c123dc0157920a2fe690df4be25e9af6791505d61ae6747c8da200f386b010b8

Analysis

max time kernel
114s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 05:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd323a98c084fe547d2022a2c5db3530N.exe
Size

233KB
MD5

cd323a98c084fe547d2022a2c5db3530
SHA1

a84d0e0f2d11bdbf172b813f90567bbf93777d17
SHA256

c123dc0157920a2fe690df4be25e9af6791505d61ae6747c8da200f386b010b8
SHA512

279698a66f98b4215839475e35fcb27faee367e84685dfe790bad419f91d4c1eb6fab7ced90536252917d77ef537bb73727ce21de6665a8c571fd8342d802822
SSDEEP

6144:ZMDGdK4EjfRKB3A4U2dga1mcyw7I6BjtCYYs2:GDGJy5WHR1mK7fVtXP2

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbiapb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jogqlpde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncaklhdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlanpfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlemcq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noaeqjpe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkhfek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhlfoodc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nocbfjmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pokanf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfgfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcghkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeopfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abjfqpji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlnpio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nconfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbbgicnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcnleb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cehlcikj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilmedf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljbmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lknjhokg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocmjhfjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bflham32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amfhgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hccggl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhmafcnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aimhmkgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abgjkpll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpgjpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ilmedf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpbgnecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmdmpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bihhhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pilpfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qpbgnecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fggdpnkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjckkcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkklbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cemeoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iabglnco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mahklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pijcpmhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aidomjaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bliajd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlgjhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlnpio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndnnianm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlfhke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oloipmfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bblcfo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cefoni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pilpfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acppddig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeffgkkp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Debnjgcp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjgkab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmpcdfll.exe

Executes dropped EXE 64 IoCs

pid	Process
4728	Eajlhg32.exe
1312	Fggdpnkf.exe
1128	Fqphic32.exe
2920	Fgiaemic.exe
2616	Fdmaoahm.exe
2256	Fkgillpj.exe
1084	Fdpnda32.exe
3428	Fcbnpnme.exe
3776	Fjmfmh32.exe
1252	Fgqgfl32.exe
2576	Gcghkm32.exe
1832	Gnmlhf32.exe
3288	Gcjdam32.exe
1532	Gjcmngnj.exe
536	Gjficg32.exe
1344	Ggjjlk32.exe
2628	Gbpnjdkg.exe
1004	Gcqjal32.exe
3356	Gbbkocid.exe
3332	Hccggl32.exe
4312	Hbdgec32.exe
2260	Hnkhjdle.exe
3988	Hgcmbj32.exe
1792	Hbiapb32.exe
1180	Hjdedepg.exe
720	Hghfnioq.exe
3992	Ibnjkbog.exe
4640	Ilfodgeg.exe
2372	Iabglnco.exe
2192	Ijkled32.exe
2288	Iccpniqp.exe
2092	Inidkb32.exe
2460	Icfmci32.exe
532	Ilmedf32.exe
1472	Ibgmaqfl.exe
2664	Ijbbfc32.exe
4548	Jaljbmkd.exe
2516	Jlanpfkj.exe
4428	Jblflp32.exe
1512	Jdmcdhhe.exe
4340	Jjgkab32.exe
2680	Jaqcnl32.exe
2604	Jdopjh32.exe
4256	Jlfhke32.exe
1296	Jbppgona.exe
4676	Jeolckne.exe
4152	Jhmhpfmi.exe
4680	Jogqlpde.exe
1448	Jbbmmo32.exe
1888	Jhoeef32.exe
2356	Jjnaaa32.exe
1916	Kahinkaf.exe
4924	Kkpnga32.exe
800	Koljgppp.exe
4768	Kdhbpf32.exe
2480	Kkbkmqed.exe
5168	Kongmo32.exe
5224	Kdkoef32.exe
5264	Kkegbpca.exe
5304	Kblpcndd.exe
5344	Khihld32.exe
5384	Klddlckd.exe
5424	Kbnlim32.exe
5464	Kdpiqehp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nchhfild.exe	Nlnpio32.exe
File opened for modification	C:\Windows\SysWOW64\Abemep32.exe	Apgqie32.exe
File created	C:\Windows\SysWOW64\Eldafjjc.dll	Cefoni32.exe
File opened for modification	C:\Windows\SysWOW64\Kkegbpca.exe	Kdkoef32.exe
File opened for modification	C:\Windows\SysWOW64\Lacijjgi.exe	Loemnnhe.exe
File opened for modification	C:\Windows\SysWOW64\Mdbnmbhj.exe	Mlgjhp32.exe
File created	C:\Windows\SysWOW64\Codncb32.dll	Ncaklhdi.exe
File created	C:\Windows\SysWOW64\Iipkfmal.dll	Piolkm32.exe
File created	C:\Windows\SysWOW64\Fgqgfl32.exe	Fjmfmh32.exe
File created	C:\Windows\SysWOW64\Kbnlim32.exe	Klddlckd.exe
File opened for modification	C:\Windows\SysWOW64\Nkjckkcg.exe	Nhlfoodc.exe
File opened for modification	C:\Windows\SysWOW64\Ocmjhfjl.exe	Omcbkl32.exe
File created	C:\Windows\SysWOW64\Lhmafcnf.exe	Lacijjgi.exe
File opened for modification	C:\Windows\SysWOW64\Napameoi.exe	Noaeqjpe.exe
File created	C:\Windows\SysWOW64\Gjbpbd32.dll	Ollljmhg.exe
File created	C:\Windows\SysWOW64\Miiepfpf.dll	Ofijnbkb.exe
File created	C:\Windows\SysWOW64\Hccggl32.exe	Gbbkocid.exe
File created	C:\Windows\SysWOW64\Eeeibmnq.dll	Llpchaqg.exe
File created	C:\Windows\SysWOW64\Pcijce32.exe	Pokanf32.exe
File created	C:\Windows\SysWOW64\Cdebfago.exe	Bipnihgi.exe
File opened for modification	C:\Windows\SysWOW64\Fjmfmh32.exe	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Ehilac32.dll	Kblpcndd.exe
File opened for modification	C:\Windows\SysWOW64\Mccokj32.exe	Mlifnphl.exe
File opened for modification	C:\Windows\SysWOW64\Cfjeckpj.exe	Cdlhgpag.exe
File created	C:\Windows\SysWOW64\Ldbeqlcg.dll	Dbhlikpf.exe
File created	C:\Windows\SysWOW64\Pjpjea32.dll	Ilfodgeg.exe
File created	C:\Windows\SysWOW64\Caekaaoh.dll	Mlgjhp32.exe
File created	C:\Windows\SysWOW64\Bppcpc32.exe	Bmagch32.exe
File created	C:\Windows\SysWOW64\Dchhia32.dll	Clpgkcdj.exe
File created	C:\Windows\SysWOW64\Qebeaf32.dll	Pcijce32.exe
File opened for modification	C:\Windows\SysWOW64\Apgqie32.exe	Aimhmkgn.exe
File created	C:\Windows\SysWOW64\Qfqbll32.dll	Jhmhpfmi.exe
File created	C:\Windows\SysWOW64\Ohbikenl.dll	Ocmjhfjl.exe
File created	C:\Windows\SysWOW64\Elgide32.dll	Bpgjpb32.exe
File created	C:\Windows\SysWOW64\Hkjfpp32.dll	Cehlcikj.exe
File opened for modification	C:\Windows\SysWOW64\Dbfoclai.exe	Debnjgcp.exe
File opened for modification	C:\Windows\SysWOW64\Ilmedf32.exe	Icfmci32.exe
File created	C:\Windows\SysWOW64\Dbnefjjd.dll	Jaqcnl32.exe
File opened for modification	C:\Windows\SysWOW64\Pbbgicnd.exe	Podkmgop.exe
File opened for modification	C:\Windows\SysWOW64\Aeopfl32.exe	Qcncodki.exe
File created	C:\Windows\SysWOW64\Apkjddke.exe	Ammnhilb.exe
File created	C:\Windows\SysWOW64\Jfdqcf32.dll	Bejobk32.exe
File opened for modification	C:\Windows\SysWOW64\Bmimdg32.exe	Bimach32.exe
File created	C:\Windows\SysWOW64\Hgcmbj32.exe	Hnkhjdle.exe
File created	C:\Windows\SysWOW64\Mkocol32.exe	Mhpgca32.exe
File created	C:\Windows\SysWOW64\Clhgbgki.dll	Gjficg32.exe
File created	C:\Windows\SysWOW64\Lknjhokg.exe	Lddble32.exe
File created	C:\Windows\SysWOW64\Inkqjp32.dll	Oomelheh.exe
File created	C:\Windows\SysWOW64\Afqifo32.exe	Abemep32.exe
File opened for modification	C:\Windows\SysWOW64\Clbdpc32.exe	Cmpcdfll.exe
File created	C:\Windows\SysWOW64\Fdmaoahm.exe	Fgiaemic.exe
File opened for modification	C:\Windows\SysWOW64\Gjcmngnj.exe	Gcjdam32.exe
File created	C:\Windows\SysWOW64\Laffpi32.exe	Logicn32.exe
File opened for modification	C:\Windows\SysWOW64\Ncaklhdi.exe	Nkjckkcg.exe
File created	C:\Windows\SysWOW64\Odedipge.exe	Obfhmd32.exe
File opened for modification	C:\Windows\SysWOW64\Akihcfid.exe	Amfhgj32.exe
File created	C:\Windows\SysWOW64\Afnlpohj.exe	Acppddig.exe
File created	C:\Windows\SysWOW64\Eicfep32.dll	Cfmahknh.exe
File created	C:\Windows\SysWOW64\Efhbch32.dll	Jdmcdhhe.exe
File created	C:\Windows\SysWOW64\Jhmhpfmi.exe	Jeolckne.exe
File created	C:\Windows\SysWOW64\Nfiagd32.exe	Ncjdki32.exe
File opened for modification	C:\Windows\SysWOW64\Omcbkl32.exe	Ofijnbkb.exe
File opened for modification	C:\Windows\SysWOW64\Apkjddke.exe	Ammnhilb.exe
File opened for modification	C:\Windows\SysWOW64\Inidkb32.exe	Iccpniqp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7868	7632	WerFault.exe	309

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ollljmhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aimhmkgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbnlim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhhml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcbnpnme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcghkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbdgec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mebkge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oohkai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbgnecp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aidomjaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moalil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlnpio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abgjkpll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odbgdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apimodmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpcdfll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdlhgpag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaljbmkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lddble32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nconfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhlfoodc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bifkcioc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcnleb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbpnjdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncaklhdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnkhjdle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klddlckd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhbkac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbngeadf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bboplo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bihhhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdpnda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjficg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmdmpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijbbfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbppgona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkegbpca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndpjnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cefoni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlfhke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhgmcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bppcpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilfodgeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhpgca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofdqcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpefaq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okmpqjad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blgddd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfoegm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cehlcikj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdpiqehp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Podkmgop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afqifo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjmfmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iabglnco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdopjh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdhbpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acppddig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcicjbal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmagch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohcmpn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmahknh.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpjea32.dll"	Ilfodgeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdkoef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdqcf32.dll"	Bejobk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmabgl32.dll"	Bfoegm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjinnekj.dll"	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbdgec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkocol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nconfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhejfl32.dll"	Mkocol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmpakdh.dll"	Nfiagd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnmmnbnl.dll"	Odjmdocp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgfdkj32.dll"	Dbfoclai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcjdam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdkoef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lhbkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdpagc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bipnihgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgkkbg32.dll"	Cbhbbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Clpgkcdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmjdlb32.dll"	Loemnnhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okahhpqj.dll"	Lojfin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfhni32.dll"	Lkqgno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mahklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljnakk32.dll"	Jjnaaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Moalil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncjdki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmglfe32.dll"	Bcnleb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkjfpp32.dll"	Cehlcikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhpmopi.dll"	Fjmfmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kongmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mociol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanhkb32.dll"	Apgqie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beoimjce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laffpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncloojfj.dll"	Pbbgicnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bppcpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdebfago.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dlncla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbnlim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mccokj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flcmpceo.dll"	Mojopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eijbed32.dll"	Nhlfoodc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijbbfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haafdi32.dll"	Pokanf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pimdleea.dll"	Bboplo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmiikpek.dll"	Cfjeckpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjcmngnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbbmmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abggif32.dll"	Lajokiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcijce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Noaeqjpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oljoen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oflfdbip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cemeoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denlcd32.dll"	Iccpniqp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oloipmfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bakpfm32.dll"	Obkahddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmfbkh32.dll"	Gnmlhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iabglnco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oloipmfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfppoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mhpgca32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 4728	3380	cd323a98c084fe547d2022a2c5db3530N.exe	91
PID 3380 wrote to memory of 4728	3380	cd323a98c084fe547d2022a2c5db3530N.exe	91
PID 3380 wrote to memory of 4728	3380	cd323a98c084fe547d2022a2c5db3530N.exe	91
PID 4728 wrote to memory of 1312	4728	Eajlhg32.exe	92
PID 4728 wrote to memory of 1312	4728	Eajlhg32.exe	92
PID 4728 wrote to memory of 1312	4728	Eajlhg32.exe	92
PID 1312 wrote to memory of 1128	1312	Fggdpnkf.exe	93
PID 1312 wrote to memory of 1128	1312	Fggdpnkf.exe	93
PID 1312 wrote to memory of 1128	1312	Fggdpnkf.exe	93
PID 1128 wrote to memory of 2920	1128	Fqphic32.exe	94
PID 1128 wrote to memory of 2920	1128	Fqphic32.exe	94
PID 1128 wrote to memory of 2920	1128	Fqphic32.exe	94
PID 2920 wrote to memory of 2616	2920	Fgiaemic.exe	95
PID 2920 wrote to memory of 2616	2920	Fgiaemic.exe	95
PID 2920 wrote to memory of 2616	2920	Fgiaemic.exe	95
PID 2616 wrote to memory of 2256	2616	Fdmaoahm.exe	96
PID 2616 wrote to memory of 2256	2616	Fdmaoahm.exe	96
PID 2616 wrote to memory of 2256	2616	Fdmaoahm.exe	96
PID 2256 wrote to memory of 1084	2256	Fkgillpj.exe	97
PID 2256 wrote to memory of 1084	2256	Fkgillpj.exe	97
PID 2256 wrote to memory of 1084	2256	Fkgillpj.exe	97
PID 1084 wrote to memory of 3428	1084	Fdpnda32.exe	98
PID 1084 wrote to memory of 3428	1084	Fdpnda32.exe	98
PID 1084 wrote to memory of 3428	1084	Fdpnda32.exe	98
PID 3428 wrote to memory of 3776	3428	Fcbnpnme.exe	100
PID 3428 wrote to memory of 3776	3428	Fcbnpnme.exe	100
PID 3428 wrote to memory of 3776	3428	Fcbnpnme.exe	100
PID 3776 wrote to memory of 1252	3776	Fjmfmh32.exe	101
PID 3776 wrote to memory of 1252	3776	Fjmfmh32.exe	101
PID 3776 wrote to memory of 1252	3776	Fjmfmh32.exe	101
PID 1252 wrote to memory of 2576	1252	Fgqgfl32.exe	103
PID 1252 wrote to memory of 2576	1252	Fgqgfl32.exe	103
PID 1252 wrote to memory of 2576	1252	Fgqgfl32.exe	103
PID 2576 wrote to memory of 1832	2576	Gcghkm32.exe	104
PID 2576 wrote to memory of 1832	2576	Gcghkm32.exe	104
PID 2576 wrote to memory of 1832	2576	Gcghkm32.exe	104
PID 1832 wrote to memory of 3288	1832	Gnmlhf32.exe	105
PID 1832 wrote to memory of 3288	1832	Gnmlhf32.exe	105
PID 1832 wrote to memory of 3288	1832	Gnmlhf32.exe	105
PID 3288 wrote to memory of 1532	3288	Gcjdam32.exe	106
PID 3288 wrote to memory of 1532	3288	Gcjdam32.exe	106
PID 3288 wrote to memory of 1532	3288	Gcjdam32.exe	106
PID 1532 wrote to memory of 536	1532	Gjcmngnj.exe	107
PID 1532 wrote to memory of 536	1532	Gjcmngnj.exe	107
PID 1532 wrote to memory of 536	1532	Gjcmngnj.exe	107
PID 536 wrote to memory of 1344	536	Gjficg32.exe	109
PID 536 wrote to memory of 1344	536	Gjficg32.exe	109
PID 536 wrote to memory of 1344	536	Gjficg32.exe	109
PID 1344 wrote to memory of 2628	1344	Ggjjlk32.exe	110
PID 1344 wrote to memory of 2628	1344	Ggjjlk32.exe	110
PID 1344 wrote to memory of 2628	1344	Ggjjlk32.exe	110
PID 2628 wrote to memory of 1004	2628	Gbpnjdkg.exe	111
PID 2628 wrote to memory of 1004	2628	Gbpnjdkg.exe	111
PID 2628 wrote to memory of 1004	2628	Gbpnjdkg.exe	111
PID 1004 wrote to memory of 3356	1004	Gcqjal32.exe	112
PID 1004 wrote to memory of 3356	1004	Gcqjal32.exe	112
PID 1004 wrote to memory of 3356	1004	Gcqjal32.exe	112
PID 3356 wrote to memory of 3332	3356	Gbbkocid.exe	113
PID 3356 wrote to memory of 3332	3356	Gbbkocid.exe	113
PID 3356 wrote to memory of 3332	3356	Gbbkocid.exe	113
PID 3332 wrote to memory of 4312	3332	Hccggl32.exe	114
PID 3332 wrote to memory of 4312	3332	Hccggl32.exe	114
PID 3332 wrote to memory of 4312	3332	Hccggl32.exe	114
PID 4312 wrote to memory of 2260	4312	Hbdgec32.exe	115

C:\Users\Admin\AppData\Local\Temp\cd323a98c084fe547d2022a2c5db3530N.exe
"C:\Users\Admin\AppData\Local\Temp\cd323a98c084fe547d2022a2c5db3530N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Windows\SysWOW64\Eajlhg32.exe
  C:\Windows\system32\Eajlhg32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Windows\SysWOW64\Fggdpnkf.exe
    C:\Windows\system32\Fggdpnkf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1312
  - - C:\Windows\SysWOW64\Fqphic32.exe
      C:\Windows\system32\Fqphic32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1128
    - - C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2920
      - C:\Windows\SysWOW64\Fdmaoahm.exe
        
        C:\Windows\system32\Fdmaoahm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Fdpnda32.exe
        
        C:\Windows\system32\Fdpnda32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SysWOW64\Fjmfmh32.exe
        
        C:\Windows\system32\Fjmfmh32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Gcghkm32.exe
        
        C:\Windows\system32\Gcghkm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Gnmlhf32.exe
        
        C:\Windows\system32\Gnmlhf32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\Gcjdam32.exe
        
        C:\Windows\system32\Gcjdam32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\Gjcmngnj.exe
        
        C:\Windows\system32\Gjcmngnj.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Gjficg32.exe
        
        C:\Windows\system32\Gjficg32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Ggjjlk32.exe
        
        C:\Windows\system32\Ggjjlk32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Gbpnjdkg.exe
        
        C:\Windows\system32\Gbpnjdkg.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Gcqjal32.exe
        
        C:\Windows\system32\Gcqjal32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Gbbkocid.exe
        
        C:\Windows\system32\Gbbkocid.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\SysWOW64\Hccggl32.exe
        
        C:\Windows\system32\Hccggl32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\SysWOW64\Hbdgec32.exe
        
        C:\Windows\system32\Hbdgec32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\Hnkhjdle.exe
        
        C:\Windows\system32\Hnkhjdle.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\Hgcmbj32.exe
        
        C:\Windows\system32\Hgcmbj32.exe
        24⤵
        Executes dropped EXE
        
        PID:3988
        
        C:\Windows\SysWOW64\Hbiapb32.exe
        
        C:\Windows\system32\Hbiapb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1792
        
        C:\Windows\SysWOW64\Hjdedepg.exe
        
        C:\Windows\system32\Hjdedepg.exe
        26⤵
        Executes dropped EXE
        
        PID:1180
        
        C:\Windows\SysWOW64\Hghfnioq.exe
        
        C:\Windows\system32\Hghfnioq.exe
        27⤵
        Executes dropped EXE
        
        PID:720
        
        C:\Windows\SysWOW64\Ibnjkbog.exe
        
        C:\Windows\system32\Ibnjkbog.exe
        28⤵
        Executes dropped EXE
        
        PID:3992
        
        C:\Windows\SysWOW64\Ilfodgeg.exe
        
        C:\Windows\system32\Ilfodgeg.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Iabglnco.exe
        
        C:\Windows\system32\Iabglnco.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Ijkled32.exe
        
        C:\Windows\system32\Ijkled32.exe
        31⤵
        Executes dropped EXE
        
        PID:2192
        
        C:\Windows\SysWOW64\Iccpniqp.exe
        
        C:\Windows\system32\Iccpniqp.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Inidkb32.exe
        
        C:\Windows\system32\Inidkb32.exe
        33⤵
        Executes dropped EXE
        
        PID:2092
        
        C:\Windows\SysWOW64\Icfmci32.exe
        
        C:\Windows\system32\Icfmci32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2460
        
        C:\Windows\SysWOW64\Ilmedf32.exe
        
        C:\Windows\system32\Ilmedf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:532
        
        C:\Windows\SysWOW64\Ibgmaqfl.exe
        
        C:\Windows\system32\Ibgmaqfl.exe
        36⤵
        Executes dropped EXE
        
        PID:1472
        
        C:\Windows\SysWOW64\Ijbbfc32.exe
        
        C:\Windows\system32\Ijbbfc32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Jaljbmkd.exe
        
        C:\Windows\system32\Jaljbmkd.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\Windows\SysWOW64\Jlanpfkj.exe
        
        C:\Windows\system32\Jlanpfkj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2516
        
        C:\Windows\SysWOW64\Jblflp32.exe
        
        C:\Windows\system32\Jblflp32.exe
        40⤵
        Executes dropped EXE
        
        PID:4428
        
        C:\Windows\SysWOW64\Jdmcdhhe.exe
        
        C:\Windows\system32\Jdmcdhhe.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\SysWOW64\Jjgkab32.exe
        
        C:\Windows\system32\Jjgkab32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4340
        
        C:\Windows\SysWOW64\Jaqcnl32.exe
        
        C:\Windows\system32\Jaqcnl32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2680
        
        C:\Windows\SysWOW64\Jdopjh32.exe
        
        C:\Windows\system32\Jdopjh32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Windows\SysWOW64\Jlfhke32.exe
        
        C:\Windows\system32\Jlfhke32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4256
        
        C:\Windows\SysWOW64\Jbppgona.exe
        
        C:\Windows\system32\Jbppgona.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1296
        
        C:\Windows\SysWOW64\Jeolckne.exe
        
        C:\Windows\system32\Jeolckne.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4676
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4152
        
        C:\Windows\SysWOW64\Jogqlpde.exe
        
        C:\Windows\system32\Jogqlpde.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4680
        
        C:\Windows\SysWOW64\Jbbmmo32.exe
        
        C:\Windows\system32\Jbbmmo32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Jhoeef32.exe
        
        C:\Windows\system32\Jhoeef32.exe
        51⤵
        Executes dropped EXE
        
        PID:1888
        
        C:\Windows\SysWOW64\Jjnaaa32.exe
        
        C:\Windows\system32\Jjnaaa32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Kahinkaf.exe
        
        C:\Windows\system32\Kahinkaf.exe
        53⤵
        Executes dropped EXE
        
        PID:1916
        
        C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        54⤵
        Executes dropped EXE
        
        PID:4924
        
        C:\Windows\SysWOW64\Koljgppp.exe
        
        C:\Windows\system32\Koljgppp.exe
        55⤵
        Executes dropped EXE
        
        PID:800
        
        C:\Windows\SysWOW64\Kdhbpf32.exe
        
        C:\Windows\system32\Kdhbpf32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\SysWOW64\Kkbkmqed.exe
        
        C:\Windows\system32\Kkbkmqed.exe
        57⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\SysWOW64\Kongmo32.exe
        
        C:\Windows\system32\Kongmo32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Kdkoef32.exe
        
        C:\Windows\system32\Kdkoef32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Kkegbpca.exe
        
        C:\Windows\system32\Kkegbpca.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5264
        
        C:\Windows\SysWOW64\Kblpcndd.exe
        
        C:\Windows\system32\Kblpcndd.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Khihld32.exe
        
        C:\Windows\system32\Khihld32.exe
        62⤵
        Executes dropped EXE
        
        PID:5344
        
        C:\Windows\SysWOW64\Klddlckd.exe
        
        C:\Windows\system32\Klddlckd.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5384
        
        C:\Windows\SysWOW64\Kbnlim32.exe
        
        C:\Windows\system32\Kbnlim32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Kdpiqehp.exe
        
        C:\Windows\system32\Kdpiqehp.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5464
        
        C:\Windows\SysWOW64\Loemnnhe.exe
        
        C:\Windows\system32\Loemnnhe.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Lacijjgi.exe
        
        C:\Windows\system32\Lacijjgi.exe
        67⤵
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Lhmafcnf.exe
        
        C:\Windows\system32\Lhmafcnf.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5584
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        69⤵
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Laffpi32.exe
        
        C:\Windows\system32\Laffpi32.exe
        70⤵
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Lddble32.exe
        
        C:\Windows\system32\Lddble32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\Lknjhokg.exe
        
        C:\Windows\system32\Lknjhokg.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5744
        
        C:\Windows\SysWOW64\Lojfin32.exe
        
        C:\Windows\system32\Lojfin32.exe
        73⤵
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Ldfoad32.exe
        
        C:\Windows\system32\Ldfoad32.exe
        74⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Lhbkac32.exe
        
        C:\Windows\system32\Lhbkac32.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Lkqgno32.exe
        
        C:\Windows\system32\Lkqgno32.exe
        76⤵
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        77⤵
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Llpchaqg.exe
        
        C:\Windows\system32\Llpchaqg.exe
        78⤵
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Loopdmpk.exe
        
        C:\Windows\system32\Loopdmpk.exe
        79⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Lehhqg32.exe
        
        C:\Windows\system32\Lehhqg32.exe
        80⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Lhgdmb32.exe
        
        C:\Windows\system32\Lhgdmb32.exe
        81⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Moalil32.exe
        
        C:\Windows\system32\Moalil32.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Mekdffee.exe
        
        C:\Windows\system32\Mekdffee.exe
        83⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Mlemcq32.exe
        
        C:\Windows\system32\Mlemcq32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5312
        
        C:\Windows\SysWOW64\Mociol32.exe
        
        C:\Windows\system32\Mociol32.exe
        85⤵
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Mdpagc32.exe
        
        C:\Windows\system32\Mdpagc32.exe
        86⤵
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Mlgjhp32.exe
        
        C:\Windows\system32\Mlgjhp32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5596
        
        C:\Windows\SysWOW64\Mdbnmbhj.exe
        
        C:\Windows\system32\Mdbnmbhj.exe
        88⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Mlifnphl.exe
        
        C:\Windows\system32\Mlifnphl.exe
        89⤵
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Mccokj32.exe
        
        C:\Windows\system32\Mccokj32.exe
        90⤵
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Mebkge32.exe
        
        C:\Windows\system32\Mebkge32.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:6016
        
        C:\Windows\SysWOW64\Mhpgca32.exe
        
        C:\Windows\system32\Mhpgca32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Mkocol32.exe
        
        C:\Windows\system32\Mkocol32.exe
        93⤵
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Mojopk32.exe
        
        C:\Windows\system32\Mojopk32.exe
        94⤵
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Mahklf32.exe
        
        C:\Windows\system32\Mahklf32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Medglemj.exe
        
        C:\Windows\system32\Medglemj.exe
        96⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Nlnpio32.exe
        
        C:\Windows\system32\Nlnpio32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5696
        
        C:\Windows\SysWOW64\Nchhfild.exe
        
        C:\Windows\system32\Nchhfild.exe
        98⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Nakhaf32.exe
        
        C:\Windows\system32\Nakhaf32.exe
        99⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Nheqnpjk.exe
        
        C:\Windows\system32\Nheqnpjk.exe
        100⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Ncjdki32.exe
        
        C:\Windows\system32\Ncjdki32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Nfiagd32.exe
        
        C:\Windows\system32\Nfiagd32.exe
        102⤵
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Ndlacapp.exe
        
        C:\Windows\system32\Ndlacapp.exe
        103⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Nhgmcp32.exe
        
        C:\Windows\system32\Nhgmcp32.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Windows\SysWOW64\Noaeqjpe.exe
        
        C:\Windows\system32\Noaeqjpe.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Napameoi.exe
        
        C:\Windows\system32\Napameoi.exe
        106⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Ndnnianm.exe
        
        C:\Windows\system32\Ndnnianm.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5200
        
        C:\Windows\SysWOW64\Nkhfek32.exe
        
        C:\Windows\system32\Nkhfek32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6020
        
        C:\Windows\SysWOW64\Nocbfjmc.exe
        
        C:\Windows\system32\Nocbfjmc.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6176
        
        C:\Windows\SysWOW64\Nconfh32.exe
        
        C:\Windows\system32\Nconfh32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6220
        
        C:\Windows\SysWOW64\Ndpjnq32.exe
        
        C:\Windows\system32\Ndpjnq32.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:6264
        
        C:\Windows\SysWOW64\Nhlfoodc.exe
        
        C:\Windows\system32\Nhlfoodc.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6308
        
        C:\Windows\SysWOW64\Nkjckkcg.exe
        
        C:\Windows\system32\Nkjckkcg.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6352
        
        C:\Windows\SysWOW64\Ncaklhdi.exe
        
        C:\Windows\system32\Ncaklhdi.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6396
        
        C:\Windows\SysWOW64\Nbdkhe32.exe
        
        C:\Windows\system32\Nbdkhe32.exe
        115⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Odbgdp32.exe
        
        C:\Windows\system32\Odbgdp32.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:6488
        
        C:\Windows\SysWOW64\Oljoen32.exe
        
        C:\Windows\system32\Oljoen32.exe
        117⤵
        Modifies registry class
        
        PID:6532
        
        C:\Windows\SysWOW64\Okmpqjad.exe
        
        C:\Windows\system32\Okmpqjad.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:6576
        
        C:\Windows\SysWOW64\Oohkai32.exe
        
        C:\Windows\system32\Oohkai32.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:6620
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        120⤵
        Drops file in System32 directory
        
        PID:6664
        
        C:\Windows\SysWOW64\Odedipge.exe
        
        C:\Windows\system32\Odedipge.exe
        121⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Ollljmhg.exe
        
        C:\Windows\system32\Ollljmhg.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6752
        
        C:\Windows\SysWOW64\Ookhfigk.exe
        
        C:\Windows\system32\Ookhfigk.exe
        123⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Ocfdgg32.exe
        
        C:\Windows\system32\Ocfdgg32.exe
        124⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\Ofdqcc32.exe
        
        C:\Windows\system32\Ofdqcc32.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:6884
        
        C:\Windows\SysWOW64\Ohcmpn32.exe
        
        C:\Windows\system32\Ohcmpn32.exe
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:6928
        
        C:\Windows\SysWOW64\Oloipmfd.exe
        
        C:\Windows\system32\Oloipmfd.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6972
        
        C:\Windows\SysWOW64\Oomelheh.exe
        
        C:\Windows\system32\Oomelheh.exe
        128⤵
        Drops file in System32 directory
        
        PID:7016
        
        C:\Windows\SysWOW64\Obkahddl.exe
        
        C:\Windows\system32\Obkahddl.exe
        129⤵
        Modifies registry class
        
        PID:7060
        
        C:\Windows\SysWOW64\Odjmdocp.exe
        
        C:\Windows\system32\Odjmdocp.exe
        130⤵
        Modifies registry class
        
        PID:7100
        
        C:\Windows\SysWOW64\Ocknbglo.exe
        
        C:\Windows\system32\Ocknbglo.exe
        131⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\Ofijnbkb.exe
        
        C:\Windows\system32\Ofijnbkb.exe
        132⤵
        Drops file in System32 directory
        
        PID:6168
        
        C:\Windows\SysWOW64\Omcbkl32.exe
        
        C:\Windows\system32\Omcbkl32.exe
        133⤵
        Drops file in System32 directory
        
        PID:6232
        
        C:\Windows\SysWOW64\Ocmjhfjl.exe
        
        C:\Windows\system32\Ocmjhfjl.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6300
        
        C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        135⤵
        Modifies registry class
        
        PID:6384
        
        C:\Windows\SysWOW64\Pijcpmhc.exe
        
        C:\Windows\system32\Pijcpmhc.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6448
        
        C:\Windows\SysWOW64\Podkmgop.exe
        
        C:\Windows\system32\Podkmgop.exe
        137⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6516
        
        C:\Windows\SysWOW64\Pbbgicnd.exe
        
        C:\Windows\system32\Pbbgicnd.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6588
        
        C:\Windows\SysWOW64\Pilpfm32.exe
        
        C:\Windows\system32\Pilpfm32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6660
        
        C:\Windows\SysWOW64\Pkklbh32.exe
        
        C:\Windows\system32\Pkklbh32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6720
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        141⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Pfppoa32.exe
        
        C:\Windows\system32\Pfppoa32.exe
        142⤵
        Modifies registry class
        
        PID:6880
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6940
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        144⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\Pokanf32.exe
        
        C:\Windows\system32\Pokanf32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7096
        
        C:\Windows\SysWOW64\Pcijce32.exe
        
        C:\Windows\system32\Pcijce32.exe
        146⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6164
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6248
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        148⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Qbngeadf.exe
        
        C:\Windows\system32\Qbngeadf.exe
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:6476
        
        C:\Windows\SysWOW64\Qelcamcj.exe
        
        C:\Windows\system32\Qelcamcj.exe
        150⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Qpbgnecp.exe
        
        C:\Windows\system32\Qpbgnecp.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6692
        
        C:\Windows\SysWOW64\Qcncodki.exe
        
        C:\Windows\system32\Qcncodki.exe
        152⤵
        Drops file in System32 directory
        
        PID:6808
        
        C:\Windows\SysWOW64\Aeopfl32.exe
        
        C:\Windows\system32\Aeopfl32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6916
        
        C:\Windows\SysWOW64\Amfhgj32.exe
        
        C:\Windows\system32\Amfhgj32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7048
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6256
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6424
        
        C:\Windows\SysWOW64\Aimhmkgn.exe
        
        C:\Windows\system32\Aimhmkgn.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6604
        
        C:\Windows\SysWOW64\Apgqie32.exe
        
        C:\Windows\system32\Apgqie32.exe
        159⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6792
        
        C:\Windows\SysWOW64\Abemep32.exe
        
        C:\Windows\system32\Abemep32.exe
        160⤵
        Drops file in System32 directory
        
        PID:7012
        
        C:\Windows\SysWOW64\Afqifo32.exe
        
        C:\Windows\system32\Afqifo32.exe
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:7140
        
        C:\Windows\SysWOW64\Aioebj32.exe
        
        C:\Windows\system32\Aioebj32.exe
        162⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Apimodmh.exe
        
        C:\Windows\system32\Apimodmh.exe
        163⤵
        System Location Discovery: System Language Discovery
        
        PID:6680
        
        C:\Windows\SysWOW64\Abgjkpll.exe
        
        C:\Windows\system32\Abgjkpll.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6896
        
        C:\Windows\SysWOW64\Aeffgkkp.exe
        
        C:\Windows\system32\Aeffgkkp.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6216
        
        C:\Windows\SysWOW64\Ammnhilb.exe
        
        C:\Windows\system32\Ammnhilb.exe
        166⤵
        Drops file in System32 directory
        
        PID:6584
        
        C:\Windows\SysWOW64\Apkjddke.exe
        
        C:\Windows\system32\Apkjddke.exe
        167⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\Abjfqpji.exe
        
        C:\Windows\system32\Abjfqpji.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6348
        
        C:\Windows\SysWOW64\Aidomjaf.exe
        
        C:\Windows\system32\Aidomjaf.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7184
        
        C:\Windows\SysWOW64\Albkieqj.exe
        
        C:\Windows\system32\Albkieqj.exe
        170⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\Bcicjbal.exe
        
        C:\Windows\system32\Bcicjbal.exe
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:7272
        
        C:\Windows\SysWOW64\Bblcfo32.exe
        
        C:\Windows\system32\Bblcfo32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7316
        
        C:\Windows\SysWOW64\Bejobk32.exe
        
        C:\Windows\system32\Bejobk32.exe
        173⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7360
        
        C:\Windows\SysWOW64\Bifkcioc.exe
        
        C:\Windows\system32\Bifkcioc.exe
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:7400
        
        C:\Windows\SysWOW64\Bmagch32.exe
        
        C:\Windows\system32\Bmagch32.exe
        175⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7448
        
        C:\Windows\SysWOW64\Bppcpc32.exe
        
        C:\Windows\system32\Bppcpc32.exe
        176⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7492
        
        C:\Windows\SysWOW64\Bboplo32.exe
        
        C:\Windows\system32\Bboplo32.exe
        177⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7536
        
        C:\Windows\SysWOW64\Bihhhi32.exe
        
        C:\Windows\system32\Bihhhi32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7580
        
        C:\Windows\SysWOW64\Blgddd32.exe
        
        C:\Windows\system32\Blgddd32.exe
        179⤵
        System Location Discovery: System Language Discovery
        
        PID:7624
        
        C:\Windows\SysWOW64\Bcnleb32.exe
        
        C:\Windows\system32\Bcnleb32.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7668
        
        C:\Windows\SysWOW64\Bflham32.exe
        
        C:\Windows\system32\Bflham32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7704
        
        C:\Windows\SysWOW64\Beoimjce.exe
        
        C:\Windows\system32\Beoimjce.exe
        182⤵
        Modifies registry class
        
        PID:7752
        
        C:\Windows\SysWOW64\Bliajd32.exe
        
        C:\Windows\system32\Bliajd32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7800
        
        C:\Windows\SysWOW64\Bcpika32.exe
        
        C:\Windows\system32\Bcpika32.exe
        184⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\Bfoegm32.exe
        
        C:\Windows\system32\Bfoegm32.exe
        185⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7884
        
        C:\Windows\SysWOW64\Bimach32.exe
        
        C:\Windows\system32\Bimach32.exe
        186⤵
        Drops file in System32 directory
        
        PID:7932
        
        C:\Windows\SysWOW64\Bmimdg32.exe
        
        C:\Windows\system32\Bmimdg32.exe
        187⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\Bpgjpb32.exe
        
        C:\Windows\system32\Bpgjpb32.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8020
        
        C:\Windows\SysWOW64\Bipnihgi.exe
        
        C:\Windows\system32\Bipnihgi.exe
        189⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8068
        
        C:\Windows\SysWOW64\Cdebfago.exe
        
        C:\Windows\system32\Cdebfago.exe
        190⤵
        Modifies registry class
        
        PID:8112
        
        C:\Windows\SysWOW64\Cbhbbn32.exe
        
        C:\Windows\system32\Cbhbbn32.exe
        191⤵
        Modifies registry class
        
        PID:8152
        
        C:\Windows\SysWOW64\Cefoni32.exe
        
        C:\Windows\system32\Cefoni32.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7172
        
        C:\Windows\SysWOW64\Clpgkcdj.exe
        
        C:\Windows\system32\Clpgkcdj.exe
        193⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7240
        
        C:\Windows\SysWOW64\Cdgolq32.exe
        
        C:\Windows\system32\Cdgolq32.exe
        194⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\Cehlcikj.exe
        
        C:\Windows\system32\Cehlcikj.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7396
        
        C:\Windows\SysWOW64\Cmpcdfll.exe
        
        C:\Windows\system32\Cmpcdfll.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7444
        
        C:\Windows\SysWOW64\Clbdpc32.exe
        
        C:\Windows\system32\Clbdpc32.exe
        197⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Cfhhml32.exe
        
        C:\Windows\system32\Cfhhml32.exe
        198⤵
        System Location Discovery: System Language Discovery
        
        PID:7572
        
        C:\Windows\SysWOW64\Cdlhgpag.exe
        
        C:\Windows\system32\Cdlhgpag.exe
        199⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7664
        
        C:\Windows\SysWOW64\Cfjeckpj.exe
        
        C:\Windows\system32\Cfjeckpj.exe
        200⤵
        Modifies registry class
        
        PID:7720
        
        C:\Windows\SysWOW64\Cemeoh32.exe
        
        C:\Windows\system32\Cemeoh32.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7788
        
        C:\Windows\SysWOW64\Cmdmpe32.exe
        
        C:\Windows\system32\Cmdmpe32.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7856
        
        C:\Windows\SysWOW64\Cfmahknh.exe
        
        C:\Windows\system32\Cfmahknh.exe
        203⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7928
        
        C:\Windows\SysWOW64\Dpefaq32.exe
        
        C:\Windows\system32\Dpefaq32.exe
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:8004
        
        C:\Windows\SysWOW64\Debnjgcp.exe
        
        C:\Windows\system32\Debnjgcp.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8080
        
        C:\Windows\SysWOW64\Dbfoclai.exe
        
        C:\Windows\system32\Dbfoclai.exe
        206⤵
        Modifies registry class
        
        PID:8148
        
        C:\Windows\SysWOW64\Dedkogqm.exe
        
        C:\Windows\system32\Dedkogqm.exe
        207⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\Dlncla32.exe
        
        C:\Windows\system32\Dlncla32.exe
        208⤵
        Modifies registry class
        
        PID:7300
        
        C:\Windows\SysWOW64\Dbhlikpf.exe
        
        C:\Windows\system32\Dbhlikpf.exe
        209⤵
        Drops file in System32 directory
        
        PID:7424
        
        C:\Windows\SysWOW64\Defheg32.exe
        
        C:\Windows\system32\Defheg32.exe
        210⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        211⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7632 -s 412
        212⤵
        Program crash
        
        PID:7868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4412,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4448 /prefetch:8
1⤵
PID:5488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7632 -ip 7632
1⤵
PID:7796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aioebj32.exe

Filesize
233KB

MD5
2db0a64a47baad2bd8d918a203ed446b

SHA1
ca1c8ef60365bffa8bfe0f5bca4427bef6d0e73a

SHA256
8146f5940ebdf702ad5521018f9a7fa00c3bd3d53082b2da056587f113daced6

SHA512
f1fd977291725e7100288e6b09405db92db794b77927011288a7ae7bca26ca5e38c03b443d01e374e97c45fbbc21d827238189167d066ab48271d75975dd8d30

Download Submit
C:\Windows\SysWOW64\Bpgjpb32.exe

Filesize
233KB

MD5
ea387de7c67d117dca117702b58e0365

SHA1
e63bc727e07fa07d961c94b15f9ff4cf47f0b9b5

SHA256
ccb04ca20af450dc78455ac7204036adf0a2b0f14ebc03b81ce60037e2bfca6e

SHA512
094fbbbd66b3790393ca57f01d960a8652fbea16d87b9be082266f6d30438efbad698424f4b07825341d28183e47133b5fda18d4b3ed4e1b7571dbf0ec3ef73b

Download Submit
C:\Windows\SysWOW64\Cmdmpe32.exe

Filesize
233KB

MD5
8ee7dcafc50a1c9e24123e39b7fcdb53

SHA1
b3ea6ae4f88841c94ae97e742a6b85e0daa93553

SHA256
9a3c64d669a383b6912b9cde10c1ee9f3c092d08672db7b4332f55bd5aa5472b

SHA512
cc53ff65ca7dc1413411a0814c8233a88a78793471068bb765b4c3d4a224f98cd8f949b39dfbe120b8bbe843dee6f690a479a817087fb185788e4c43209eeb60

Download Submit
C:\Windows\SysWOW64\Dbhlikpf.exe

Filesize
233KB

MD5
94233ff03c5f8b4681ccbc7dad7ff475

SHA1
eb391bdbd2e734e7ec77a0462f482d81a8c7e20c

SHA256
c814be5a16f24d9cc0c7b15ef689390eae6631fe6c445efc6b897d46ecdc73e3

SHA512
9f968cc15a7122aba45ce75a09984cafe826a4a48af475dc210e0fcee6b7100d5c4ce886012b472b4be1329c7ba18542acc05b3f307c84b40725b4efe897a594

Download Submit
C:\Windows\SysWOW64\Djojepof.dll

Filesize
7KB

MD5
fdb094c9e319e99de27ea2144249e267

SHA1
45a9bf393a4b34b3503e94c695bbb31c824103d3

SHA256
578cd64619be8af581b964f3b44d726f7ebc1fb36a3e1bce297b0c8888e780df

SHA512
2562aaeb9405fad76a13a257c43e8255d33b778586de9131bda09aa8e2e4e28df45ba2657b060420c48333b14c63ba2d579315230085f8af6791ddb61cfb937a

Download Submit
C:\Windows\SysWOW64\Eajlhg32.exe

Filesize
233KB

MD5
9fcc4916aff6f350b188895d4754c38b

SHA1
0de15308ea257b4d2346a00da1b6cabfcf1053bd

SHA256
8351a86b96338fedde97201b02922d6335492be1d209824eb8fdb27f404d8593

SHA512
d73c54e433cc22fb7242616a266aac08b1b23923d8d3c69fa5b224ec17f5dd3ba33334eba914ea3d42499df31c0bd61e5a642bb7f0065c6869aa3efa07bdbe51

Download Submit
C:\Windows\SysWOW64\Fcbnpnme.exe

Filesize
233KB

MD5
7f5f9c728fb86c1ce73c037256716594

SHA1
704d7382a49ea04d1fdaa516b8287fb7d38a25ee

SHA256
6eb234a1ab853b261d37235ac82cdd1a3670c38378d919986924e06864fc5a37

SHA512
075fa69aa905502c9ad43fdb25fbc4737b35e6271e07110b2e1ca62d3d4dbdf62f1a987e5d83ade2d2c65e8bdb2bc7eded79fae8f439941515bfc99d41d88d29

Download Submit
C:\Windows\SysWOW64\Fdmaoahm.exe

Filesize
233KB

MD5
baacee2f7701bc379fea60259c75844d

SHA1
19681ab4577f597f4ce61780f3cf2b47948e1d09

SHA256
bbddb99319ce25e2f06884cd562f526c774cbb2e0d93a5a59b0fe574fabdc1ed

SHA512
bc0d23315aa12b2262405081872509282239e3b04c033a788f8f02500762adb80d63da6df7cfd8f6e96d3f06f7232810760187fcee79eafa9ffb06a6b58c9796

Download Submit
C:\Windows\SysWOW64\Fdpnda32.exe

Filesize
233KB

MD5
39b4a05b55c67462cf5600e5ac83a94a

SHA1
cb72820447d9cdceb9bbac10190123e6388b0753

SHA256
d1e4ed25aa49bc63946732e31588f005fa133aa477b41b48f06d88bf133a8965

SHA512
8e3f776016a9bcc942501e93c5e935e18c31b4532188653d598c01159c9e8f3773b6a79700a0a724a30a15c3e77b2f3d5ef42c21ee0d05159e0419e8afe8223d

Download Submit
C:\Windows\SysWOW64\Fggdpnkf.exe

Filesize
233KB

MD5
f15d4f9e9bdf2174333ee8461324a525

SHA1
66d517da7405e9b6db73d160c9461ca722d01812

SHA256
47b6e20ccd0af4156c1a24b318468e49583febb40e34fd80a313e55f78459ded

SHA512
cbec1893884accf4457ed7028b36224468098d0bcceda0796d72a3544cdca5facde53a3229fe41044ee3e959ebf3e2195162046737cf6c20c9697d6402089981

Download Submit
C:\Windows\SysWOW64\Fgiaemic.exe

Filesize
233KB

MD5
037d39a88f3d7697d3e8108ee41f3160

SHA1
d6d8ffa59eec3ae4ea1119bcc1e6f6d0cafcd73d

SHA256
e200b0e03c5d8cd57e045f31ab7c0bc3453fae12bd4d5ce40d12d62d0e61046f

SHA512
dc7d9977b52acd38356fbd8322e44143ac7cafc2372038f85516ce297a70fad6652531d5affd321a58dbedc6dc474e77c6e7a57a0ee95e7bd9e4f6975f9bf36f

Download Submit
C:\Windows\SysWOW64\Fgqgfl32.exe

Filesize
233KB

MD5
ed07a645de5c27a8c9e9dda4ed3c6c88

SHA1
f4d46363b8820a3541463eb4e4d4f7e620fed8bd

SHA256
fd4dadab94feba7607eba0735650cc9b8214037d171f4dbe2ce93342f0693613

SHA512
ddd907f7b9e25538448820f60351190894098a3b84c18deeeff275d61e43df4cb729f8dff86f0956d96614acf0c8fb58656f970fc5b70a3342057c20a462ec2f

Download Submit
C:\Windows\SysWOW64\Fjmfmh32.exe

Filesize
233KB

MD5
8c85c4548b262ff21d05b5e40c2e6ea5

SHA1
df7e5ad3ced70f88060f7a405185a73d42d4dc1e

SHA256
43e364b0237ba01f772656691073e1759ce4fa681e0ffaf557d75cb1688c4cec

SHA512
55a346fd092f7485ae959050b9a9bfa0f4cdf80fc23f53c23aa9cdf8f31de41efdf92c13cf4018e2f74c56e2194393043554735e3d1854c56f9370c05fff1c0a

Download Submit
C:\Windows\SysWOW64\Fkgillpj.exe

Filesize
233KB

MD5
753f25abc9d077db79f7447ba81b4acb

SHA1
cd6640746b7b70d8b2de5cc6482b9907ac8b23cf

SHA256
5f1c66dd8cbeca13898c5666affb72b77ddcd82b5d9fb9a04bac9325dd4e1c01

SHA512
a7fa987e976362cfa54b2af1a814abd569512352a277d705e4ed5f2a262cf22e9bfb231b676e74012e8b66294c4fab96fa28b2cff0972b25c388e16cbf189b6a

Download Submit
C:\Windows\SysWOW64\Fqphic32.exe

Filesize
233KB

MD5
73710b83146736e29e7012ba9cbf0278

SHA1
06f2b55884654601b28b76616cccc466000938be

SHA256
9a718ce33830689cf7f516c2a377ac1e8df2478d77973f26574a95c24bd1676f

SHA512
29779452811ec8b949e7b7408c2d7205eed919a9e4ebde21ceabd11b5602b75ca927a3089e960bf17b3b1ba3b348ce0b2ff803387b05e40a3d88daa13dfc61cc

Download Submit
C:\Windows\SysWOW64\Gbbkocid.exe

Filesize
233KB

MD5
a6bf139fda399e6dc620c93a095ee690

SHA1
f07e11bf52170ded9a961d9e20e17a68436c19a2

SHA256
8c99289549615fce418ced7c88f1afb28ae08e35f3e8f4ee6c4deaf5a79f068d

SHA512
18ecb786c9b66df5ce94d7c8ca2eef95f0318e2677395fb6b0a8e4616c213de52464118ef6455c631b7b1d1d2b1cb2d91e93587b66d0ed63c766938221162cb6

Download Submit
C:\Windows\SysWOW64\Gbpnjdkg.exe

Filesize
233KB

MD5
894403132bd80e0a37d596374c5b8d08

SHA1
1ff4e1afc7c0a2fa716e4e31839a334f65f5d090

SHA256
bcec09d7c86d753bebcfa8bb4e3aa924de9cb16364b05acda1bbba2232c223d0

SHA512
e99c8a970291ca2cfcf1cd3aa913c86719db626bbc0f5bf415aa28b7610b2adedcc0b74e3803f4f1e75a99b87c9afbc881646f931c8b977f0b660f582181397e

Download Submit
C:\Windows\SysWOW64\Gcghkm32.exe

Filesize
233KB

MD5
25ba83359599130f0e3ef0796ea3e670

SHA1
1a675e7bbe349e1d2eb5937c4eb462b20124a3f0

SHA256
f9d2efff66a2cfdf80b5f12cafa928cdc0167d043ecf4de71f47f42795697724

SHA512
28e01b2430b93db8ba1e29ebdfacd79a0c54db358e938739a1e706b0e49db247bb95c3a9f430dbb849bb678417124a3a7bc52389c1fce6d68f3361b40a3c8bcb

Download Submit
C:\Windows\SysWOW64\Gcjdam32.exe

Filesize
233KB

MD5
8c3278a1f3c3f59a3697852949c82ecf

SHA1
6503114bb2e2eacf226cf752af20c51ef6103dfe

SHA256
9950e1a705aba2b0d0495a2bc5232cd82b3c36d883bf6801c834cce285c7340b

SHA512
ab588e539851a5ba683b4a175670abed137abe3f74953850b24e0c9e79679532dfd55e760e1a6710109e60d84cd607fa9ff6cd2f7253f7fb1541f6c94a8ea92e

Download Submit
C:\Windows\SysWOW64\Gcqjal32.exe

Filesize
233KB

MD5
9f5d92b54308192306c72b36ad3a0006

SHA1
60c90b2634c102bb9abd1a32eea517803d3dc673

SHA256
df7df6be90f68873f41a2b25bef3e31a5f222b3efc379e5f31ed50428a0fea0e

SHA512
6f0caec03501c304d6efd1a5be0b336fad0269ae38357285a2accddb970ae5a99f17062a03b5966a32719ffd451baad950812e33fdd7924a441f18450de04569

Download Submit
C:\Windows\SysWOW64\Ggjjlk32.exe

Filesize
233KB

MD5
a71eef1a70d0399a82bdba210a43a989

SHA1
6291e367c396875727821e0b2920fd2090689bb2

SHA256
870cc3cb7ac873273fa999301e3cf117f874cfc1aa3359891e8c7c597ab21059

SHA512
76867b7121b29f8422806acd6f75662dcc16f85fbf1754c20f64865a1bf64e1927f50948b2f6a4844a0c6bf8aa28b1c62c8e4819be517362da6039ac2827cfbc

Download Submit
C:\Windows\SysWOW64\Gjcmngnj.exe

Filesize
233KB

MD5
64ebd27b34a2f7af6690d92b0d191dad

SHA1
eb2b7f6bba3a06d5715dcdb7548bebb49784cb2d

SHA256
ff4d7d72a0dda6144fe7eb522cb417b93fe5e60b43aed032f3e6257d95c3c83d

SHA512
c48dd5351e74c41d44a3538d25a02e470e93048cbdace0dd1168ed59da603dc4720c53d9a1aab6aeabcc83fdea8cf5458e9ffc7126f286b5e053a789e8fdd20f

Download Submit
C:\Windows\SysWOW64\Gjficg32.exe

Filesize
233KB

MD5
f07c7c9679c7ad6612a0f103fafce02b

SHA1
25499caa97bd783d9dafedcd4003bb6f1ed0ccbf

SHA256
1994b3f34bf1b784e3370bb3435ad58190ff0876fa2518e3acee8a0a4dbc328a

SHA512
7f72ea1a6f14b482f73fd7cd1130731e4b246c71dfe23cdb942d875ed49ecbc829cd9bcd648b36087ad51255cae95ed2ad43a990e8555b45c2a9293d80c320c5

Download Submit
C:\Windows\SysWOW64\Gnmlhf32.exe

Filesize
233KB

MD5
eb41c4affbf16421f0564d008208be48

SHA1
724507937afdb6b2a9397a1d30163f85878f6308

SHA256
943accc61fca62b3fab63aacb5fcab2e9cf0eb146e8851a517f1a59e4704735c

SHA512
85ec09d1b4fb97fab7d8303c1ee81dbe0ad203a5f8c3fc8e79d42616757596bdaba5b6f82fa907c4c7f3da44c42baac39351a2410543bdc0ccb17c37b5514eab

Download Submit
C:\Windows\SysWOW64\Hbdgec32.exe

Filesize
233KB

MD5
c15862d95c0602621ec09b65ba958257

SHA1
6ee3335ce6980ff478d6756c39f0761f9b0aa605

SHA256
37f9ef9473850a23467d14733476633dba4264f1453438c4fcffdc5b59bfd560

SHA512
87edf31716808d53636a85c99da0cb6563606811e53bbe374378fb5f9d6a468f4ffde78152611df3705f8ffb54252fa179c071ffc252c8143fe8e71c1e8ec780

Download Submit
C:\Windows\SysWOW64\Hbiapb32.exe

Filesize
233KB

MD5
87c2efa1ec0ccf8b5bca9613a688ce18

SHA1
de8c0ef25b42ac70e95cbb89e45cd876a7f6ef80

SHA256
f47a75c025b1a51e31d79e23916391ce01f6990752a4c01dd042f24cb8929dcb

SHA512
0fddfb05a6730eca06ed197a0c29765a0c24d34e18cfb6ab67b6b34e2d984d1456f1e41378d7ac1b58db6d70724a7e4999838952fca59fa2080b32bb11577031

Download Submit
C:\Windows\SysWOW64\Hccggl32.exe

Filesize
233KB

MD5
f49afa961e5d6f95ec116ba01c283cd7

SHA1
2e81ab5719007578d35188508c0ca831bebeae45

SHA256
d877e44ea9befcb6b08c9ac74285128e3867f8b530819f80ec3d69f42d90649d

SHA512
76a5e6b22a76f00ed8b9ce1ba86b022f159816376fabac6b3d9821dc9afd6eddf405d931b3052de3c6383e1ce3b8cb574cc54b46288604d7aa8159493b63476f

Download Submit
C:\Windows\SysWOW64\Hgcmbj32.exe

Filesize
233KB

MD5
a6a7483b9d65245e53f5e8c097da825e

SHA1
0a95cf03f31cdb25e5afa57063db7ce2a5d9fb87

SHA256
c1d42706dee379b138d95754fcaad57b5a1fe649874a7a74d42a9c04d716984e

SHA512
3963705773211f1a2d27bdb14118d6ebea1222ba65cd9151b1dd2c767dac7fff130ad62721e49f3dc58970801358131eddc02acb73876c48bf1a1ab80a24a814

Download Submit
C:\Windows\SysWOW64\Hghfnioq.exe

Filesize
233KB

MD5
47ad8613e515d34ae06938bd78d09fef

SHA1
d63a6bfffb27ea4321b997cc0a248e81bac77688

SHA256
a238427ddf3a29bd768db5e7f6be6e0848b72609ed96a97eb893b4d47faeaa5b

SHA512
6b53277fedbe9503448601feb6c0f29dfb3316a5e617c0afbd1483764fc3c792291b9a270bfdb30663d21d648242a0a7a54f47be0cb0bf01cad1eb8a1c832ef6

Download Submit
C:\Windows\SysWOW64\Hjdedepg.exe

Filesize
233KB

MD5
0d8d3e3c4acf8798a3345069118b29b0

SHA1
d63a7fb3df269ac56b298a17574a9c044a69749a

SHA256
34aa10162ff3bab6c603a8eea9924eabf03f18e422609dcb48d5d909fb252650

SHA512
d1afa9731b92a2ac376ba7088a2ae4f0ca83fdf43db166472abbf276bb5e88fed2cdf0b276e78f92eaf98a0fccb68fdfd309457de1a4c9e90d4c7685986bf3a3

Download Submit
C:\Windows\SysWOW64\Hnkhjdle.exe

Filesize
233KB

MD5
407891e100c2d7a3a758161f7f03e198

SHA1
cafc61a334bc283a9dfd9876f3e4a96c88b9e0b5

SHA256
8ab92af94a62400039a31b10f98765ba58cdb088793722b4a2bb10a20b85f4dc

SHA512
902541391a61604caaee80a2058688fe9b640f15f7054de9e2d00ba8a6f2c12bd680295aeb2390865a43ca6c342e89e706b9c355505495780872771dafc998fd

Download Submit
C:\Windows\SysWOW64\Iabglnco.exe

Filesize
233KB

MD5
dbc014197a659d45061eab217aa6b983

SHA1
3d58374d175044f4e09e671b54493405fc0abdfd

SHA256
607bcc367c74a3bf6f2236a77da2f24451b713819d3f53446148723b51f97483

SHA512
0eb69bf23e6f12c597fb708626f14405df94be0b33bf38fd8bf848fb894b586c35b159dce8e01ad3b7c108c5ee5aeab942ca8ed74589e3cc473442ff693d45d6

Download Submit
C:\Windows\SysWOW64\Ibnjkbog.exe

Filesize
233KB

MD5
3236e8b8bb4f17e14de3c1270b6dc971

SHA1
176bf1cb0d82a086d51d85a21cdf0020b5c64544

SHA256
7238457ed7e5b7c4919709522f47c54e38286693250a693223d73860f4d90df3

SHA512
5cb9f4626ff01b562ad8838c0bbf7865127c955805a554aa14a1922a885a2d1948120f3c418a675b91e2675d42a69f9ea3b82b4af54152067687343906e62576

Download Submit
C:\Windows\SysWOW64\Iccpniqp.exe

Filesize
233KB

MD5
30403c83c50f4c84ec0e3f59258cd6aa

SHA1
b33de4ac5d6fade9666f8d28e44656fda6713845

SHA256
ead862a9f17a82d37a30293a40ba5dd29dc269dccfa60ef7620f93aa8d5fe83e

SHA512
fade92db477affc31c4c884b2550bac8bad2ab5b6f08087c566eed90bf16d1e37ee2b6ebdcb843f7de3655fcea1cdfe274bd9e8fd0a6a0d10723b28a52837971

Download Submit
C:\Windows\SysWOW64\Ijkled32.exe

Filesize
233KB

MD5
11b2f24614930d1821d27ead9043fdda

SHA1
dd69f07514d19a72191e0edf4bea76075d8ade4b

SHA256
55924dc1d5e7069687cf21b3c5ca7640b4c96e6b7c59962278b599273086c31d

SHA512
6708fc4621bb66de968c785f9265ae25d73b93cd1091f9d67972df32488ad0197bd0a5da95b087591bb0a21b1a79c1ea777c327a356fb8514b0eafea997365d0

Download Submit
C:\Windows\SysWOW64\Ilfodgeg.exe

Filesize
233KB

MD5
8cc3d25dfeb0211e99f481d2e7f73fdc

SHA1
dc25f24f89828fe8c7e2f9713317dc52b11053f9

SHA256
18f4a251cd2f9e0142635670e8f6e08805c1cfdae5a6488adcd492f654d094b5

SHA512
44d4d689e6e3f386610e0895b70b19be4e6240452fbb8d5fade12042d222bd4f6a6fa054c063e7611799a64ceb4203517a2282a3b8337cf588c6f1e8d801c0f7

Download Submit
C:\Windows\SysWOW64\Inidkb32.exe

Filesize
233KB

MD5
86ed8ac54046c78471ec7f50f29530f6

SHA1
106a6ccac5395ff9304f0a4da91497c658afb320

SHA256
42acfe4c26c894e877b71f1500341a1f46046a06880ed5f4f9517ce83b66b790

SHA512
aabd4b4307c21f7a4307f2366eab9aad58c16ef8152ff6961dc1a926b3c39446c69f4a8e5d059e344c5c1fe9214fd8473b21beaa641e70ff5fee9251c73f7875

Download Submit
C:\Windows\SysWOW64\Kdpiqehp.exe

Filesize
233KB

MD5
8699ce60fd2128d6114ae2d6495a5101

SHA1
e7b932ffa60d3ee663ed811a4ac6a6137b115f3d

SHA256
2166089a57240adb1439f800aafdd7ccbbca2aa83c4f95cea42eaa11b46faa64

SHA512
e737dca8b08e750756e6dcde801bb0f0dee30b345fe27afdb542aff1deb78372bf162dc3d83bd6b3266955d617351a51d53bc571fff2a27e03789e50ed84e52f

Download Submit
C:\Windows\SysWOW64\Lajokiaa.exe

Filesize
233KB

MD5
fc420c21880eaa02d2a145a06d40cac7

SHA1
5f89bce464cc3fe8b86f0d0a1d7a4e2ce3455274

SHA256
4c769e308ce868937bd709dca16f73b6f4b9e17e70a5dafb4598877a47efba0d

SHA512
6d5e629793ccf6acffd204c06b15a7be45e0d605a1e950ef9517ae784bd5de1531ee8f61cb43b71c6c756ee0e7f503c8b02e8f57213b6def87f724691163932e

Download Submit
C:\Windows\SysWOW64\Mccokj32.exe

Filesize
233KB

MD5
ba5de30ca847a7da9b0c242d8f420213

SHA1
94d5a4e19316e4dfee3f86dbeb41997af13e76a9

SHA256
9399b7300fc45f4566a6fafae58eeea7495ec656632b4e052b199df74228e6df

SHA512
14b49e790b1fc941c8176d56c89a884080e22658957878d612db70b1b02fb9de6dd673cbe2a496520bdcd3e30278e40ce57f4b4786ca8555669fd10ee0245e0f

Download Submit
C:\Windows\SysWOW64\Nheqnpjk.exe

Filesize
128KB

MD5
fcefe2bb4e8a69b62e85d87ff5ec89d9

SHA1
9ecadab713e70fa6d87cec731830271a27ce0ede

SHA256
53dfe8048f07e76bde1138d59e70445d7c740023ee2588858a0cc284427e1f28

SHA512
89358ebf5002c64f2010b8a9f7e0de4d140884065726b367b362adabd3ecce79da595801e97cc5a4d9b96c90e095919c444955d97e64e1d5cc1784c18a1ee148

Download Submit
C:\Windows\SysWOW64\Obkahddl.exe

Filesize
233KB

MD5
b455f547acc1a3c037d8d33d00e2f155

SHA1
4b6aa32a405ee9d09816c0c93da148c67f93ce55

SHA256
095fb65c9855aec4ec74c3a64820faa0b723c0cdabea436201a55b32d2223b61

SHA512
8a42a5561da124684f12c636a78357fb786be3e2c0cfba6a00e4b4c23078520488a5573544db79ea09147cf421c70aeeae489a74369cf450a76f3d624e61317c

Download Submit
C:\Windows\SysWOW64\Odbgdp32.exe

Filesize
233KB

MD5
b79b368c78b0c1f4e3aacc66468cf569

SHA1
b7c56287ea1212b8be2ba8a6f8a2cd8c5e25e0a3

SHA256
7899de899f4d8942675e8ef4c4300a692762baca995af0d4bfcd1a567b1c196e

SHA512
326c7d45d9f3b82ffa6167f7007a67710c095c620bef0c6f61065d9ea9a81ea21ff7c652f1ab26461f38b2267e23c52350dd1bfefbb502ed3ca3ec1d78bf2808

Download Submit
C:\Windows\SysWOW64\Pbgqdb32.exe

Filesize
233KB

MD5
e62f991ac2c26680d59dc6ae389a8a54

SHA1
baea65f5ca68cc053136e861e93bc1955bee16ce

SHA256
4ce2fac9d65f17b89dcebabcd75fd28dc5d3b9ea016f197a5a43764fd4035f54

SHA512
c3db770f4346f34b78dccc8f02e564186f898dd57ef582ad90764a443a0ec48c87ca52fe04979515874c37daaa03de5c1aab6b519e9b5e6c7662c67088ab59cb

Download Submit
C:\Windows\SysWOW64\Pijcpmhc.exe

Filesize
233KB

MD5
1f5931e7fbc4456c8ab011a48e450d54

SHA1
28858b21c303e19ffb0692018e7d8f8331039cfa

SHA256
a4a676696fa055cc83e7bb714cf019558b6717887f5c6e814500f107831da972

SHA512
664974f914bcc7ec877c7eeacf0626217ab4ee67ee16e5568212a2beea401600e42dae5962ff42c7f8f243fa0355fbff48d77a3b2e50ca7cdc51a940486075b9

Download Submit
C:\Windows\SysWOW64\Qifbll32.exe

Filesize
233KB

MD5
b8e4f881380b86ef360b59254ca4eceb

SHA1
7a13925ac3f41f0e1b0f77241e8c84ab0fdc8333

SHA256
81c8955aae51697790cb53da8eec27359da7e5f04f79433fca8b8870bd6886e0

SHA512
817aef842a9a962e822c6742c78f797436ff14560f3976cbda33e8f59dc6c904ce1e4e2f2d9889b55101d6426167fdb72bea37115f29b9ede96cb69c6ed17623

Download Submit
memory/532-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/536-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/720-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/800-388-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1004-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1084-593-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1084-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1128-565-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1128-23-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1180-199-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1252-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1296-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1312-558-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1312-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1344-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1448-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1472-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1512-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1532-111-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1792-192-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1832-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1888-364-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1916-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2092-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2192-239-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2256-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2256-586-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2260-175-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2288-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2356-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2372-231-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2460-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2480-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2516-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2576-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2604-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2616-579-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2616-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2628-140-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2664-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2680-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2920-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2920-572-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3288-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3332-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3356-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3380-544-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3380-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3428-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3776-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3988-183-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3992-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4152-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4256-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4312-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4340-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4424-556-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4428-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4548-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4640-223-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4676-344-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4680-357-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4728-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4728-551-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4768-394-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4924-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5168-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5212-559-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5224-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5264-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5304-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5312-569-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5344-430-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5384-436-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5416-573-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5424-442-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5464-448-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5504-454-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5516-584-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5544-460-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5584-466-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5596-587-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5624-472-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5664-478-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5672-594-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5704-484-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5744-490-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5784-496-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5824-502-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5864-512-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5896-514-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5944-520-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5984-526-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/6024-532-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/6064-538-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/6120-545-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads