bff2ca5b21f41cd97dd01b35f0782707deb8bb97366a1cffda0b35f31ca9c687

Analysis

max time kernel
92s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/08/2024, 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bff2ca5b21f41cd97dd01b35f0782707deb8bb97366a1cffda0b35f31ca9c687.exe
Size

92KB
MD5

f92e2d2929fca1868e2acb6a33fe1f78
SHA1

a159eabd56ff0075836eaaf045e7e5e7e6b41082
SHA256

bff2ca5b21f41cd97dd01b35f0782707deb8bb97366a1cffda0b35f31ca9c687
SHA512

122d9c79c6d9bab6ca17cff0f4c0446f3b892a98170f5e7b8e963890f7162b07cfc63796ee9e10b9eb72cc067ebd10e9072b91dc0c8e9d4fc78d47dc7b2b5911
SSDEEP

1536:o/I0eKOI7zK9TDBB9izkvPxCF8GLqXb1jXq+66DFUABABOVLefE3:CI09kPxCNLc1j6+JB8M3

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibcmom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldleel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llcpoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lenamdem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpeiioac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mipcob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipkhdeq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lingibiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klqcioba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpgldhg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipdqba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bff2ca5b21f41cd97dd01b35f0782707deb8bb97366a1cffda0b35f31ca9c687.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibcmom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpgldhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Likjcbkc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfckahdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcioiood.exe

Executes dropped EXE 64 IoCs

pid	Process
4944	Ipdqba32.exe
2620	Ibcmom32.exe
1400	Jeaikh32.exe
3456	Jmhale32.exe
1816	Jpgmha32.exe
2280	Jbeidl32.exe
3240	Jedeph32.exe
3616	Jioaqfcc.exe
2872	Jlnnmb32.exe
1952	Jpijnqkp.exe
4500	Jbhfjljd.exe
2128	Jianff32.exe
1244	Jplfcpin.exe
2940	Jcgbco32.exe
2952	Jfeopj32.exe
3720	Jehokgge.exe
1616	Jmpgldhg.exe
2896	Jlbgha32.exe
4408	Jcioiood.exe
4568	Jfhlejnh.exe
4580	Jifhaenk.exe
1472	Jlednamo.exe
4532	Jcllonma.exe
4972	Kboljk32.exe
3208	Kiidgeki.exe
1584	Klgqcqkl.exe
1160	Kdnidn32.exe
1016	Kfmepi32.exe
4756	Kepelfam.exe
4376	Kmfmmcbo.exe
2748	Kpeiioac.exe
4304	Kbceejpf.exe
1752	Kebbafoj.exe
4844	Kmijbcpl.exe
4384	Klljnp32.exe
3360	Kdcbom32.exe
2284	Kfankifm.exe
4856	Kipkhdeq.exe
2520	Kpjcdn32.exe
2076	Kbhoqj32.exe
628	Kfckahdj.exe
208	Kibgmdcn.exe
3116	Klqcioba.exe
4952	Kdgljmcd.exe
4512	Lbjlfi32.exe
964	Leihbeib.exe
708	Liddbc32.exe
2060	Lmppcbjd.exe
4268	Llcpoo32.exe
4356	Ldjhpl32.exe
3464	Lfhdlh32.exe
4400	Lekehdgp.exe
4372	Llemdo32.exe
1332	Lpqiemge.exe
424	Ldleel32.exe
4892	Lenamdem.exe
4584	Liimncmf.exe
1512	Llgjjnlj.exe
4028	Ldoaklml.exe
1040	Lbabgh32.exe
2040	Lgmngglp.exe
1448	Likjcbkc.exe
4588	Lljfpnjg.exe
2576	Lpebpm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jpijnqkp.exe	Jlnnmb32.exe
File opened for modification	C:\Windows\SysWOW64\Kmijbcpl.exe	Kebbafoj.exe
File opened for modification	C:\Windows\SysWOW64\Jlednamo.exe	Jifhaenk.exe
File created	C:\Windows\SysWOW64\Fojhkmkj.dll	Llemdo32.exe
File opened for modification	C:\Windows\SysWOW64\Mmpijp32.exe	Meiaib32.exe
File opened for modification	C:\Windows\SysWOW64\Oqhacgdh.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Kmijbcpl.exe	Kebbafoj.exe
File created	C:\Windows\SysWOW64\Aomaga32.dll	Lljfpnjg.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Afomjffg.dll	bff2ca5b21f41cd97dd01b35f0782707deb8bb97366a1cffda0b35f31ca9c687.exe
File created	C:\Windows\SysWOW64\Aoohalad.dll	Kdnidn32.exe
File opened for modification	C:\Windows\SysWOW64\Kbhoqj32.exe	Kpjcdn32.exe
File opened for modification	C:\Windows\SysWOW64\Leihbeib.exe	Lbjlfi32.exe
File created	C:\Windows\SysWOW64\Coffpf32.dll	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Oneklm32.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Kpjcdn32.exe	Kipkhdeq.exe
File created	C:\Windows\SysWOW64\Okokppbk.dll	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Ingapb32.dll	Jlbgha32.exe
File created	C:\Windows\SysWOW64\Gnpllc32.dll	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Jpgmha32.exe	Jmhale32.exe
File opened for modification	C:\Windows\SysWOW64\Lllcen32.exe	Lingibiq.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Jifhaenk.exe	Jfhlejnh.exe
File created	C:\Windows\SysWOW64\Bhoilahe.dll	Jifhaenk.exe
File created	C:\Windows\SysWOW64\Meiaib32.exe	Mgfqmfde.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Lekehdgp.exe	Lfhdlh32.exe
File created	C:\Windows\SysWOW64\Likjcbkc.exe	Lgmngglp.exe
File created	C:\Windows\SysWOW64\Melnob32.exe	Mgimcebb.exe
File created	C:\Windows\SysWOW64\Mmcdaagm.dll	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Kepelfam.exe	Kfmepi32.exe
File created	C:\Windows\SysWOW64\Edgbbfnk.dll	Kbhoqj32.exe
File created	C:\Windows\SysWOW64\Jphopllo.dll	Ldoaklml.exe
File opened for modification	C:\Windows\SysWOW64\Mipcob32.exe	Medgncoe.exe
File created	C:\Windows\SysWOW64\Mmpijp32.exe	Meiaib32.exe
File created	C:\Windows\SysWOW64\Jfeopj32.exe	Jcgbco32.exe
File created	C:\Windows\SysWOW64\Kipkhdeq.exe	Kfankifm.exe
File created	C:\Windows\SysWOW64\Lbabgh32.exe	Ldoaklml.exe
File opened for modification	C:\Windows\SysWOW64\Ncianepl.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Lingibiq.exe	Lebkhc32.exe
File created	C:\Windows\SysWOW64\Mbfkbhpa.exe	Lllcen32.exe
File opened for modification	C:\Windows\SysWOW64\Mbfkbhpa.exe	Lllcen32.exe
File created	C:\Windows\SysWOW64\Ckijjqka.dll	Mbfkbhpa.exe
File created	C:\Windows\SysWOW64\Blleba32.dll	Mlopkm32.exe
File created	C:\Windows\SysWOW64\Mmbfpp32.exe	Melnob32.exe
File opened for modification	C:\Windows\SysWOW64\Nlaegk32.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Fjegoh32.dll	Nlaegk32.exe
File opened for modification	C:\Windows\SysWOW64\Ibcmom32.exe	Ipdqba32.exe
File created	C:\Windows\SysWOW64\Jianff32.exe	Jbhfjljd.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6764	6588	WerFault.exe	291

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipdqba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpeiioac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgfqmfde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jianff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdcbom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfeopj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbhfjljd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcifmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekehdgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcioiood.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiidgeki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klqcioba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlednamo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmngglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kboljk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedeph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbeidl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jioaqfcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenamdem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liddbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liimncmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaekf32.dll"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldjhpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njciko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfckahdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jioaqfcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liimncmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knkkfojb.dll"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiopcppf.dll"	Jbeidl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jplfcpin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpnnd32.dll"	Kbceejpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klljnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldoaklml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jeaikh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Meiaib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejckel32.dll"	Jlnnmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Memcpg32.dll"	Jmpgldhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibgmdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llemdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbhfjljd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jianff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmppcbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogibpb32.dll"	Likjcbkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfmbha32.dll"	Ibcmom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjkmdp32.dll"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclhkbae.dll"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbeidl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Medgncoe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3876 wrote to memory of 4944	3876	bff2ca5b21f41cd97dd01b35f0782707deb8bb97366a1cffda0b35f31ca9c687.exe	83
PID 3876 wrote to memory of 4944	3876	bff2ca5b21f41cd97dd01b35f0782707deb8bb97366a1cffda0b35f31ca9c687.exe	83
PID 3876 wrote to memory of 4944	3876	bff2ca5b21f41cd97dd01b35f0782707deb8bb97366a1cffda0b35f31ca9c687.exe	83
PID 4944 wrote to memory of 2620	4944	Ipdqba32.exe	84
PID 4944 wrote to memory of 2620	4944	Ipdqba32.exe	84
PID 4944 wrote to memory of 2620	4944	Ipdqba32.exe	84
PID 2620 wrote to memory of 1400	2620	Ibcmom32.exe	85
PID 2620 wrote to memory of 1400	2620	Ibcmom32.exe	85
PID 2620 wrote to memory of 1400	2620	Ibcmom32.exe	85
PID 1400 wrote to memory of 3456	1400	Jeaikh32.exe	87
PID 1400 wrote to memory of 3456	1400	Jeaikh32.exe	87
PID 1400 wrote to memory of 3456	1400	Jeaikh32.exe	87
PID 3456 wrote to memory of 1816	3456	Jmhale32.exe	88
PID 3456 wrote to memory of 1816	3456	Jmhale32.exe	88
PID 3456 wrote to memory of 1816	3456	Jmhale32.exe	88
PID 1816 wrote to memory of 2280	1816	Jpgmha32.exe	89
PID 1816 wrote to memory of 2280	1816	Jpgmha32.exe	89
PID 1816 wrote to memory of 2280	1816	Jpgmha32.exe	89
PID 2280 wrote to memory of 3240	2280	Jbeidl32.exe	90
PID 2280 wrote to memory of 3240	2280	Jbeidl32.exe	90
PID 2280 wrote to memory of 3240	2280	Jbeidl32.exe	90
PID 3240 wrote to memory of 3616	3240	Jedeph32.exe	91
PID 3240 wrote to memory of 3616	3240	Jedeph32.exe	91
PID 3240 wrote to memory of 3616	3240	Jedeph32.exe	91
PID 3616 wrote to memory of 2872	3616	Jioaqfcc.exe	92
PID 3616 wrote to memory of 2872	3616	Jioaqfcc.exe	92
PID 3616 wrote to memory of 2872	3616	Jioaqfcc.exe	92
PID 2872 wrote to memory of 1952	2872	Jlnnmb32.exe	93
PID 2872 wrote to memory of 1952	2872	Jlnnmb32.exe	93
PID 2872 wrote to memory of 1952	2872	Jlnnmb32.exe	93
PID 1952 wrote to memory of 4500	1952	Jpijnqkp.exe	94
PID 1952 wrote to memory of 4500	1952	Jpijnqkp.exe	94
PID 1952 wrote to memory of 4500	1952	Jpijnqkp.exe	94
PID 4500 wrote to memory of 2128	4500	Jbhfjljd.exe	95
PID 4500 wrote to memory of 2128	4500	Jbhfjljd.exe	95
PID 4500 wrote to memory of 2128	4500	Jbhfjljd.exe	95
PID 2128 wrote to memory of 1244	2128	Jianff32.exe	96
PID 2128 wrote to memory of 1244	2128	Jianff32.exe	96
PID 2128 wrote to memory of 1244	2128	Jianff32.exe	96
PID 1244 wrote to memory of 2940	1244	Jplfcpin.exe	97
PID 1244 wrote to memory of 2940	1244	Jplfcpin.exe	97
PID 1244 wrote to memory of 2940	1244	Jplfcpin.exe	97
PID 2940 wrote to memory of 2952	2940	Jcgbco32.exe	98
PID 2940 wrote to memory of 2952	2940	Jcgbco32.exe	98
PID 2940 wrote to memory of 2952	2940	Jcgbco32.exe	98
PID 2952 wrote to memory of 3720	2952	Jfeopj32.exe	99
PID 2952 wrote to memory of 3720	2952	Jfeopj32.exe	99
PID 2952 wrote to memory of 3720	2952	Jfeopj32.exe	99
PID 3720 wrote to memory of 1616	3720	Jehokgge.exe	100
PID 3720 wrote to memory of 1616	3720	Jehokgge.exe	100
PID 3720 wrote to memory of 1616	3720	Jehokgge.exe	100
PID 1616 wrote to memory of 2896	1616	Jmpgldhg.exe	101
PID 1616 wrote to memory of 2896	1616	Jmpgldhg.exe	101
PID 1616 wrote to memory of 2896	1616	Jmpgldhg.exe	101
PID 2896 wrote to memory of 4408	2896	Jlbgha32.exe	102
PID 2896 wrote to memory of 4408	2896	Jlbgha32.exe	102
PID 2896 wrote to memory of 4408	2896	Jlbgha32.exe	102
PID 4408 wrote to memory of 4568	4408	Jcioiood.exe	103
PID 4408 wrote to memory of 4568	4408	Jcioiood.exe	103
PID 4408 wrote to memory of 4568	4408	Jcioiood.exe	103
PID 4568 wrote to memory of 4580	4568	Jfhlejnh.exe	104
PID 4568 wrote to memory of 4580	4568	Jfhlejnh.exe	104
PID 4568 wrote to memory of 4580	4568	Jfhlejnh.exe	104
PID 4580 wrote to memory of 1472	4580	Jifhaenk.exe	105

C:\Users\Admin\AppData\Local\Temp\bff2ca5b21f41cd97dd01b35f0782707deb8bb97366a1cffda0b35f31ca9c687.exe
"C:\Users\Admin\AppData\Local\Temp\bff2ca5b21f41cd97dd01b35f0782707deb8bb97366a1cffda0b35f31ca9c687.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Windows\SysWOW64\Ipdqba32.exe
  C:\Windows\system32\Ipdqba32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Windows\SysWOW64\Ibcmom32.exe
    C:\Windows\system32\Ibcmom32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\SysWOW64\Jeaikh32.exe
      C:\Windows\system32\Jeaikh32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1400
    - - C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3456
      - C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        24⤵
        Executes dropped EXE
        
        PID:4532
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3208
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        27⤵
        Executes dropped EXE
        
        PID:1584
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1160
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1016
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        30⤵
        Executes dropped EXE
        
        PID:4756
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1752
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2284
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4856
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2076
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3116
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        45⤵
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4512
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        47⤵
        Executes dropped EXE
        
        PID:964
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4268
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3464
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:424
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1512
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        61⤵
        Executes dropped EXE
        
        PID:1040
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        65⤵
        Executes dropped EXE
        
        PID:2576
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4432
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        69⤵
        Drops file in System32 directory
        
        PID:3152
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        70⤵
        Drops file in System32 directory
        
        PID:4932
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        73⤵
        Drops file in System32 directory
        
        PID:5004
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        74⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        75⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        76⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        78⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:764
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4068
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        82⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        84⤵
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        85⤵
        Drops file in System32 directory
        
        PID:4748
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        87⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3428
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        91⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        93⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        94⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        95⤵
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        96⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4320
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4252
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        100⤵
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1620
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:5144
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5188
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5232
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5276
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        111⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        113⤵
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        114⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        115⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        117⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5712
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        118⤵
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        119⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5800
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        120⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5972
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        124⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:6096
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6136
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        128⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        130⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:5372
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        132⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        133⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:5568
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5636
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        138⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5904
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        140⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        141⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6024
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        142⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        143⤵
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:5264
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        145⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:5596
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        147⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        149⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:6032
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        151⤵
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        153⤵
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:5548
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5764
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        156⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        158⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        159⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        160⤵
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        162⤵
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5840
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:5580
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        165⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:5776
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        167⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6324
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6364
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:6408
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        171⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6452
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        172⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        173⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        174⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6616
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6664
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6704
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6740
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        179⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        180⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6884
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        182⤵
        Modifies registry class
        
        PID:6928
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:6968
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        184⤵
        Modifies registry class
        
        PID:7008
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7052
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        186⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7084
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7128
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        188⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6172
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        190⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:6308
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6268
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        193⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        194⤵
        Modifies registry class
        
        PID:6464
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        195⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        196⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        197⤵
        Drops file in System32 directory
        
        PID:6672
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        198⤵
        Modifies registry class
        
        PID:6724
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6804
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6880
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        201⤵
        Modifies registry class
        
        PID:6964
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7016
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        203⤵
        System Location Discovery: System Language Discovery
        
        PID:7080
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        204⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        205⤵
        Modifies registry class
        
        PID:6184
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        206⤵
        System Location Discovery: System Language Discovery
        
        PID:6316
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        207⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6388
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6420
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        209⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6588 -s 396
        210⤵
        Program crash
        
        PID:6764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6588 -ip 6588
1⤵
PID:6716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amddjegd.exe

Filesize
92KB

MD5
db84590c1ba35991eff99d42ad6ebab2

SHA1
2d0d363ae841889a0dc5f0cad4a52fb520ac128e

SHA256
337fe444442512588a4c6fbac8ae1905d165ffc33706dedd14bb2c3a8e377133

SHA512
9a271419173aa476c4d66d88b21f6967e80acc67a88f9a16bc3c0e548fd03e3fcc9444dbd714aacf4c0cad8a29950bf5f5da7dcb23c896101096bdebc5bc34e1

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
92KB

MD5
64220d11b689507ce216d31710081c40

SHA1
d2e4290f72cc4a5d7ab0af0a1c5b517e341c36a0

SHA256
674868b571e073531c0c1c835addc98072beb62cf28c28155df476021e8b00fd

SHA512
930329c1226514f248fc2ec8371cf7520e6a45ee7a4a85e0f4355e50d49f8db12ced0cfe3b066453544e14a6ec4e7908577d0d45999fe656dab3cc13d81ecf1b

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
92KB

MD5
8de527538c84eac163590b23b8cc33f2

SHA1
9c28a314d2d375aa7859e8f164d771d9b07db30e

SHA256
f57b4ea815bc2a40bc0d33c40bb87790b2153905c33513e0a5f85049846c620f

SHA512
06b0b33da75b7312cfc40eb6b01db849535a5591704df16063844de47b55fb030309a5a4f71248f1573eb83de02d5f39068af7cfe0d4bc5f7e555e7a69a35cd8

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
92KB

MD5
3da677ee4c2d23420f13ce741b10e410

SHA1
8ba0d20c87ab0965e595486d00140aa046daadfb

SHA256
d44758a80737ee483e74ed715d24c9939ddb573c09fd3119e9306586f487f62e

SHA512
57f645e47f594002b7a9bec9c0c98814ca44b72cff972c3b4c9249e5b7c2ddd452b175539825075666e2f4b6b8e99b87ae42c022a84f541840a5af225147a7e9

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
92KB

MD5
ca0b319ef8f2f6f40cf3986650466e24

SHA1
8ffb0c3f0bcd90c039506bff71d1595e9828fe55

SHA256
b6046a4c22bbc676d54e3b17df6338d63831b7a6e41408b5581bbf7c08baa7a0

SHA512
6a57079a50a9ac2a89cc0a3a0710f9ab833d93e7d5675eb62d332823a1a779fa1c2c89121aca0f2c3eae2c58cb7c36373280ce898c64baafdc2467b6107e8b88

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
92KB

MD5
0b9edf5eb8077649f4a56b6c58cecf31

SHA1
6d5f0c647580c37d937c065ac9cd92108dca905e

SHA256
37d193bbe8f0f2fbc6348fd94e1b2a8b3873b1d236518083410251c7f89b4f99

SHA512
6dfc1c6337dbf8a57bcf6a4a9981aeb30cd7087923adc16996b9fd7ab22bc5c48018381cb0399d0c5f881b796319616cd4ee6478dbd2b8a96cb5244b7341875a

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
92KB

MD5
f857452e671575c262fa75f946d53c82

SHA1
dca7eec8e025db07b2492f3db9f87a8b744dc77a

SHA256
0b6b9b4c81d3f7949d05d2fb55f7810efb6a3b182681ed8819a47a5f8d229bf6

SHA512
5b10ee3e3a992b5be7f52fb2dffcca8865d5cc6ab76c586ccceb63bb9cb9111466ee62baecdf44815cd15935e011bad1ff79c1b431529839cdea7731558069e4

Download Submit
C:\Windows\SysWOW64\Ibcmom32.exe

Filesize
92KB

MD5
50436c2b3b6dadf3696db00ed4b84fb0

SHA1
88949a0cf5b1b9e76453e9eca96b973ff59759da

SHA256
fa3b9fe85c209123fe5b9046bbbc2ac4b237b40f1e2d7289f38afd3fc1aa273a

SHA512
2c04bf6c6c7297d1bf4006e155c40d18aef463d650d2ce48a3e472293004df56872145c1d7e5f17313277db7550ffd04b28c3e8175198385318f505701af0f87

Download Submit
C:\Windows\SysWOW64\Ipdqba32.exe

Filesize
92KB

MD5
f1a8bce6c06d450b8e7099a6c942accf

SHA1
090fc27b35fcdf1f376fc41382cf9f974a897225

SHA256
71f51550b5745cf4bbe89e4c7c9a28829c83d2e0ff3717b7bfff4aba38195756

SHA512
043e0bd0928b3f6fc0320c65f77747b9428b562a862cf030aec5f32732190fce888ce2a0a9144f5aca34f08a21188ea8fb42c43d44f90f20f5ecc749e0128cfb

Download Submit
C:\Windows\SysWOW64\Jbeidl32.exe

Filesize
92KB

MD5
d88d773f5f1bc48687490840e9914429

SHA1
b2fa46fa50d01a36e1d9233e051be227e3b7add0

SHA256
0133ecb9970375e43557f85b8b768c928b4d9435e31f3595854c93d0ac677d94

SHA512
93c2afa40d6449d64c700e956e7eb1547a3b3f24d7058491a3f4913b017810a51230536d4802f955ddd60d73d1cb65f6d45a92d88ecfae981aa7cfa276ae2b8a

Download Submit
C:\Windows\SysWOW64\Jbhfjljd.exe

Filesize
92KB

MD5
49c690c52c9e67d7c0daba851aee30ef

SHA1
5a81f4b6bf886d163d927d75971935e2332e9c92

SHA256
65044eacbd9bd623526d73994c5845e07513d29c0db01a40c7c6b3cfc1d9beee

SHA512
4328f574edb2eec08fc2ac2c87c5ff37ce903e3739c7d4f9f5f63abcb9f0b4dd1688eb826a97e8b5656c5ced87dd552cc75395b4725dc40541801118f8bf9f4b

Download Submit
C:\Windows\SysWOW64\Jcgbco32.exe

Filesize
92KB

MD5
3f3b3fa83907657e9a160465e89e78df

SHA1
6d644fab59931ea620da818dc27cdbf15c58d06a

SHA256
cb44c0aa74a96f774008d964902714f56d2f503e14a7ef04ac189403e6173e81

SHA512
83b95fe707e2298008679cbfd7e26d9a589cd4693a22287be7f7933eb418f791bd2157632fc281ba8dcd8a825e3e49f874fe995a4dfc0de378a885aaf4f08b2a

Download Submit
C:\Windows\SysWOW64\Jcioiood.exe

Filesize
92KB

MD5
88e26737994cadc6f61cde61261425f3

SHA1
478ab3e81f1cbd30abd72a411af5dbe7b96c9bc7

SHA256
d9f2b4acd6c4cea0739eadb8b6a0c34a5d93e4e17f3fb00f054d2fa29e1ce502

SHA512
e5097d8ee76426191a3b578db8642d9b0f23ebf7f33b2ced695538db73baeea1d4048900036a95eca125e46054adb7c1fd816db83974d7b7c72ff8297889d775

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
92KB

MD5
b161065a2b32634b03731e466ea6540e

SHA1
05c0136a453e9613fe1ab79ac8844f23ea3b1f7f

SHA256
94886f7221341ce82ab7a090802bb339f2fbb6711130829dccd0a1b6007ece0e

SHA512
04bb7a6d9c5bb263d251824312fd6ade7330de9e8900fa5f9cfa56a56d2c4907cf2cd874b39c0a95bf0d3be5270a8d286655e3a840cc096d7ea5e16e1fb22777

Download Submit
C:\Windows\SysWOW64\Jeaikh32.exe

Filesize
92KB

MD5
361f62ba01cf39703784212486afe8af

SHA1
ec1b85f32be94b523e1631566f19ffe78117f733

SHA256
98126baceb00f0a8b06dc6818a426251e881ee898571ca2fe48bb83ec781f17b

SHA512
26c3b90a0c5547c290e47e4004a8bcff18aa6a3e84470f9c033a27ffb70acacc28989762c1137da3e52b1e037472735a740938c5cfe3877f8c55c004450ed2fc

Download Submit
C:\Windows\SysWOW64\Jedeph32.exe

Filesize
92KB

MD5
f7eb9397eeced2e87c44db7ea18f4448

SHA1
8d157c3a414414a2ca374ab58dd2b59a916b2dcc

SHA256
b0ee08049c88f364b06df1dbd2d0020aee0ae49d8f1944de5dbc82b2b2ec0001

SHA512
5e181c587b56d3e6528af06eac3c80e050fb44c63a526a65ac95dae30f4ad14f2e5bf0e48fcf366293aa4a7b49250aa27e738e6b3d83279179f73c6c71560c55

Download Submit
C:\Windows\SysWOW64\Jehokgge.exe

Filesize
92KB

MD5
580a6ee40c4d42c233e75e1b8b030df2

SHA1
5063cf95ddcb957e953bfee6ad7cb8ff6cfbadc1

SHA256
79f01a4544eda5c9a026d4674024479d665922d4997db6533cde12e0e9b97b9a

SHA512
d49ab55e030d747201c82ecef4f40bc87e69af7e1fc4a722b8439d083e019ca31ca6aa13c7ec0be5202d124452fda6f73db12f97bb2b3410edf54a767219094d

Download Submit
C:\Windows\SysWOW64\Jfeopj32.exe

Filesize
92KB

MD5
2454c7cbb2f969b8d073f92d6915ab33

SHA1
544f9c37bd6ab0daed4f41797695ed41675064fb

SHA256
f9ae8ee219f0ab87137c4eed06eb234e52d9511c978b2042a632b3373d1fe2d6

SHA512
ffbde272d7b597b19223ff8d2471bb3f15bf014e7b19db09aa553ae7f6592cc7b3c9f334ec045a3f106cf8883032e4eeab4fde754f632d16ebdb0bce52ba0134

Download Submit
C:\Windows\SysWOW64\Jfhlejnh.exe

Filesize
92KB

MD5
d40876923d6c36e828425a03074a0895

SHA1
ac1638db435b8c8ffb3c6eca938f6845538e8b44

SHA256
dbe17c9fc0140504715034673469a9f24b53ff52080f1484e31eff47f4fda040

SHA512
f3148a47dfae3b3898889524b39e64e7fdbeeca7cb640a8777ee3c0cb12f07106f52f745336e989b3c9c03f6701fefa569e735a71b2cf213e5e3c0e30ebce4ae

Download Submit
C:\Windows\SysWOW64\Jianff32.exe

Filesize
92KB

MD5
7baf4577480d2f29c2629f6970c86d49

SHA1
0a4502a4b2eeb14ace36098213fb3f99cf6bef53

SHA256
a8189de2bb43dce279541e0186eb03ce3f1cdda93ae23724d54688378f2f1051

SHA512
0223542ed40624f56b6eb20f0384349d06175c932d199c3303848ebe2f25314a9346e10a4280fc5264deaa461bee4c9bcefbe3d40a7b1ce2eca702fa8e0fa3c8

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
92KB

MD5
2c534c58c761fbf00b6c832662ee390f

SHA1
c04bd9d05ae38ee8f7cd9542de38573808ff8744

SHA256
d7c2790e62973e4ccf03e3161da11ce655ae549a09a6f44562e6f9c5627562e6

SHA512
9354411fbfb813f3cf3ffb38410aea9eeec4c16083d33dbac8468af6285d3c9965008988f354fbacdf68117443142f46149b081b354068c682f50199b36d97cb

Download Submit
C:\Windows\SysWOW64\Jioaqfcc.exe

Filesize
92KB

MD5
a5f5619f74cd5368eea862d1d0fbb947

SHA1
8f88c27509a5994ebf14a46b1793f2d518c02581

SHA256
57c6fa908b965f459d5b041d9767f894e7520bc8d317039a7b12ba3c5420ccb2

SHA512
977d6e06eddd5b0ad04d8be4b0be626e1f74be01c26f909f0cbcc2fbfc63e2592190b3f7676df25fe2feb36d01cae9975ee4da3a8d5a742f39d23a6f380d3f59

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
92KB

MD5
738d66f303c81a7ab8a9b7c54bc4dab6

SHA1
186066a0f7a79882ea2978fd75386d6c06b70c8e

SHA256
207e75aaf5110240dc6e79224bc793e96fe5b40bcf4620981e898dd27b5149d8

SHA512
ad27c91f486656148acb6ce395d0606decae97fedc4a48890ac79b9f919095af52e2834ff79f2c039d6302eedff40b4e18dd340f652790ff0292d4d6535bb3bf

Download Submit
C:\Windows\SysWOW64\Jlednamo.exe

Filesize
92KB

MD5
e695183db37ccebe7045fc42d1c57f38

SHA1
8552c6ee51f7364d01d393de378879a5d08349d8

SHA256
2964a7c93d064d1e12465262aa90eac0acc868b5f96ee9cb3bc73e7677bda3dc

SHA512
fa7fae096c48b0fd18ff8084a9d97a84ba1c2bc0058a6f0ecfbb4fa8c78149483e59d16231c62c6f2242ba59d3f84672b5f23e995662a9a505f9921c4acdceb3

Download Submit
C:\Windows\SysWOW64\Jlnnmb32.exe

Filesize
92KB

MD5
1353b40450040a5d93694aca0e59d750

SHA1
824e91af0103096cdc2b98c80b9fa9e14532d0fc

SHA256
308b2eaa733b8ee8bdef0b53ad86e1f3ea2955762a7b950f1e2c6dcf30213562

SHA512
6072ed3588e1d5eeff3ac01e13f07bc3903c2d6dc68b6d47c509decf426a386334393b3efd07aef3cc43f3c5d17fb451a92d3286404e311523dcf90410a5709e

Download Submit
C:\Windows\SysWOW64\Jmhale32.exe

Filesize
92KB

MD5
430707c928abfcba178e9c48547d017c

SHA1
c20b74939fa1af9e9e333bc58e23cac966453714

SHA256
f481a8e9ba17d4d660ae5173c941673128a455c51a4715c2c79ef6c1b88a1ba1

SHA512
08b977cb4bddbe91ef0bb8ceb838c3c2e07dd33b1cf43db1ca11706c49315548636e3992bdde419373e9d8d55f30946677b33332179a03475ea8ff9d0f707230

Download Submit
C:\Windows\SysWOW64\Jmpgldhg.exe

Filesize
92KB

MD5
27f15f8227781624c4f468aec4c7ae7b

SHA1
608fb39cbcf2d09fb1382aa45c804918e8e34d0b

SHA256
a3d0d3d8f168b5148049b4eedbd37549f50d8a30b6df02225ae878c5a56266d4

SHA512
50359400af79fff72209cdcc47a2802e0b89929386b76ce5919ae1ff7bf9ca9ada8e332cd1b9e5e4e5e44da89d8baca1aff0831121e1800d78c6862975c4f945

Download Submit
C:\Windows\SysWOW64\Jpgmha32.exe

Filesize
92KB

MD5
2e01aa81e1b0a92f5fda6a483c8c39b5

SHA1
ce71ead475dfc54faf894599a9100f74c919eb3b

SHA256
84a48a3580d09313b5d376f941dff08197453d9c77240424b2faeca03a100b0d

SHA512
a9977ceafe722e9954b693ed0dc2f07d437c0f6994c43e4e704e75d3877dcccdae7d0b132375822b8c45d632f8902cf908f4de97222df6dd3949920c8adc6bbb

Download Submit
C:\Windows\SysWOW64\Jpijnqkp.exe

Filesize
92KB

MD5
fcaa50afc112f62f5e28336c85e0a35d

SHA1
48891657a9f17d04ff4e72b6d4de472d226968fd

SHA256
8f7dd56788f294400ebbd7c217fe4a47ef814f009f570ed9f88028d0ae6b8935

SHA512
6e240a151fe6b4fa4844c34a227e9d3a4eb446df22fc7a48bbbc6da7f4f15d9dc245af89b450cab594b7b915465e151fb7fb1555a812dc1248ca3d933d0c4d59

Download Submit
C:\Windows\SysWOW64\Jplfcpin.exe

Filesize
92KB

MD5
ab2a4984ac30d3e7f91f24858c7ed822

SHA1
ccfcbf544c65174a42210e8337d899c88bf4bef6

SHA256
a74042e47e69b94187a91d96c1647b0f501c8a6c2c62fdd9a2a6d29e5d7ea676

SHA512
a1289d3a51c6960878983b673fb42edf7abe6ed4cbce128c2b536c53676fe5bf7a406f71ed047cbc1828505c2628a4026eb8357bbfd1e6d073d03b6d426f54db

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
92KB

MD5
4920625735eaa499ffae24670c1b8690

SHA1
7cadff865391b4871a47912f26643e30c76ede13

SHA256
40f3bee6f4380885b63d7974debfc9088175ec5ca57d0cf5bc6505ab08ac9bd6

SHA512
296723772e8a724570b731a980f4963c3e23fa93462ee76329550ba7ca71ff02ebe82def0ab5f4c83c5848414d441f099a9d8a73b2b619ee0c5eccffe881b5de

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
92KB

MD5
788d4717ace5e5836c1c6832f1550278

SHA1
a26d589ceb690538931b50bfa73491e7154ab75f

SHA256
e6991b0ef9ee0ca03530ad2347dbdacfac0ec25ea63f091cce6915c76f62c2ed

SHA512
b93b2d8709fba9a947e3e8505e46ad7fda019ed9e9ba472565160b77a6376123c1de83dd02bba19fcec51d949d9895bd7e83c2968ef2c4bf992d9e405e9f5841

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
92KB

MD5
a7afdb4c7dc4da497198bf99f11832fd

SHA1
a74c91586f06a1d00d14b308150134fded4d3a29

SHA256
2052b386a592c5a499a9c7c92cc5810fa1a84a438457e66e88686935f7f8d13e

SHA512
49a8d7001eca2f9e7d9a4da48f5841f6a44ff172fca2db3728a4ca5a90f880e039ab49ddec98b050236eccb3c4ddb37195c04bfa3ccca270d6675a75828be78e

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
92KB

MD5
1179432541c90c423c632b678594b8cc

SHA1
ed88e54b60b1db420711f538b2fa306d350612e3

SHA256
05b38390aca67097ec11208ad2b5d3c9965b512152c8b67e8b3a1759b1573b18

SHA512
0d6772562602d40ebcaef7fc2f27e933995d6238d3f44de1291d23698fecab4b58229f398cbd0b19375d5fbc6a4a92ee788b7e58d9c21b4a9a7fd84ab9322b20

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
92KB

MD5
6992de1c69e4006811c0929d1475fe5a

SHA1
bd8cb9d2816b7d6630c94939c1d42e112a3c0342

SHA256
ce429e764a82fac89f5bfdf3639bc08cf312418d0af899cef30989ca1e3ee5fd

SHA512
a93ccfa2bae1d014fec30df72246064c54a172a807987259e5f96c084a6e82a80f1c5942cf1118a9df1afbc519bb0db9795d4247578c2fca49890037378c8748

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
92KB

MD5
b555bf192a1b1cb309a6377177685481

SHA1
afd485bc517c8df01ef033f77ee03209ffd3514d

SHA256
80fc5b9b4fb8f478cada254de16396eab6c14373a8a81b4e909a168ecaf8d9ef

SHA512
de3ef3b0c1097f507fa8b1ac5843b2474a73adcf0d4f865b256b2b04c1d8a0e544a865383c368cb082e21ca6712ba64be6b6dcb4c5695ab7af33024432afcdec

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
92KB

MD5
697232504865cf1fa41af78d358943f9

SHA1
beb25124688d61e1f85a9d185d6a3b286b9b9988

SHA256
d8d6ba84353847254531429ee394f520e4742628ea7cd8c5fba0764cf9716ded

SHA512
26b64b624a0762b5cb92a738f80fa1e66bde6326f1da8278a33e3f49693abbc706ed699e55588c8fe610a1b756c2753312eba07eb12af26770822ca911e8b148

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
92KB

MD5
b5fefa7dbdb6e302c89fc05314f74dbf

SHA1
8fd835fe5a1c7d952ecb2ad6aadc2be92b1dcbf2

SHA256
37a2385cf9998eec8a14efab7182fa5c0d658f12cf0e7d739b66ee28f72a350d

SHA512
b25ec2158e257fc4a82cf9f42f7570da371f815da50e0ced318af1c62428bbe1131f3a72aa3917a01345d92d6d438cf06181c2175ae0c4d7569df8beab7247ff

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
92KB

MD5
8ba0707b77907b1bd4c287081656389c

SHA1
595842ce7e4b94e240f0fcc15b22871bcd30efe6

SHA256
34a5d362270e7797fde33409e21809107565b59448e5fdb2c3e175eb14fbdbf2

SHA512
ec7a5e50307864ea28994a63d90cfdd9929bb5c85f263115b2c6590ccd6a5088516190ce8b441151d10958aacbca7a8c2b4032dce2e3583c5320a94ae96b0f5f

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
92KB

MD5
6b29a3fbfb2b99feb74dc673ab81e29e

SHA1
632aecd5409083d681548772a8ee5b60dbf1aa61

SHA256
1c1aa3df1694f32ca45b37fe879f12d4f8627f9ae31ca8396d336d32dbf11017

SHA512
a586cd6e67dbe84002647ae5fa3771822e0d5bbb7191036f7c8234ce88ea5e0882479e926f8de7263894c9119defabbb11e223dd3d8de9042f0324e4c52c921c

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
92KB

MD5
30b8c2b3295c6136c2dff8dc81325145

SHA1
f196f84b2cfc66b9b349fbecc83cb13f114d8bf1

SHA256
1784f787c36ea0711353c1af4661749fffc007ec5eb42e156dfed2ef15125df8

SHA512
8f3933e61e3f8a084bfd96bb9ca00034b1c24757840c14978c0ad5fb053fdf9dd14b8e3bc86452e7fe484adcb058211ebe65abe9e8e5d769e610a80eae6af48d

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
92KB

MD5
c56fbd876e14d02adf006497d8030a6d

SHA1
5d7f03e2f852c0e9c780ddb79f29a1653366a4b2

SHA256
72d1f53469633a011861a99bd3a94af2bfe15ee1ec112b4ef5e258d0f95d0622

SHA512
2de46b7f122bce5d1f286d061f58f65c31ede16f79ae0d5945d8525362835494255282f55fc72def55140a6a46015325f4640fd703ced3afe5d76ea25ed0647a

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
92KB

MD5
9dc50dfc3da9a8c73c5b5c36555da177

SHA1
e015860eb44023ed1c1b19e5936741a58bfb0842

SHA256
6ee872e282619fcbc15b76b66490ea15b103967f2bad6fd9e0d132670a2f0705

SHA512
35cb694ce998b2243dd11175968c7bf63b1372723df545d17800b28c200fda0e5120b4de1470f57f83d5d19bab98fd86d7532449cd7cddd94a114d129f1c5be7

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
92KB

MD5
f8f36c171b35ef2143761167a81ca9ab

SHA1
e8654b40633cc3ac5ef7b570792c77b71135a4a8

SHA256
cdcfbede8e511a370b3e236877dfe73894a7ceb61e37a0b00afb10099bd1b989

SHA512
56dee418e54c29ab77864cbbdd83a0b3cc8a636a307cfe8ff137b7b5d671f8c60bdf25cfeee0efc09a7f22317dc3bd5208e49ccbc917287ccce9281563753e05

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
92KB

MD5
6029d679ff47acd865e97c0126391643

SHA1
116ce48719d48be641384af485084227c4c87604

SHA256
cc7aac0834feb43386929c6bbae6aaf64ee871ee9bbd711b4757e2dcfd9ab87d

SHA512
0bba347fbf87ffbd5a26f9caf968da1de59a34211dcb2447f08d9c61a5fbca216d8585e99a238f9c655fc08ac821599e8e84823af78c89c5bc41f411591d2158

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
92KB

MD5
17e7d3fc5dfedcdcc15384671edd9739

SHA1
661dab390eebbcbb8de9a97aa811391614e75a5e

SHA256
427357e90f7f5ff94733c71ed1f69a74371f1be1ecbb192e6f630c32722eb1d9

SHA512
400e300923aa98da365ed56d3483eb51bfe551bea1ba6f987e94fbeb004bf99fcbc459c6f179370ba5ff7803acc47986383a384335eede6c8425e1de7e51d7d1

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
92KB

MD5
ec7cc691ca440d9a7d69c25cb0fab62f

SHA1
ad23cef52a24d4b2266fe3b5a006c713cc69f68f

SHA256
56cdfe7a73deec242c00fcd9d8e8d183939b592f4620bd7e9db9d6cda224e6b9

SHA512
06c55097ed2270d1f36302e47978849c5de476969acdfef37c500c8231c2619c7e403b4aa679b6fc63e2703fcce356436b916bb36d0151204f31e2f659e02d01

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
92KB

MD5
9c03b84f4323b8b15247f468ae9b6ff0

SHA1
7ce74462a9a9cb549b366ab004fbda0a5b7bf114

SHA256
c4e5a80ef94019ea4361392fc1debac98ce9b5effe4f7cf812d25f88ba95b6bc

SHA512
6f670aa32beec1933ec9f86aa3b31ed8c1296c9dd9bcd93aa42fff7e65f40e81b393bab7aea4853a0b91d750bd3511ecfad53314a850a92f456b61e956efb6bb

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
92KB

MD5
f145204370dc4044b913b70b1e6d0a01

SHA1
1c1dee675f8cc64f3024e260f85958e042fd0bc0

SHA256
7074886d38d390c9f2624ff775c02b45b4d78d3b0f3b4a1f02c2c99b6c75029c

SHA512
e381bfddc8923163999a56c0a323a7d431592b17fed660a6fd3acba5089e38c3a0d2a794e041438219c26bdb000fc470d2518a4adeb555dbda7c5928b337e027

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
92KB

MD5
f5c1c41bad92af5f1c947c5f583cbc7c

SHA1
24411c37eb3beeffb55c848e6a01e805fa0dc456

SHA256
5de608faf7fdfa1d5d7782fb1ea5e40bc8154e87c511b8ea1ea36d2769ad934d

SHA512
a0527eeac285f9e1ce76b87a751d25e382449331e68fe618379be7758b6a3df1b69aa5e10ff04e81845fd58651c878239eb9d7779b2a06d1d823bcdc8be1174b

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
92KB

MD5
bf468590d61d378c294932d3e9f8bd71

SHA1
e52ab2386eecab5019be3862fa89d8ed2cd14274

SHA256
8ab0dea4c184299c2384821636e30362c63f62158817ed389dccaef511ff00e0

SHA512
3b74b209dfa3fff69b6c94d938cd252bd57a8c5b8a84208e0ec6dd643a05cd90ae1b9369dcd1f58bd7e9f4ae7326cb9ce5acb83057f00c211fd743a16812693f

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
92KB

MD5
48dd31ee52f3f2f1f6fdbad63d50ccf5

SHA1
b8f3a981f68051b6b85e6283f22c49d79d9e5d1e

SHA256
0dabc51506cbe857cdf3a240608b87b4d9b6b777730dd30922aedee62aca234e

SHA512
89dbb8006a36d6c04a423db8a4c3811ad949190828ea9e997e7ed481ce8954fcc1eb30b568601d94fa3f0dfeca22a1ba26afb0cebedf0ce16f7c1a1544a57ff3

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
92KB

MD5
6640f3919062a45cbacb1ed1eeefc0bd

SHA1
061c6ae9a03abdf9bb1d8cf0d4cde78389cc559a

SHA256
266543ebd7a0b6f444e06e243746a400de827ce2694f98f01e2ee9589afe1332

SHA512
ce1944c593e8eed0c86f06f14433cbbcde8039592bb519993534941de327d95536fc0d3b377312ed83bf386755873453129ce9e1f4ad010594d99eaf18e90785

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
92KB

MD5
afa1b1eb652982e7621d64f28284a2e3

SHA1
2c2f6d61d04cd30b4e9a963ea7629235fb92f2ba

SHA256
3f0894aaa24b4c5b457a732ff5756b8110a6571783dc7cf3c825e440f906ed2a

SHA512
6b421c0215129e73861d022f89daf08b75d4c8f4c8426d18d8d084a3c8f4770439add71f091bd060c7efee538688b28fd83887d7341cfec6a4d6bd51842811b1

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
92KB

MD5
65e200c06f19a2bb6a617d4b2d68fd67

SHA1
c0cb80f2ad7271c3374506b1058c3b73aca8db5b

SHA256
69dad0df6e75694e707878df5e5e2c6f5b1db487a271050bc516a8334aec2527

SHA512
7f040d69eeb6be2c92705f8ecdf7110c6ae15a97d4c24288564da32e34af7011826631a140a067bebd087d3836c3d1d480bf7cba970ecc5b93fadd85ab55e7ee

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
92KB

MD5
3f442e5675eda98bbcd38eb5c371a8ee

SHA1
12ee3ac649cf516bced54b7485c849e39bf34722

SHA256
10e36d86133bbe670f7a0a34b6cc2055f60d106dcacae0d8e3d1eab35b09543e

SHA512
03b3c24603c6a235a282005589ff2a45f0aa07a83714ca1f881f49ffe8a0b9d689b79f967e9ec37d422350763dcf26e0e38d955a53d7721e564f39429069b898

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
92KB

MD5
7f3ce3c2eb1e4f2429aab5c7074217c6

SHA1
fb394106b66263df265ff81885a7ed458f70424b

SHA256
809fede54a06bca856130a40f1a3e86a22ef5996b8821f2a41677e29db46f059

SHA512
faf30e7c540872997b2d1827f3dd5e83692c09c625bd2a8df6b5366c66be82dfa8301acc1206e75a37b7807997b64b0a41bbd70e12969f789a4596c9f748100b

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
92KB

MD5
4467963b3e41fb78ddc2bed7e88f4e25

SHA1
940d87845c0b9991e3392739c7c41346554de3d2

SHA256
49d6f70a944ba130ab726ab45dd2ceec319a2fccb897de7af2154998e72068d7

SHA512
c9eeab52853e65923ee19d514a651c4c46d9b856c686ae48c5b1445623cf0d7b2ad6793457f73bd0dd328e9034c140863413f93aac4273ead900bb322f3af1d6

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
92KB

MD5
545f130f2fdfeccd2bdfc94963386858

SHA1
49d7fe59fd3014ef3e5916e3f904157a0009f026

SHA256
55afb3999bfee3ce889cb75e9d9f95483c87e421ed01a189aa5afda1fed68d99

SHA512
b5073b59538850c699386074b50b2fa72ff413a71c43db09905b1540603671e84523cf0927512d55ed2f9c60fecfd271e55265a7a321d55473efe4c9e2da8219

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
92KB

MD5
faed642092b19d574ef53b3f2c61ae78

SHA1
7384ea8a0dd60daf31785c33c275baa23f6234e8

SHA256
0df51f4d3c358a343539cc3fcf069625ff609f7ebc91a2aa4ff7fc68817a0062

SHA512
5c565a2d54546c0de64dbbeec01ca48cd0cc3423a5bc1ed93c65439120f339ee25ee3ba571987f3dfb436df36c8efdfaf1d9f5bfd2830f163d5e7efdce2753d2

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
92KB

MD5
e6797843502ac75bda43f57865f7d6a8

SHA1
52d0b4cef393798d2396d08ac800470f4c44911c

SHA256
03a67b16caf091f125a6f482ecd2876019f4d7a305d34a49ed140b33ba6581ba

SHA512
09cf0687c176a8203f07d44975da147744f803ed2740aa9eb3b4c5e4110e9f7ef59eaf75936a0e63e8bd42c0a738efc24fb416795c2ecb4a3eaecd5346e24629

Download Submit
memory/208-321-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/424-395-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/628-311-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/708-347-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/764-533-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/812-591-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/964-342-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1016-225-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1040-425-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1160-217-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1208-527-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1244-105-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1332-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1400-29-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1448-437-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1472-177-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1488-525-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1512-417-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1584-209-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1616-141-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1752-267-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1816-41-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1816-590-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1868-562-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1952-81-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2040-431-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2060-357-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2076-305-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2128-97-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2264-598-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2280-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2280-597-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2284-287-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2408-461-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2520-303-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2576-453-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2620-17-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2620-574-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2680-515-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2708-549-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2748-253-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2872-77-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2896-145-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2904-552-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2940-113-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2952-121-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2972-504-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3032-584-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3044-459-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3116-327-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3152-473-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3208-201-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3240-57-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3240-608-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3360-281-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3456-583-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3456-33-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3464-371-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3616-65-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3696-514-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3720-129-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3732-577-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3876-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3876-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3876-551-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3884-490-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4028-423-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4068-539-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4232-491-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4268-359-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4304-257-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4356-369-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4372-383-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4376-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4384-275-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4400-381-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4408-153-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4432-467-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4500-89-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4512-339-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4532-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4568-161-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4580-169-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4584-407-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4588-447-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4748-575-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4756-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4844-273-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4856-293-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4892-405-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4924-568-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4932-483-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4944-13-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4952-329-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4972-197-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5004-502-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads