

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
128KB

MD5
15021c65467fd203a9f842473db99775

SHA1
ea0ab35d8970e96bc00e53b78231e596af4207c6

SHA256
e0d5b007f183401804d97a5fd52cfb5c7db9f4fa8fe56ca70d28d1820e8ae7c6

SHA512
794325cc2e372b104494ddb0234305a295640396fd7451352c9ac4a3b8b7307daed63d601ee52544d511f20fcdc89cc1a1710856e00bde1209c0ec95a619ae80

Download Submit
C:\Windows\SysWOW64\Kikame32.exe

Filesize
128KB

MD5
f4a10f080d1803d629cf416ecc950331

SHA1
b3539a13998e8083260b6203106cf8aafd97f980

SHA256
320fbf98c85c4119b9d3beceaaf8aab8c1d0c4f7279bde1b49713033688f1fb2

SHA512
81eff360e991e8128b2fe4375a8b5163d9763a18e964ad3e5f9bd24cb93709d096fccac0b107cbd47e82e9979f4ddaef7c19fc4a51bcba6cfb0092989ecf5706

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
128KB

MD5
a9e0bd1fc7675d1e27d026fe6fb8fa69

SHA1
0f7a2c6a10e68d26368b92a8ea1b042d03607860

SHA256
6fad8a3a0ef91746bc7a12f19a9edfc1b2368538dc48d79af021a96b2123ecbc

SHA512
0159286b61076c928f6cb2279f1ad49bc29cd1ed41cd4f0a252a7d6922aec757c8f08630fc1177dfe95c9dfb28e6527f51d3e411faef1e344b00b9c031f55894

Download Submit
C:\Windows\SysWOW64\Kmdqgd32.exe

Filesize
128KB

MD5
30597967cc80bf43fa80a75a1e4379e6

SHA1
f6b4285a31df6ff802c95e7b481e1faf93af31fa

SHA256
75e6e7be3690281bb3aa5c645ce34e28f54b5b0ce45f5037caa7f017d82d8cce

SHA512
d711d0608124feacf61d1f608adc5285838fcd26350419ba956ece1d1962d625279544622d77b811ca4bc53b90bc59475af2ed08472027988fea4e518b399bc2

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
128KB

MD5
7e838907d4da858b936584b742c48d35

SHA1
6497f5839b95795703a601aad9feadef2007d654

SHA256
de91378b1f2bdb3351aaf8b9936146d40dc4de14dd4d525115004b4275484c96

SHA512
a65802fe8c7dce2bb332047cde569666153891c9114cc275af0c576918d41b4502e645d3b009ce5b3e22867d8973c6d1638a8e5c6c2bb3e0376ac2aad66276e4

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
128KB

MD5
d44026dc001bf1332cbf3915d78a121d

SHA1
e1b7790d8738a9502050ccf03c411e30ec8d882c

SHA256
5fe913c1e8f6517b61070920fc4da68adbda325e0ebe12f41fc78e3ac47acd0c

SHA512
9f4074a8320a56b2593d1535b07332a5ba1c5c3c56cdeeb037b88fb0635c851d33d546cc354c4b893ecfb8b24df2a36f372331aa766cacb146e7754047104a75

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
128KB

MD5
fd04eeeb8c862b02f4bca2e3ea6c399e

SHA1
7c444716620c37087c2d80f547d1a4cd2cd92256

SHA256
d43bac0347aa16b8ffce6f3d9716e03a8f779e09f112b56712f05df6369603ed

SHA512
b9d9ff80bf6f3bb5cf205b64953d3163887ef69f493e65693543f894679e1e1d41b292e77b703c97af48c48c4629b92475f91b4f68d320950d88a960c2863d36

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
128KB

MD5
bb73ee708d12ab3aa9d45237b48595f5

SHA1
569b7c3ba4129b703a269b66c48d605776894fea

SHA256
76b9e71ada3732734221cbdaa0c4f8c4922a29b85bc4f522452cf5c00e769b7f

SHA512
4bb2741d8e77c00e2300e3b4b242d602d1c879e49d22d9e41330de3bfaaa5c98a589017f8c8b68bd82d635fc182a996fe3bf167c5a87b64aa7bda4e71531b511

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
128KB

MD5
edc7890c938f19f6fe866218d614a3ea

SHA1
3bca4d960ed241c442440fb5b564a639b06cd3f9

SHA256
d75257bcbf178f90593e9895934d28294dc582c13f2e74aaf427ee91e7fa40a8

SHA512
a4398336303875fa5095df59c34e9c5bcc5b14d49437aa5f7e223db76bd80426468edcde8afeb7c5d7fb5a3e779248da7042356e81a624684e0de9a90f336fcc

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
64KB

MD5
0fb52d9b66ae39e8783dbbe37b68cd92

SHA1
3838c2b546b2d2a74e894dff7f810256ff64633c

SHA256
35c921456e708a77ac2255f04659353359ad11c1353b8ab15487a07d6e52af92

SHA512
09903308348bef354b6b763977eaca5a7bce30a09e13262ef86d84155f2d4189013a6fa68da3964f4020a11d0f8904dc9138845b76201c1ae5fce302c34b91fc

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
128KB

MD5
f1391fb01abc3268022580b987af96af

SHA1
59c964c26b8a838c3d048ba1fc9c170505c40630

SHA256
2221883913aa1addfd590fa719efaa7e5ae75a26b63e86afa97d8be91f0e6fe1

SHA512
31c2bf3fea805f0fc48b2aaec14dbe326aad66f38ac5091b30bd7e350f4fa57476fb8424bf4d2b702f5b7cfde05a1884766d68f9a3a86237093fb4d959b9f322

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
128KB

MD5
fc678d1f024b0abd303c7b8e63485d2a

SHA1
3754331d37d58ea9e28116ddb78825424981363c

SHA256
7c89947fb705bdd507498c8e01da664b2f6cd0c052305ceb7f926600d33218da

SHA512
2cdf90b25f384ccac0c05f13244df1efc21eee4d91caf30b959123e595b5f24b5586d6f4e2b832153428bd97e93fe246ebdfe2c1c8152c0542370b57260d635a

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
128KB

MD5
9070359435f6bbdff8477b1ca5f442d9

SHA1
6207985ae048d2b8f16ef0fe51dabec593bca323

SHA256
6c94209027feff024291f03b08bfdccaf34ed0365db6c0e78bb1f973a123271d

SHA512
10015b1510dd367307f3ca874493ec4bd65b7de9e6b55ba71d3540ac1c92ab5f057138a1d43fc983bb3860649e677124f17f9e78deaf25770ed152479f21180b

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
128KB

MD5
c945ad10cf2ce6c6cd6a8b840a96479d

SHA1
547b1f37f1fb45bc06139f31a40daa5282183029

SHA256
670b09af568a01f72c657efc47092104fb8708d0ed442e29513852889ab50cb3

SHA512
d84feac739fb2e011aba2369f381da2a6fe64bc86d67b469db3aa6671ebd81814a293918e951e5902699e1215cad17965f7b6aab5f46f07c3e1ef9fba044662f

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
128KB

MD5
096c620894c5393769a4de25c1dc6661

SHA1
64438ca2ad0c3eb1fe0cbfd880319eb9277c497e

SHA256
18e811d082250189cfca6fba3569cb32c018eebc2d75f527f778d4b6edb2259b

SHA512
a5ae0a26ce6eda8d7e71f13d553c077c9217cac6da4a79e68c13c1b5fb04d49db29ee979ddf76e67ade88a751bbe02e632593b65e91fe33a89dd5a1d753db111

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
128KB

MD5
425552bb7c07053ef1f997afc5e2b84c

SHA1
2067d5a31fd8f1a0f3258e8e54fb6a682bd2fc37

SHA256
76e7fb4cf3b3fb22522435160f9c5856f578562b4e16c6c8b3fd37ceb4126d2f

SHA512
15a45a8f3d130a1d83d50e1bf92bdcd10fa357331992243daf1d0603fd48404a29ccacc1180ef4339e1d7aebd63086e137ed837c96ca303fd149edd2acd414c5

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
128KB

MD5
209940b58c3c724e5587326072df666c

SHA1
681d7908d929d5ab26d0742325084d2e160eb903

SHA256
cfd2c0eea0c2cd79ad354a1a67b430addf14af15ebde125e6cbba755c305f61b

SHA512
1684f8dffca55f0efafc21819919454abbb7cb6ac74cb4e7964250887a62734abf019c34d20cd4bc16d8efac336d17506485fb77c1f6cbe0d6b6c99dea945bed

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
128KB

MD5
38a8b8008ac3f6aeba7b85442279100b

SHA1
208fb983930376921d7003d1d4153f4f6a6aaf4f

SHA256
5d7c3e72bdc033e7486478b20317e95f7843a33d4d62d1eebf919fe061b68406

SHA512
7134a8bb8bec726c0a0ba0abcf4303e562ed3e0c75f3be60ef32910cf557676d161b83d8550547d79809bc4ac363b12fda9a15212cd43527dcf80b1971ec5e84

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
128KB

MD5
4f112a736f001d862f9c73b88bbae868

SHA1
0ba2698ac7617120b8021b7483d566e1ee3cd2a9

SHA256
cdadf27e12e01046a8d4c619f853bd56dda816a215833b508f1a8d0d710c2db0

SHA512
66f86e62dfcef55d1868c4f11225ca638cf6831518b07bba779be5f11fba607712f84ac9aa5195cb72a4c13f9517af2c873fb7e4bca16b52da7d5530051f1bfe

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
128KB

MD5
486e245bfb0138969be6e5cbe88e2e93

SHA1
df9d2c33ff4bd1261694d49e456f7611579870a6

SHA256
863dd3a9269cb1c2bb5a5ef2158747180a49fd4b52e6683ba98a15597f1ee10c

SHA512
a1201b32cf21cb4a733163e1ffbf4b4d38b146c3d009f9e650ceba3c25e777d125c57deeb3cc30b43fcd2635a6c2f1b4a8f82f066c3e57b6aad001aa6db3aeb1

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
128KB

MD5
417493f73ac23763b8b47673bae93061

SHA1
db87f8548c436470952ee75a3e65195661b6f461

SHA256
5bd2bd4b3d2554b8bbc4808c9a4ad66dd16ee2f3a80e4e952ff260c2b4f740b2

SHA512
31946a9640a5906f51e560d139c2a86dd633265aa56996e26f08e076f6b0d94c1c73fa30cc34b0b30e5cec995eb23c8d0ca2c55bb614143c646774ad2efdd75b

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
128KB

MD5
2727802cd08a91501fcc1595b4e79d2b

SHA1
b15e1d1a263654bc5dcd2d0b3d5011668d7c5784

SHA256
ba5ce20110b51b8e8572f99748cd33f1f4c7042fccf30c7a2629a401a759fc35

SHA512
b999aefdc19aa87ade9d10f6379e2e8e5c053c28d969c7730f6af560d1de20e1997923a4e9118f8acee17250d03799bb899d839318a273600e2b17664d0de3fe

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
128KB

MD5
1a813a94bca1f7ecbf5ec9cb350a2144

SHA1
a3c7386a14e8908e21995e63859f9cda517e3b4a

SHA256
26bc3e5c1df89d8be8f79aa947a10278d7819dfbc023e8154d67655e6ab4e51d

SHA512
8156a1a2ed3aebb315ba65ccad1df6e02ca50c67562322a7238b6b54d1ab7f65a74f963b93acdc960b1b0069e2116c7c8bab06f9fa9eef3bfe36bfde220209e3

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
128KB

MD5
64f288c481e7f5348d198fffd54a1b7a

SHA1
9702cbf16ef97c7716d323849eaf632dea511ed6

SHA256
e9c36266d76d77946c000522a1760392505e0036cd1359762484dd3522abd19f

SHA512
966a867b0ba58a20420922828935adea3821ac930933eb30893ea34414aee77d2f52b01ccf8de1560dc384c5a27ede9147473d8ab7eeab616e9c87f56dbbc837

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
128KB

MD5
6bd1a6a2bfbbef163df8dda611e85ec1

SHA1
ef6e391b5ffc9ea8c72f9e9363a39dea85814538

SHA256
a4d4aab7b096ec343d67e1a0fb3acbc2be9507e4fa0dca1e8179bc9a2efce04f

SHA512
e17ccbc0bf9407a342dd7909d8914668bf766e8e4956c7e17545c14105be55cac7b446634ccbd0cc4330e19dc05326c908d1529ea14c3d5b4a91013f20b9c776

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
128KB

MD5
66cbaf14b5049c6267a04152c335ebae

SHA1
73822823463fc8dd5dc83200e42ec03b45f157af

SHA256
d2a2fc19d90bbda87da70b933a8d32bff1dcfe5b52aa2fa55bd80de740b8633c

SHA512
43a3c41616a3d49f9894b23348f7033ba2e70d015cdb0b5eee8d3bedef77c258854572f4d7a49de0bc2012b9cda6d2853d6271cd8566f05c4b28a38b29d774f8

Download Submit
memory/216-565-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/216-23-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/448-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/532-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/776-191-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/844-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/852-272-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/916-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1048-240-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1064-514-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1084-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1084-572-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1196-175-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1212-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1272-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1368-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1432-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1456-448-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1512-111-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1568-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1568-579-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1608-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1656-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1712-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1780-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1824-364-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1876-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1908-388-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1912-231-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1920-472-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1952-508-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2060-436-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2128-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2156-583-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2240-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2328-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2388-545-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2444-556-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2512-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2560-544-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2560-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2692-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2748-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2784-490-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-199-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2936-566-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3100-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3168-442-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3216-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3260-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3280-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3296-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3488-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3528-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3532-558-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3532-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3540-551-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3540-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3620-532-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3700-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3736-183-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3752-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3860-559-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3916-76-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3924-484-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3972-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4000-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4000-593-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4008-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4008-586-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4080-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4092-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4172-496-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4192-587-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4240-478-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4292-594-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4304-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4356-529-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4364-573-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4404-520-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4476-466-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4480-394-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4504-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4592-223-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4672-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4788-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4860-460-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4888-454-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4900-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4908-256-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4924-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4940-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4952-538-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4992-433-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5004-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5020-502-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads