3a153d9775478b5ac2267db20ee9a7d33f8f67f365cae469dc26b091ec6eb473

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21c39d9124a84a15292bd1927c911fe0N.exe
Size

94KB
MD5

21c39d9124a84a15292bd1927c911fe0
SHA1

e9fc0831c940d5638fc8b437568f87e9ce4fbea4
SHA256

3a153d9775478b5ac2267db20ee9a7d33f8f67f365cae469dc26b091ec6eb473
SHA512

ab5e89922104f7bda141e4216bbee3bac6972daab3d4ec98d36fd20eb5a15f09268066e8dabac06a85b69992157772a03c7f4bdb1581594622a39762a119adbe
SSDEEP

1536:FYIEh4Wv/W1y0IlbcPa+z4kkWeFppoqaqqVqTK2oXA9hiF87BR9L4DT2EnINs:6IE6AWEZbua+DkWttOiF86+ob

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhlfoodc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Heepfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jeolckne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmagch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egpnooan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbknebqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijkled32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkegbpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qpbgnecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aimhmkgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfjllnnm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeolckne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klpjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lehhqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhgdmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdknpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Logicn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbknebqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhhodg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kblpcndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lacijjgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkmhgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfjeckpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijbbfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mociol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mccokj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfiagd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odbgdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcncodki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbnlim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldfoad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgihop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgcmbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mekdffee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpagc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khabke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhnjna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejobk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpcila32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaqcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kocphojh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Moalil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eajlhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjhfif32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loopdmpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkjckkcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Obfhmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pijcpmhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhiabbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egegjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaekg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcpakn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhgdmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfjcep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnalmh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcqjal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jnbgaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loemnnhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Noaeqjpe.exe

Executes dropped EXE 64 IoCs

pid	Process
2680	Ddfbgelh.exe
4752	Dgdncplk.exe
3836	Dnngpj32.exe
4148	Dpmcmf32.exe
4648	Dckoia32.exe
4888	Dkbgjo32.exe
3220	Dgihop32.exe
4192	Daollh32.exe
2784	Dcphdqmj.exe
1732	Ejjaqk32.exe
852	Edoencdm.exe
1028	Egnajocq.exe
1784	Enhifi32.exe
2028	Egpnooan.exe
1340	Eafbmgad.exe
3212	Ecgodpgb.exe
3036	Ekngemhd.exe
2696	Eqkondfl.exe
4932	Egegjn32.exe
2772	Eajlhg32.exe
208	Fclhpo32.exe
4764	Fnalmh32.exe
4528	Fqphic32.exe
4432	Fkemfl32.exe
724	Fqbeoc32.exe
1520	Fcpakn32.exe
2460	Fnffhgon.exe
1780	Fcbnpnme.exe
4032	Gkoplk32.exe
676	Gbhhieao.exe
316	Ggepalof.exe
1572	Gnohnffc.exe
5080	Gqnejaff.exe
2264	Gkcigjel.exe
5012	Gnaecedp.exe
1676	Gdknpp32.exe
4336	Ggjjlk32.exe
4144	Gjhfif32.exe
4936	Gndbie32.exe
1932	Gcqjal32.exe
4860	Gkhbbi32.exe
4400	Gbbkocid.exe
4356	Hccggl32.exe
3352	Hkjohi32.exe
4576	Hbdgec32.exe
3124	Hebcao32.exe
2436	Hgapmj32.exe
436	Hnkhjdle.exe
2332	Heepfn32.exe
3244	Hgcmbj32.exe
4360	Hjaioe32.exe
3416	Hnmeodjc.exe
3120	Hcjmhk32.exe
2052	Hjdedepg.exe
4920	Hbknebqi.exe
4252	Hcljmj32.exe
2756	Hkcbnh32.exe
1724	Hnbnjc32.exe
3136	Iapjgo32.exe
2960	Igjbci32.exe
5048	Ibpgqa32.exe
4060	Icachjbb.exe
1816	Igmoih32.exe
4228	Ijkled32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hjdedepg.exe	Hcjmhk32.exe
File opened for modification	C:\Windows\SysWOW64\Hnbnjc32.exe	Hkcbnh32.exe
File opened for modification	C:\Windows\SysWOW64\Llkjmb32.exe	Lhpnlclc.exe
File created	C:\Windows\SysWOW64\Knojng32.dll	Peempn32.exe
File opened for modification	C:\Windows\SysWOW64\Cpcila32.exe	Cfjeckpj.exe
File created	C:\Windows\SysWOW64\Naefjl32.dll	Ddekmo32.exe
File created	C:\Windows\SysWOW64\Jjjfeo32.dll	Daollh32.exe
File created	C:\Windows\SysWOW64\Edngom32.dll	Hkjohi32.exe
File opened for modification	C:\Windows\SysWOW64\Hbknebqi.exe	Hjdedepg.exe
File opened for modification	C:\Windows\SysWOW64\Fqbeoc32.exe	Fkemfl32.exe
File opened for modification	C:\Windows\SysWOW64\Gcqjal32.exe	Gndbie32.exe
File created	C:\Windows\SysWOW64\Hjjcnl32.dll	Hbdgec32.exe
File created	C:\Windows\SysWOW64\Llngbabj.exe	Ldfoad32.exe
File created	C:\Windows\SysWOW64\Hjnmfk32.dll	Mdghhb32.exe
File created	C:\Windows\SysWOW64\Oenflo32.dll	Qfgfpp32.exe
File created	C:\Windows\SysWOW64\Dbnefjjd.dll	Jaqcnl32.exe
File created	C:\Windows\SysWOW64\Kncgmcgd.dll	Ochamg32.exe
File created	C:\Windows\SysWOW64\Qcncodki.exe	Qpbgnecp.exe
File opened for modification	C:\Windows\SysWOW64\Ddekmo32.exe	Dipgpf32.exe
File created	C:\Windows\SysWOW64\Balodg32.dll	Mdpagc32.exe
File opened for modification	C:\Windows\SysWOW64\Nakhaf32.exe	Nomlek32.exe
File created	C:\Windows\SysWOW64\Lchfjc32.dll	Ohncdobq.exe
File created	C:\Windows\SysWOW64\Dbebgj32.dll	Beaecjab.exe
File opened for modification	C:\Windows\SysWOW64\Egegjn32.exe	Eqkondfl.exe
File created	C:\Windows\SysWOW64\Hccggl32.exe	Gbbkocid.exe
File opened for modification	C:\Windows\SysWOW64\Kajfdk32.exe	Koljgppp.exe
File created	C:\Windows\SysWOW64\Gjhfif32.exe	Ggjjlk32.exe
File created	C:\Windows\SysWOW64\Hfamlaff.dll	Ibdplaho.exe
File created	C:\Windows\SysWOW64\Oacmli32.dll	Khabke32.exe
File created	C:\Windows\SysWOW64\Bkjbah32.dll	Klddlckd.exe
File created	C:\Windows\SysWOW64\Fqphic32.exe	Fnalmh32.exe
File created	C:\Windows\SysWOW64\Hjaioe32.exe	Hgcmbj32.exe
File opened for modification	C:\Windows\SysWOW64\Kdpiqehp.exe	Kbnlim32.exe
File created	C:\Windows\SysWOW64\Hmmppdij.dll	Qcncodki.exe
File created	C:\Windows\SysWOW64\Mjfkgg32.dll	Jaljbmkd.exe
File created	C:\Windows\SysWOW64\Gedkhf32.dll	Koljgppp.exe
File created	C:\Windows\SysWOW64\Lhgdmb32.exe	Lehhqg32.exe
File opened for modification	C:\Windows\SysWOW64\Noaeqjpe.exe	Nlcidopb.exe
File created	C:\Windows\SysWOW64\Meghme32.dll	Mafofggd.exe
File created	C:\Windows\SysWOW64\Pfncia32.exe	Pijcpmhc.exe
File created	C:\Windows\SysWOW64\Cbhkkpon.dll	Bmkjig32.exe
File created	C:\Windows\SysWOW64\Ddqbbo32.exe	Ciknefmk.exe
File created	C:\Windows\SysWOW64\Imdnon32.dll	Dpgbgpbe.exe
File created	C:\Windows\SysWOW64\Eafbmgad.exe	Egpnooan.exe
File created	C:\Windows\SysWOW64\Ibpgqa32.exe	Igjbci32.exe
File created	C:\Windows\SysWOW64\Khihld32.exe	Kejloi32.exe
File created	C:\Windows\SysWOW64\Mafofggd.exe	Mccokj32.exe
File opened for modification	C:\Windows\SysWOW64\Nfiagd32.exe	Ncjdki32.exe
File opened for modification	C:\Windows\SysWOW64\Nhgmcp32.exe	Nfiagd32.exe
File created	C:\Windows\SysWOW64\Lacijjgi.exe	Loemnnhe.exe
File created	C:\Windows\SysWOW64\Ohncdobq.exe	Odbgdp32.exe
File created	C:\Windows\SysWOW64\Pilpfm32.exe	Pfncia32.exe
File opened for modification	C:\Windows\SysWOW64\Gnaecedp.exe	Gkcigjel.exe
File opened for modification	C:\Windows\SysWOW64\Igjbci32.exe	Iapjgo32.exe
File created	C:\Windows\SysWOW64\Fbbnhl32.dll	Ijkled32.exe
File created	C:\Windows\SysWOW64\Kdhbpf32.exe	Kajfdk32.exe
File opened for modification	C:\Windows\SysWOW64\Mhnjna32.exe	Madbagif.exe
File opened for modification	C:\Windows\SysWOW64\Bejobk32.exe	Bblcfo32.exe
File created	C:\Windows\SysWOW64\Codncb32.dll	Ncaklhdi.exe
File created	C:\Windows\SysWOW64\Peempn32.exe	Pkmhgh32.exe
File created	C:\Windows\SysWOW64\Ahkdgl32.dll	Dgihop32.exe
File opened for modification	C:\Windows\SysWOW64\Hbdgec32.exe	Hkjohi32.exe
File created	C:\Windows\SysWOW64\Ompbfo32.dll	Hcljmj32.exe
File created	C:\Windows\SysWOW64\Lbhool32.exe	Lolcnman.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8056	7980	WerFault.exe	314

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkcbnh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mekdffee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aimhmkgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjdedepg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhlfoodc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odbgdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ookhfigk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkabbgol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afeban32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loopdmpk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejobk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbbmmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alpnde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pijcpmhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbdkhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohncdobq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjhfif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eafbmgad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeolckne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khabke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lojfin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Peempn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edoencdm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlgjhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndpjnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddekmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkbgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pilpfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcfmneaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnohnffc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hebcao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhmhpfmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcjldk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ochamg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddqbbo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnngpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbngeadf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obfhmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqkondfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkoplk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjaioe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcabej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	21c39d9124a84a15292bd1927c911fe0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkjjdmaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcnleb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icachjbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdghhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkmhgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aidomjaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhiabbdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnkhjdle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggjjlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hccggl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocphojh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldbefe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhdggb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egpnooan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loemnnhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mociol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmmgof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcqjal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaqcnl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldfoad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nconfh32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibdplaho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jnpjlajn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Obfhmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clpkdlkd.dll"	Oooaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddfbgelh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ecgodpgb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hgapmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibgmaqfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lndkebgi.dll"	Jhfbog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nhjjip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acbmjcgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddqbbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agecdgmk.dll"	21c39d9124a84a15292bd1927c911fe0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Enhifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hkcbnh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Noaeqjpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ookhfigk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pkmhgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddfbgelh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hnkhjdle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Heepfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jopaaj32.dll"	Iapjgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmjdlb32.dll"	Loemnnhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpjepamq.dll"	Moalil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcabej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nomlek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aidomjaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmagch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjhfif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbppgona.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lhgdmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kefjdppe.dll"	Mccokj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdojoeki.dll"	Ookhfigk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqjhif32.dll"	Acppddig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dpmcmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laffpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edkamckh.dll"	Pkmhgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfhfap32.dll"	Afeban32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gdknpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedlic32.dll"	Hnkhjdle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Loopdmpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oheienli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cekhihig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hkjohi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klgqabib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfeliqka.dll"	Lojfin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mafofggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchfjc32.dll"	Ohncdobq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acbmjcgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qecnjaee.dll"	Cekhihig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gndbie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nhgmcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nonhbi32.dll"	Pcfmneaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Igmoih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfdfbqe.dll"	Klpjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehilac32.dll"	Kejloi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgdncplk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgihop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edpabila.dll"	Gkhbbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjfaml32.dll"	Mekdffee.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 2680	1424	21c39d9124a84a15292bd1927c911fe0N.exe	88
PID 1424 wrote to memory of 2680	1424	21c39d9124a84a15292bd1927c911fe0N.exe	88
PID 1424 wrote to memory of 2680	1424	21c39d9124a84a15292bd1927c911fe0N.exe	88
PID 2680 wrote to memory of 4752	2680	Ddfbgelh.exe	89
PID 2680 wrote to memory of 4752	2680	Ddfbgelh.exe	89
PID 2680 wrote to memory of 4752	2680	Ddfbgelh.exe	89
PID 4752 wrote to memory of 3836	4752	Dgdncplk.exe	90
PID 4752 wrote to memory of 3836	4752	Dgdncplk.exe	90
PID 4752 wrote to memory of 3836	4752	Dgdncplk.exe	90
PID 3836 wrote to memory of 4148	3836	Dnngpj32.exe	91
PID 3836 wrote to memory of 4148	3836	Dnngpj32.exe	91
PID 3836 wrote to memory of 4148	3836	Dnngpj32.exe	91
PID 4148 wrote to memory of 4648	4148	Dpmcmf32.exe	92
PID 4148 wrote to memory of 4648	4148	Dpmcmf32.exe	92
PID 4148 wrote to memory of 4648	4148	Dpmcmf32.exe	92
PID 4648 wrote to memory of 4888	4648	Dckoia32.exe	94
PID 4648 wrote to memory of 4888	4648	Dckoia32.exe	94
PID 4648 wrote to memory of 4888	4648	Dckoia32.exe	94
PID 4888 wrote to memory of 3220	4888	Dkbgjo32.exe	95
PID 4888 wrote to memory of 3220	4888	Dkbgjo32.exe	95
PID 4888 wrote to memory of 3220	4888	Dkbgjo32.exe	95
PID 3220 wrote to memory of 4192	3220	Dgihop32.exe	96
PID 3220 wrote to memory of 4192	3220	Dgihop32.exe	96
PID 3220 wrote to memory of 4192	3220	Dgihop32.exe	96
PID 4192 wrote to memory of 2784	4192	Daollh32.exe	98
PID 4192 wrote to memory of 2784	4192	Daollh32.exe	98
PID 4192 wrote to memory of 2784	4192	Daollh32.exe	98
PID 2784 wrote to memory of 1732	2784	Dcphdqmj.exe	99
PID 2784 wrote to memory of 1732	2784	Dcphdqmj.exe	99
PID 2784 wrote to memory of 1732	2784	Dcphdqmj.exe	99
PID 1732 wrote to memory of 852	1732	Ejjaqk32.exe	100
PID 1732 wrote to memory of 852	1732	Ejjaqk32.exe	100
PID 1732 wrote to memory of 852	1732	Ejjaqk32.exe	100
PID 852 wrote to memory of 1028	852	Edoencdm.exe	101
PID 852 wrote to memory of 1028	852	Edoencdm.exe	101
PID 852 wrote to memory of 1028	852	Edoencdm.exe	101
PID 1028 wrote to memory of 1784	1028	Egnajocq.exe	102
PID 1028 wrote to memory of 1784	1028	Egnajocq.exe	102
PID 1028 wrote to memory of 1784	1028	Egnajocq.exe	102
PID 1784 wrote to memory of 2028	1784	Enhifi32.exe	103
PID 1784 wrote to memory of 2028	1784	Enhifi32.exe	103
PID 1784 wrote to memory of 2028	1784	Enhifi32.exe	103
PID 2028 wrote to memory of 1340	2028	Egpnooan.exe	104
PID 2028 wrote to memory of 1340	2028	Egpnooan.exe	104
PID 2028 wrote to memory of 1340	2028	Egpnooan.exe	104
PID 1340 wrote to memory of 3212	1340	Eafbmgad.exe	106
PID 1340 wrote to memory of 3212	1340	Eafbmgad.exe	106
PID 1340 wrote to memory of 3212	1340	Eafbmgad.exe	106
PID 3212 wrote to memory of 3036	3212	Ecgodpgb.exe	107
PID 3212 wrote to memory of 3036	3212	Ecgodpgb.exe	107
PID 3212 wrote to memory of 3036	3212	Ecgodpgb.exe	107
PID 3036 wrote to memory of 2696	3036	Ekngemhd.exe	108
PID 3036 wrote to memory of 2696	3036	Ekngemhd.exe	108
PID 3036 wrote to memory of 2696	3036	Ekngemhd.exe	108
PID 2696 wrote to memory of 4932	2696	Eqkondfl.exe	109
PID 2696 wrote to memory of 4932	2696	Eqkondfl.exe	109
PID 2696 wrote to memory of 4932	2696	Eqkondfl.exe	109
PID 4932 wrote to memory of 2772	4932	Egegjn32.exe	110
PID 4932 wrote to memory of 2772	4932	Egegjn32.exe	110
PID 4932 wrote to memory of 2772	4932	Egegjn32.exe	110
PID 2772 wrote to memory of 208	2772	Eajlhg32.exe	111
PID 2772 wrote to memory of 208	2772	Eajlhg32.exe	111
PID 2772 wrote to memory of 208	2772	Eajlhg32.exe	111
PID 208 wrote to memory of 4764	208	Fclhpo32.exe	112

C:\Users\Admin\AppData\Local\Temp\21c39d9124a84a15292bd1927c911fe0N.exe
"C:\Users\Admin\AppData\Local\Temp\21c39d9124a84a15292bd1927c911fe0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\SysWOW64\Ddfbgelh.exe
  C:\Windows\system32\Ddfbgelh.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\Dgdncplk.exe
    C:\Windows\system32\Dgdncplk.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Windows\SysWOW64\Dnngpj32.exe
      C:\Windows\system32\Dnngpj32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3836
    - - C:\Windows\SysWOW64\Dpmcmf32.exe
        
        C:\Windows\system32\Dpmcmf32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4148
      - C:\Windows\SysWOW64\Dckoia32.exe
        
        C:\Windows\system32\Dckoia32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\Dkbgjo32.exe
        
        C:\Windows\system32\Dkbgjo32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Dgihop32.exe
        
        C:\Windows\system32\Dgihop32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Daollh32.exe
        
        C:\Windows\system32\Daollh32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SysWOW64\Dcphdqmj.exe
        
        C:\Windows\system32\Dcphdqmj.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\Ejjaqk32.exe
        
        C:\Windows\system32\Ejjaqk32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Edoencdm.exe
        
        C:\Windows\system32\Edoencdm.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\Egnajocq.exe
        
        C:\Windows\system32\Egnajocq.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Enhifi32.exe
        
        C:\Windows\system32\Enhifi32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Egpnooan.exe
        
        C:\Windows\system32\Egpnooan.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Eafbmgad.exe
        
        C:\Windows\system32\Eafbmgad.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\Ecgodpgb.exe
        
        C:\Windows\system32\Ecgodpgb.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Ekngemhd.exe
        
        C:\Windows\system32\Ekngemhd.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Eajlhg32.exe
        
        C:\Windows\system32\Eajlhg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Fnalmh32.exe
        
        C:\Windows\system32\Fnalmh32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4764
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        24⤵
        Executes dropped EXE
        
        PID:4528
        
        C:\Windows\SysWOW64\Fkemfl32.exe
        
        C:\Windows\system32\Fkemfl32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4432
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        26⤵
        Executes dropped EXE
        
        PID:724
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        28⤵
        Executes dropped EXE
        
        PID:2460
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Gkoplk32.exe
        
        C:\Windows\system32\Gkoplk32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4032
        
        C:\Windows\SysWOW64\Gbhhieao.exe
        
        C:\Windows\system32\Gbhhieao.exe
        31⤵
        Executes dropped EXE
        
        PID:676
        
        C:\Windows\SysWOW64\Ggepalof.exe
        
        C:\Windows\system32\Ggepalof.exe
        32⤵
        Executes dropped EXE
        
        PID:316
        
        C:\Windows\SysWOW64\Gnohnffc.exe
        
        C:\Windows\system32\Gnohnffc.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\Gqnejaff.exe
        
        C:\Windows\system32\Gqnejaff.exe
        34⤵
        Executes dropped EXE
        
        PID:5080
        
        C:\Windows\SysWOW64\Gkcigjel.exe
        
        C:\Windows\system32\Gkcigjel.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2264
        
        C:\Windows\SysWOW64\Gnaecedp.exe
        
        C:\Windows\system32\Gnaecedp.exe
        36⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\Gdknpp32.exe
        
        C:\Windows\system32\Gdknpp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Ggjjlk32.exe
        
        C:\Windows\system32\Ggjjlk32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4336
        
        C:\Windows\SysWOW64\Gjhfif32.exe
        
        C:\Windows\system32\Gjhfif32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Gndbie32.exe
        
        C:\Windows\system32\Gndbie32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Gcqjal32.exe
        
        C:\Windows\system32\Gcqjal32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\Gkhbbi32.exe
        
        C:\Windows\system32\Gkhbbi32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Gbbkocid.exe
        
        C:\Windows\system32\Gbbkocid.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4400
        
        C:\Windows\SysWOW64\Hccggl32.exe
        
        C:\Windows\system32\Hccggl32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\SysWOW64\Hkjohi32.exe
        
        C:\Windows\system32\Hkjohi32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Hbdgec32.exe
        
        C:\Windows\system32\Hbdgec32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4576
        
        C:\Windows\SysWOW64\Hebcao32.exe
        
        C:\Windows\system32\Hebcao32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Windows\SysWOW64\Hgapmj32.exe
        
        C:\Windows\system32\Hgapmj32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Hnkhjdle.exe
        
        C:\Windows\system32\Hnkhjdle.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Heepfn32.exe
        
        C:\Windows\system32\Heepfn32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Hgcmbj32.exe
        
        C:\Windows\system32\Hgcmbj32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3244
        
        C:\Windows\SysWOW64\Hjaioe32.exe
        
        C:\Windows\system32\Hjaioe32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Hnmeodjc.exe
        
        C:\Windows\system32\Hnmeodjc.exe
        53⤵
        Executes dropped EXE
        
        PID:3416
        
        C:\Windows\SysWOW64\Hcjmhk32.exe
        
        C:\Windows\system32\Hcjmhk32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3120
        
        C:\Windows\SysWOW64\Hjdedepg.exe
        
        C:\Windows\system32\Hjdedepg.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\Hbknebqi.exe
        
        C:\Windows\system32\Hbknebqi.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4920
        
        C:\Windows\SysWOW64\Hcljmj32.exe
        
        C:\Windows\system32\Hcljmj32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4252
        
        C:\Windows\SysWOW64\Hkcbnh32.exe
        
        C:\Windows\system32\Hkcbnh32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Hnbnjc32.exe
        
        C:\Windows\system32\Hnbnjc32.exe
        59⤵
        Executes dropped EXE
        
        PID:1724
        
        C:\Windows\SysWOW64\Iapjgo32.exe
        
        C:\Windows\system32\Iapjgo32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Igjbci32.exe
        
        C:\Windows\system32\Igjbci32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2960
        
        C:\Windows\SysWOW64\Ibpgqa32.exe
        
        C:\Windows\system32\Ibpgqa32.exe
        62⤵
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\SysWOW64\Icachjbb.exe
        
        C:\Windows\system32\Icachjbb.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Windows\SysWOW64\Igmoih32.exe
        
        C:\Windows\system32\Igmoih32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Ijkled32.exe
        
        C:\Windows\system32\Ijkled32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4228
        
        C:\Windows\SysWOW64\Ibbcfa32.exe
        
        C:\Windows\system32\Ibbcfa32.exe
        66⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\Iholohii.exe
        
        C:\Windows\system32\Iholohii.exe
        67⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\Ilkhog32.exe
        
        C:\Windows\system32\Ilkhog32.exe
        68⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\Ibdplaho.exe
        
        C:\Windows\system32\Ibdplaho.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Iecmhlhb.exe
        
        C:\Windows\system32\Iecmhlhb.exe
        70⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\Ihaidhgf.exe
        
        C:\Windows\system32\Ihaidhgf.exe
        71⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\Ijpepcfj.exe
        
        C:\Windows\system32\Ijpepcfj.exe
        72⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\Ibgmaqfl.exe
        
        C:\Windows\system32\Ibgmaqfl.exe
        73⤵
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Idhiii32.exe
        
        C:\Windows\system32\Idhiii32.exe
        74⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Ijbbfc32.exe
        
        C:\Windows\system32\Ijbbfc32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5244
        
        C:\Windows\SysWOW64\Jaljbmkd.exe
        
        C:\Windows\system32\Jaljbmkd.exe
        76⤵
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Jehfcl32.exe
        
        C:\Windows\system32\Jehfcl32.exe
        77⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Jhfbog32.exe
        
        C:\Windows\system32\Jhfbog32.exe
        78⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Jnpjlajn.exe
        
        C:\Windows\system32\Jnpjlajn.exe
        79⤵
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Jejbhk32.exe
        
        C:\Windows\system32\Jejbhk32.exe
        80⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Jhhodg32.exe
        
        C:\Windows\system32\Jhhodg32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5508
        
        C:\Windows\SysWOW64\Jnbgaa32.exe
        
        C:\Windows\system32\Jnbgaa32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5556
        
        C:\Windows\SysWOW64\Jaqcnl32.exe
        
        C:\Windows\system32\Jaqcnl32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5600
        
        C:\Windows\SysWOW64\Jdopjh32.exe
        
        C:\Windows\system32\Jdopjh32.exe
        84⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Jbppgona.exe
        
        C:\Windows\system32\Jbppgona.exe
        85⤵
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Jeolckne.exe
        
        C:\Windows\system32\Jeolckne.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5728
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:5772
        
        C:\Windows\SysWOW64\Jbbmmo32.exe
        
        C:\Windows\system32\Jbbmmo32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5816
        
        C:\Windows\SysWOW64\Jhoeef32.exe
        
        C:\Windows\system32\Jhoeef32.exe
        89⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Kbeibo32.exe
        
        C:\Windows\system32\Kbeibo32.exe
        90⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Khabke32.exe
        
        C:\Windows\system32\Khabke32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5952
        
        C:\Windows\SysWOW64\Koljgppp.exe
        
        C:\Windows\system32\Koljgppp.exe
        92⤵
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\Kajfdk32.exe
        
        C:\Windows\system32\Kajfdk32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6076
        
        C:\Windows\SysWOW64\Kdhbpf32.exe
        
        C:\Windows\system32\Kdhbpf32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6128
        
        C:\Windows\SysWOW64\Klpjad32.exe
        
        C:\Windows\system32\Klpjad32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Kongmo32.exe
        
        C:\Windows\system32\Kongmo32.exe
        96⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Kalcik32.exe
        
        C:\Windows\system32\Kalcik32.exe
        97⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Kdkoef32.exe
        
        C:\Windows\system32\Kdkoef32.exe
        98⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Kkegbpca.exe
        
        C:\Windows\system32\Kkegbpca.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5452
        
        C:\Windows\SysWOW64\Kblpcndd.exe
        
        C:\Windows\system32\Kblpcndd.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5540
        
        C:\Windows\SysWOW64\Kejloi32.exe
        
        C:\Windows\system32\Kejloi32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Khihld32.exe
        
        C:\Windows\system32\Khihld32.exe
        102⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Klddlckd.exe
        
        C:\Windows\system32\Klddlckd.exe
        103⤵
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5800
        
        C:\Windows\SysWOW64\Kbnlim32.exe
        
        C:\Windows\system32\Kbnlim32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Kdpiqehp.exe
        
        C:\Windows\system32\Kdpiqehp.exe
        106⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Klgqabib.exe
        
        C:\Windows\system32\Klgqabib.exe
        107⤵
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Loemnnhe.exe
        
        C:\Windows\system32\Loemnnhe.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Lacijjgi.exe
        
        C:\Windows\system32\Lacijjgi.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5172
        
        C:\Windows\SysWOW64\Ldbefe32.exe
        
        C:\Windows\system32\Ldbefe32.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5308
        
        C:\Windows\SysWOW64\Llimgb32.exe
        
        C:\Windows\system32\Llimgb32.exe
        111⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5548
        
        C:\Windows\SysWOW64\Laffpi32.exe
        
        C:\Windows\system32\Laffpi32.exe
        113⤵
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Lhpnlclc.exe
        
        C:\Windows\system32\Lhpnlclc.exe
        114⤵
        Drops file in System32 directory
        
        PID:5784
        
        C:\Windows\SysWOW64\Llkjmb32.exe
        
        C:\Windows\system32\Llkjmb32.exe
        115⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Lojfin32.exe
        
        C:\Windows\system32\Lojfin32.exe
        116⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Lahbei32.exe
        
        C:\Windows\system32\Lahbei32.exe
        117⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Ldfoad32.exe
        
        C:\Windows\system32\Ldfoad32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\Llngbabj.exe
        
        C:\Windows\system32\Llngbabj.exe
        119⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Lolcnman.exe
        
        C:\Windows\system32\Lolcnman.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5736
        
        C:\Windows\SysWOW64\Lbhool32.exe
        
        C:\Windows\system32\Lbhool32.exe
        121⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Lefkkg32.exe
        
        C:\Windows\system32\Lefkkg32.exe
        122⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Lhdggb32.exe
        
        C:\Windows\system32\Lhdggb32.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5524
        
        C:\Windows\SysWOW64\Loopdmpk.exe
        
        C:\Windows\system32\Loopdmpk.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Lcjldk32.exe
        
        C:\Windows\system32\Lcjldk32.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:5472
        
        C:\Windows\SysWOW64\Lehhqg32.exe
        
        C:\Windows\system32\Lehhqg32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Lhgdmb32.exe
        
        C:\Windows\system32\Lhgdmb32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Mlbpma32.exe
        
        C:\Windows\system32\Mlbpma32.exe
        128⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Moalil32.exe
        
        C:\Windows\system32\Moalil32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6224
        
        C:\Windows\SysWOW64\Maoifh32.exe
        
        C:\Windows\system32\Maoifh32.exe
        130⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Mekdffee.exe
        
        C:\Windows\system32\Mekdffee.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6324
        
        C:\Windows\SysWOW64\Mhiabbdi.exe
        
        C:\Windows\system32\Mhiabbdi.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6364
        
        C:\Windows\SysWOW64\Mlemcq32.exe
        
        C:\Windows\system32\Mlemcq32.exe
        133⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Mociol32.exe
        
        C:\Windows\system32\Mociol32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6524
        
        C:\Windows\SysWOW64\Maaekg32.exe
        
        C:\Windows\system32\Maaekg32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6580
        
        C:\Windows\SysWOW64\Mdpagc32.exe
        
        C:\Windows\system32\Mdpagc32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6624
        
        C:\Windows\SysWOW64\Mlgjhp32.exe
        
        C:\Windows\system32\Mlgjhp32.exe
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:6668
        
        C:\Windows\SysWOW64\Mkjjdmaj.exe
        
        C:\Windows\system32\Mkjjdmaj.exe
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:6712
        
        C:\Windows\SysWOW64\Mcabej32.exe
        
        C:\Windows\system32\Mcabej32.exe
        139⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6760
        
        C:\Windows\SysWOW64\Madbagif.exe
        
        C:\Windows\system32\Madbagif.exe
        140⤵
        Drops file in System32 directory
        
        PID:6808
        
        C:\Windows\SysWOW64\Mhnjna32.exe
        
        C:\Windows\system32\Mhnjna32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6864
        
        C:\Windows\SysWOW64\Mklfjm32.exe
        
        C:\Windows\system32\Mklfjm32.exe
        142⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Mccokj32.exe
        
        C:\Windows\system32\Mccokj32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6956
        
        C:\Windows\SysWOW64\Mafofggd.exe
        
        C:\Windows\system32\Mafofggd.exe
        144⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7000
        
        C:\Windows\SysWOW64\Mllccpfj.exe
        
        C:\Windows\system32\Mllccpfj.exe
        145⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\Mdghhb32.exe
        
        C:\Windows\system32\Mdghhb32.exe
        146⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7088
        
        C:\Windows\SysWOW64\Nlnpio32.exe
        
        C:\Windows\system32\Nlnpio32.exe
        147⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Nomlek32.exe
        
        C:\Windows\system32\Nomlek32.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Nakhaf32.exe
        
        C:\Windows\system32\Nakhaf32.exe
        149⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Ndidna32.exe
        
        C:\Windows\system32\Ndidna32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6308
        
        C:\Windows\SysWOW64\Nlqloo32.exe
        
        C:\Windows\system32\Nlqloo32.exe
        151⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\Ncjdki32.exe
        
        C:\Windows\system32\Ncjdki32.exe
        152⤵
        Drops file in System32 directory
        
        PID:6520
        
        C:\Windows\SysWOW64\Nfiagd32.exe
        
        C:\Windows\system32\Nfiagd32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6588
        
        C:\Windows\SysWOW64\Nhgmcp32.exe
        
        C:\Windows\system32\Nhgmcp32.exe
        154⤵
        Modifies registry class
        
        PID:6664
        
        C:\Windows\SysWOW64\Nlcidopb.exe
        
        C:\Windows\system32\Nlcidopb.exe
        155⤵
        Drops file in System32 directory
        
        PID:6724
        
        C:\Windows\SysWOW64\Noaeqjpe.exe
        
        C:\Windows\system32\Noaeqjpe.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6792
        
        C:\Windows\SysWOW64\Ncmaai32.exe
        
        C:\Windows\system32\Ncmaai32.exe
        157⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Nhjjip32.exe
        
        C:\Windows\system32\Nhjjip32.exe
        158⤵
        Modifies registry class
        
        PID:6948
        
        C:\Windows\SysWOW64\Nconfh32.exe
        
        C:\Windows\system32\Nconfh32.exe
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:7040
        
        C:\Windows\SysWOW64\Ndpjnq32.exe
        
        C:\Windows\system32\Ndpjnq32.exe
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:7100
        
        C:\Windows\SysWOW64\Nhlfoodc.exe
        
        C:\Windows\system32\Nhlfoodc.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\Nkjckkcg.exe
        
        C:\Windows\system32\Nkjckkcg.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6248
        
        C:\Windows\SysWOW64\Ncaklhdi.exe
        
        C:\Windows\system32\Ncaklhdi.exe
        163⤵
        Drops file in System32 directory
        
        PID:6356
        
        C:\Windows\SysWOW64\Nbdkhe32.exe
        
        C:\Windows\system32\Nbdkhe32.exe
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:6532
        
        C:\Windows\SysWOW64\Odbgdp32.exe
        
        C:\Windows\system32\Odbgdp32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6636
        
        C:\Windows\SysWOW64\Ohncdobq.exe
        
        C:\Windows\system32\Ohncdobq.exe
        166⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6776
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6896
        
        C:\Windows\SysWOW64\Okolfj32.exe
        
        C:\Windows\system32\Okolfj32.exe
        168⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Ookhfigk.exe
        
        C:\Windows\system32\Ookhfigk.exe
        169⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7116
        
        C:\Windows\SysWOW64\Ochamg32.exe
        
        C:\Windows\system32\Ochamg32.exe
        170⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6208
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        171⤵
        Modifies registry class
        
        PID:6504
        
        C:\Windows\SysWOW64\Oooaah32.exe
        
        C:\Windows\system32\Oooaah32.exe
        172⤵
        Modifies registry class
        
        PID:6688
        
        C:\Windows\SysWOW64\Pijcpmhc.exe
        
        C:\Windows\system32\Pijcpmhc.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6856
        
        C:\Windows\SysWOW64\Pfncia32.exe
        
        C:\Windows\system32\Pfncia32.exe
        174⤵
        Drops file in System32 directory
        
        PID:7032
        
        C:\Windows\SysWOW64\Pilpfm32.exe
        
        C:\Windows\system32\Pilpfm32.exe
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:5812
        
        C:\Windows\SysWOW64\Pkmhgh32.exe
        
        C:\Windows\system32\Pkmhgh32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6564
        
        C:\Windows\SysWOW64\Peempn32.exe
        
        C:\Windows\system32\Peempn32.exe
        177⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6872
        
        C:\Windows\SysWOW64\Piaiqlak.exe
        
        C:\Windows\system32\Piaiqlak.exe
        178⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Pcfmneaa.exe
        
        C:\Windows\system32\Pcfmneaa.exe
        179⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6620
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6968
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        181⤵
        Drops file in System32 directory
        
        PID:6740
        
        C:\Windows\SysWOW64\Qmanljfo.exe
        
        C:\Windows\system32\Qmanljfo.exe
        182⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Qbngeadf.exe
        
        C:\Windows\system32\Qbngeadf.exe
        183⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6984
        
        C:\Windows\SysWOW64\Qfjcep32.exe
        
        C:\Windows\system32\Qfjcep32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7212
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        185⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\Qpbgnecp.exe
        
        C:\Windows\system32\Qpbgnecp.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7300
        
        C:\Windows\SysWOW64\Qcncodki.exe
        
        C:\Windows\system32\Qcncodki.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7344
        
        C:\Windows\SysWOW64\Aijlgkjq.exe
        
        C:\Windows\system32\Aijlgkjq.exe
        188⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        189⤵
        Modifies registry class
        
        PID:7432
        
        C:\Windows\SysWOW64\Aimhmkgn.exe
        
        C:\Windows\system32\Aimhmkgn.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7476
        
        C:\Windows\SysWOW64\Acbmjcgd.exe
        
        C:\Windows\system32\Acbmjcgd.exe
        191⤵
        Modifies registry class
        
        PID:7524
        
        C:\Windows\SysWOW64\Abemep32.exe
        
        C:\Windows\system32\Abemep32.exe
        192⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\Aioebj32.exe
        
        C:\Windows\system32\Aioebj32.exe
        193⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\Apimodmh.exe
        
        C:\Windows\system32\Apimodmh.exe
        194⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\Abgjkpll.exe
        
        C:\Windows\system32\Abgjkpll.exe
        195⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\Alpnde32.exe
        
        C:\Windows\system32\Alpnde32.exe
        196⤵
        System Location Discovery: System Language Discovery
        
        PID:7780
        
        C:\Windows\SysWOW64\Afeban32.exe
        
        C:\Windows\system32\Afeban32.exe
        197⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7824
        
        C:\Windows\SysWOW64\Aidomjaf.exe
        
        C:\Windows\system32\Aidomjaf.exe
        198⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7868
        
        C:\Windows\SysWOW64\Bblcfo32.exe
        
        C:\Windows\system32\Bblcfo32.exe
        199⤵
        Drops file in System32 directory
        
        PID:7912
        
        C:\Windows\SysWOW64\Bejobk32.exe
        
        C:\Windows\system32\Bejobk32.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7956
        
        C:\Windows\SysWOW64\Bmagch32.exe
        
        C:\Windows\system32\Bmagch32.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8004
        
        C:\Windows\SysWOW64\Bppcpc32.exe
        
        C:\Windows\system32\Bppcpc32.exe
        202⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\Bfjllnnm.exe
        
        C:\Windows\system32\Bfjllnnm.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8092
        
        C:\Windows\SysWOW64\Bcnleb32.exe
        
        C:\Windows\system32\Bcnleb32.exe
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:8136
        
        C:\Windows\SysWOW64\Beoimjce.exe
        
        C:\Windows\system32\Beoimjce.exe
        205⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\Beaecjab.exe
        
        C:\Windows\system32\Beaecjab.exe
        206⤵
        Drops file in System32 directory
        
        PID:7200
        
        C:\Windows\SysWOW64\Bmkjig32.exe
        
        C:\Windows\system32\Bmkjig32.exe
        207⤵
        Drops file in System32 directory
        
        PID:7264
        
        C:\Windows\SysWOW64\Cmmgof32.exe
        
        C:\Windows\system32\Cmmgof32.exe
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:7328
        
        C:\Windows\SysWOW64\Clbdpc32.exe
        
        C:\Windows\system32\Clbdpc32.exe
        209⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\Cekhihig.exe
        
        C:\Windows\system32\Cekhihig.exe
        210⤵
        Modifies registry class
        
        PID:7464
        
        C:\Windows\SysWOW64\Cfjeckpj.exe
        
        C:\Windows\system32\Cfjeckpj.exe
        211⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7552
        
        C:\Windows\SysWOW64\Cpcila32.exe
        
        C:\Windows\system32\Cpcila32.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7608
        
        C:\Windows\SysWOW64\Ciknefmk.exe
        
        C:\Windows\system32\Ciknefmk.exe
        213⤵
        Drops file in System32 directory
        
        PID:7636
        
        C:\Windows\SysWOW64\Ddqbbo32.exe
        
        C:\Windows\system32\Ddqbbo32.exe
        214⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7724
        
        C:\Windows\SysWOW64\Dpgbgpbe.exe
        
        C:\Windows\system32\Dpgbgpbe.exe
        215⤵
        Drops file in System32 directory
        
        PID:7812
        
        C:\Windows\SysWOW64\Dipgpf32.exe
        
        C:\Windows\system32\Dipgpf32.exe
        216⤵
        Drops file in System32 directory
        
        PID:7880
        
        C:\Windows\SysWOW64\Ddekmo32.exe
        
        C:\Windows\system32\Ddekmo32.exe
        217⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7944
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        218⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7980 -s 212
        219⤵
        Program crash
        
        PID:8056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4292,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=3780 /prefetch:8
1⤵
PID:5724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 7980 -ip 7980
1⤵
PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acbmjcgd.exe

Filesize
94KB

MD5
1f86409798ce1c7788357b7ea94394d9

SHA1
94453a9536da8577d08e3c4ec19cd15046e23c1b

SHA256
ccd1a4d31df856437259cd98c88754e8ef180181521a06a75e87462915a8fcc2

SHA512
66d64abdf431bd36cbdf9ccb8c17fc32789e1835203cc60c9ea61c363864de124fb986e91541cc06cff9a97eed369b5bfe9036141e8d294e37589891d15e7b03

Download Submit
C:\Windows\SysWOW64\Acppddig.exe

Filesize
94KB

MD5
cd9c50831801a3c7d5bdad0958fc8b67

SHA1
31006cbe6213fcff02b556bfcda7322187dad8d2

SHA256
3215a515fea9ee53c55d3133a3db978eeaa18469376a0471c5a4a091abcf7e11

SHA512
1363a80774dc5dc1dff20b79482e7d2cb69e3030f95466e982026a2b9498eb9d453c24511242031ea460875ac08f8f696fd465ce0f20564b9f13ecc6c94f6ef4

Download Submit
C:\Windows\SysWOW64\Alpnde32.exe

Filesize
94KB

MD5
67c71d035807d7acdbb696d1e07fa306

SHA1
eef968e00d3c331898805cad8b9ed76a59b5eea8

SHA256
85e4fdefd0a724248d4542f6aaa41b44b92cd44ca367298586f4648a5fd33667

SHA512
f3c438eadf9ca3783ea6dacac2095bdd400a9ba8302a97975bed54d76f6632db98cba67aa9fe7e566a656029b61a5118395f3a56aa7d812afb551af2f654816c

Download Submit
C:\Windows\SysWOW64\Bfjllnnm.exe

Filesize
94KB

MD5
45e1ecd40c82ab33d8635f7b996c3af0

SHA1
14be8bc1af004e8c91d48f3cdf47b250978350b6

SHA256
9971310be509d2b1d735feddb721bc1ddfb11903fbf52d5d9265e19d91695f2a

SHA512
beb7fc92fc6e11b34615556e5a2d1d6abcab003e167566a20f0b9ea747be3d42ee62bd9f09f617d3636ec7c5fc03febc90a10edbe8d3a0e08f12469a32e7ed36

Download Submit
C:\Windows\SysWOW64\Cfjeckpj.exe

Filesize
94KB

MD5
0b32f7890da723e16fa2b6396561b19e

SHA1
3ff9c8e96e48178a62a6eacf16b78d1d71be136e

SHA256
177b32838357e16e8ed93963ad9a8f1ac2acbc76be5196420b0bdf967529f87c

SHA512
76f4079bdb93e95bcb832254ba3c3f356c12bb9cf9e58fa2b5de3075bfa4cbaa440e7e8b074b86155b129a2a75500778acfbadbba833289ca953efd8ee27aa9a

Download Submit
C:\Windows\SysWOW64\Ciknefmk.exe

Filesize
94KB

MD5
b97ef5e5765b808b8b88301b4dc7e9fe

SHA1
fa21b59de5b71465629934015c2793ef19bbe01e

SHA256
6e7479c05bfe93abd7c9ca753ba1794d82238e320d6e5f380e18265791f72ef4

SHA512
40e50d285458d64a6741f77d9a6bba0a0ddc064faaa2cd9e79a2b20bb5c7e03ea1612a1b513a76a9e2ab67dc5082751080e5d61407b52908efc937b2b7034adc

Download Submit
C:\Windows\SysWOW64\Cmmgof32.exe

Filesize
94KB

MD5
bc4a9bec3a86c134996c3d4239a2a900

SHA1
f853f72559bc9f39d73761c8429df9b2c054d2f7

SHA256
fcc23fec9bd74e881d56bfb4965f4b1f732d6be4ce7dcac841a80285cca9faa7

SHA512
bc9b0c551683c92ed7a7db2776b066662b2e7d55d4d65ada253d89d1aea035f9f8d97058eb144cfc8702859a471975df01f7ea6cdc8640dba42ccfd5d513b770

Download Submit
C:\Windows\SysWOW64\Daollh32.exe

Filesize
94KB

MD5
a1cc091fbcf56f4f778a68a3aff96799

SHA1
23db5e2d2e04b58378e811502acf871b3d7960f0

SHA256
237291d8fd33ea2bb5fe4cbd1209277d3f3652259959c093588c9b3480afee9a

SHA512
53e23f20bc8bfd6e307438de6e6ead7b1301f8da4d3a12c13a0207d8b4b8961138277bacf057537256f271eaa5de8064c07bb1df367d612419f2c7a3512f0e3a

Download Submit
C:\Windows\SysWOW64\Dckoia32.exe

Filesize
94KB

MD5
a71c58fb765956625a6640ca08eac35c

SHA1
97b68650637b819a84df86f6ac5649519d6b5097

SHA256
48a7dd354179438049c8daf89629c8a007acf66da3e42e06f858faa7f0efff88

SHA512
30f7b27f0cd4a336935b6749c8646d74d4ffc82e34877e7340c7def32a3b87039b51153a9e6f0899544f02e0800209846c029df2c89fb2a4107f7b8043d89709

Download Submit
C:\Windows\SysWOW64\Dcphdqmj.exe

Filesize
94KB

MD5
abe8c47b238daee8ce832656c5fa8321

SHA1
425510ebaf261ce6d93a2aae83f47b12641da9ce

SHA256
91c5e5b8a937a2350950238cd1f5d98b171bc2889a3dbbbbb2b8283b38df2172

SHA512
6468f40f6232e7adab3a6ff467227ab061d0d648ede8cb82c617650a6fda51c8838e4c28fb92730dbf49445b3f3f4d895953db7947822199d87ffd9b769ca04e

Download Submit
C:\Windows\SysWOW64\Ddekmo32.exe

Filesize
94KB

MD5
430b803365e11008b6a42ffbe3fd105c

SHA1
d416c01714159a3384cf7e92e8b5ff232a31020a

SHA256
44f7d0700f0bf809af072945550b1dd679cc3b76a2c27c7126622bed50bdda8f

SHA512
cc160175273c62e9447c0eceedafd7d1c95696bdea35225d0ad0f659be3001e4d30dd5c1cd1e94b9d299c014dc420a8ebf92b5217f29a6eaeee313ba44acad7a

Download Submit
C:\Windows\SysWOW64\Ddfbgelh.exe

Filesize
94KB

MD5
e323a2d34c616d698ae1e39a4b68cc91

SHA1
0f723d840b0f14641d89a0dc1da081aa8d3b3952

SHA256
e19fdb3b67a5b318a22d291084a44ecb0e5f0cb412ba03f47b15faadaab580e7

SHA512
ecad97d189c78aa2ae33d6cc5382aef19db7d013cbaaa1262eee7801cadefd99ea87e66df964e60139da0c5ae7ad7d552e0596f2b4583860e78bd32e8a50cdec

Download Submit
C:\Windows\SysWOW64\Ddqbbo32.exe

Filesize
94KB

MD5
d9180e14d9ed9d3b40b43cdafef18d22

SHA1
f17e60f072d64a90882183432ff45024d7f1c368

SHA256
eda48a1e4a715d90d1dd17b78964090fbbed3e45ad2e5a557170881d71db42b0

SHA512
73ae2185a7b2fd4b1d6ea4cb5b470e469657c14a7829a88178c7cdff966b8972ceb675b2253b7be24421be4a9ebac19ffd974d1d680804f25bb01f44efe0e3b7

Download Submit
C:\Windows\SysWOW64\Dgdncplk.exe

Filesize
94KB

MD5
88a4628b645bece70cf6f614c9ea1e21

SHA1
1a4871ecc3e34091625dedcb10d9d7c2765e8e07

SHA256
ae27835df389a73574cf7f45b0b83f59955d81b3492878fd72c331195fff16af

SHA512
3a9dd9b94408564425581526d685892523b6779508febdc8b6abffbc6f54cb37e187ac03fa672c1c094a978dce765de7675b0db376acd7264c096602b99b2d7e

Download Submit
C:\Windows\SysWOW64\Dgihop32.exe

Filesize
94KB

MD5
7463ee902fb122dffb86d6938a1e914c

SHA1
04d03150ebcfdb86fb194bcba56013a3504c85a7

SHA256
abc2682b71e827686b0954eea857add40954af45e6ea6cee128c5dd324c72966

SHA512
658bcc4c20823c928bced83caac8cac7fd64c7150ba11d36601cd6ab69f95fbaa23d142beb9634d31e320d6792178c0f8a340b867d8eaa1b905ba65d3f9bc4ca

Download Submit
C:\Windows\SysWOW64\Dkbgjo32.exe

Filesize
94KB

MD5
9d02f4e896de255a3bca35fce3a9989a

SHA1
ed25160aef538eb8c541e2f73cc0487a066ea031

SHA256
7d013d380cbb1707282fd869c43d45b15e40f3c7099e1094c920a5f8048d7bdf

SHA512
0db58a81c6d61e334fa8d53c334972e6babc103a9160f8ad1ebbb4de4a8f7408c6cacc9b39f10af82adefc04b5839440f94b6605cba0d8aad2e3eca20bddd15b

Download Submit
C:\Windows\SysWOW64\Dnngpj32.exe

Filesize
94KB

MD5
8c886b1b6d1367cbacd367d703878075

SHA1
4c2bdb9585a27a2cabf5acd9975f21e65f922030

SHA256
b8607b29783bf5592636f0ec192ca3e3b4e81a1af7de5c7845c17a55ce33e35c

SHA512
1d2f29e5e296ade736cb0d7d54fcef1000e3472f75774fadff0fd6f5bfe8bd08bc81eef7d7c49563f63baa8198ceebdbe835ed93e92290b7f79b44de7fed6427

Download Submit
C:\Windows\SysWOW64\Dpmcmf32.exe

Filesize
94KB

MD5
876327a4dd95a8f92a09bfe5aae6bb7b

SHA1
4452eaa053ae5901434419e1c32547b775090873

SHA256
90908ee9a5d133c4e74a876379ac43e478f9f0e799a2dbd8f8f33932ae07c43e

SHA512
3dd9a04a35c60e058e09d8fe4a55350b99719e43f0f6dc975d00d89430e1204a59276ae171d9c9ddbbfabcc3c2fd4f8fcc60869016b769a7b65f172bad99e444

Download Submit
C:\Windows\SysWOW64\Eafbmgad.exe

Filesize
94KB

MD5
ddb2577fe1301ae8855704071e6a4bcf

SHA1
dcd030eca4b7568c183173c5cf11c64d845ae837

SHA256
c537105e33e90cd149c936042bebd472cc078fa3694f0f417f0d08a9796b7073

SHA512
5e6b84d48fbf698b9cdf9decd0d675e573ad212d288f2290b23e90083ddd4aa2c417298bb62acf71ba1afa70a438fa1373b7e7ad1222ef14a82e42666fc2cfa1

Download Submit
C:\Windows\SysWOW64\Eajlhg32.exe

Filesize
94KB

MD5
d7af8a2df570893c1310dc1346f9b9d9

SHA1
6ba25e14e33eb988a27c75b39314a9d03a2d4497

SHA256
79acf9cd01dd181ef504a25f3440bd19089967d2d2c9fa195c00156f41eb4d9c

SHA512
7ebc516a75c2811b9c87c9e60021882c5cec4859d50d910f0c60773c79902ca480362fbd7e882b207358e33d9d5eada1fb6f7591ce106a026a56c9366db7a3ad

Download Submit
C:\Windows\SysWOW64\Ecgodpgb.exe

Filesize
94KB

MD5
507d75e1be7a5e2f3115fce905c5c7b9

SHA1
730523d3decb78a92e0e4437bf8a9bb351c82de9

SHA256
6e14d7392fe3ff36608edfadf066b0c086e47858488b901bce199a52b1ab5580

SHA512
3b87f500bf9e0136d3b5846fe2e5560786fbba6f9f27a9f768d76ccd0b4f4eacf7a23c63bf98638aa4055538b25e435b6981f913b198fa29c88a8e70d8fb80e9

Download Submit
C:\Windows\SysWOW64\Edoencdm.exe

Filesize
94KB

MD5
9df8e198e790c06220a0adc98f999bcf

SHA1
f728efdae24ae3afec6587a1d5bd3e554233398c

SHA256
521031c36764cc0191b4ce494a7054f2a4ad50e63cc5d48a3cb09bfab893629b

SHA512
7133fe7c4692a7a68ec93d541b90bde9aabb4758884839f31583e7bec2489f17202659c9c163aa88dcdbfa11c8b1d1482016e26254728612f3ad72bc5419ba48

Download Submit
C:\Windows\SysWOW64\Efehkimj.dll

Filesize
7KB

MD5
1a7e165836ee9b6a592e7e651fde84f3

SHA1
495689687d0cfa21a8d623fd45655b815be60c12

SHA256
e08faec1b128f0cdcf0b267b089460b21654230c967efcc2fcac67251bb72285

SHA512
dc720b45abd8286a85c583f3b4968b55a24b301f5f3b6c50c09d3d16d21d5bf8b090019ab360232dad31637aba82ce34cb52e318d52161f838e90ec654d9c8c9

Download Submit
C:\Windows\SysWOW64\Egegjn32.exe

Filesize
94KB

MD5
6155f3a2600131ef0d16a956267b75ce

SHA1
e453cc45cf4b36f31daa5a853ab97dbda282ad63

SHA256
9125eae42966ae8701ab0c75ed4d3452bfe5bb1a74d81378fe039193fa0eb3d5

SHA512
8ca5b19458359f7e914e0446504d3a1d687278dff9b4ed646e16e072f2dfd16dda67695396e62fdd943882834ef29d43b3a3e94ceaeb29bc12f82cf8667d16df

Download Submit
C:\Windows\SysWOW64\Egnajocq.exe

Filesize
94KB

MD5
ef097641956884e2576e82c87ad8dff2

SHA1
85c7d10e99913b284b70b10047f3e8d44a9e0ca8

SHA256
23f25529633b1e371fa80ee71acb9d76cd28f4ebd91395c49741c86de9864125

SHA512
33e4ef8d8cab2c3c13798f4b149c742b5aea2ecaf8dfb0fb78cb06f0f7305e8159a4cbdecab5838556cba026e111b111ada356bc3d00b55df839ce4c44d3f27c

Download Submit
C:\Windows\SysWOW64\Egpnooan.exe

Filesize
94KB

MD5
4efb52a2f70b12a9c8b7d07d8815673f

SHA1
afe870a7dcf9d06ca9b0d3dfe8a6cef0ab31eaf6

SHA256
3671bf2387ba2dab77c4d27eb487b19b305f78037d445c232c1abf6bad1117aa

SHA512
31108701c9000a3f5c18e2444efe973a9449deefbc2a60c5089f0e43a467e1f6f4d7fe03fc9ad1b3dd571d0b2148a0a099e701c6fbcb8d4d3ebc7a628e3ea0aa

Download Submit
C:\Windows\SysWOW64\Ejjaqk32.exe

Filesize
94KB

MD5
dce2441517e6d9e8e875eac23e474b73

SHA1
39ab66b263a8fe8d3fa2aeb2db264352fab0fa9d

SHA256
4bdca9986f560e1f289365ee71021199426ff61547595448ffa71b78a205fcfd

SHA512
aaf7c835e9d604647d2872726eead509f158db56f472228bb9f9c53f6d50882a70b80564d0d386b834dcffffd62536b4b10cd91f1543ca2791ee9ced27d7bfbc

Download Submit
C:\Windows\SysWOW64\Ekngemhd.exe

Filesize
94KB

MD5
58463c3a263bbf660008f5c66fbc04e2

SHA1
2378af4f4db62ae84dcca5363144fd1fd6f4b948

SHA256
88ed0749910e28a435ad322897f13281d2a5facea9723cf676d7da3efd952044

SHA512
a941ea5ef8ca5a7c91c863f4ca431a0957b115d6ff3620563334236e939feb8f241fc8d939720aba36c26bde0322150b8454bc24985b5ad775e075b4a7b12db5

Download Submit
C:\Windows\SysWOW64\Enhifi32.exe

Filesize
94KB

MD5
f6b52b5362a011924330392ca3a0d88c

SHA1
b07956ef65f668a53ca510c00d1d6b6efc0e038f

SHA256
e972738f5cfdbf6a77f7d5b1dc1c95bfba583f47468fcab82771cd4eb81fc3af

SHA512
efb050195f84f2d6c7d69aff9737bb7dc6b38ce7d5fa2894ea8448e5c847affd563de9f6d3e4577be9530bd1c6a3f0247b9b1b75fe8dfa38d21d58b82af60736

Download Submit
C:\Windows\SysWOW64\Eqkondfl.exe

Filesize
94KB

MD5
7529097b4149904a650ca6a39e71fdbf

SHA1
4dc47ef53f3dadad600dbca068c7ee388c5ada9b

SHA256
609399ec395b2dce4aca97262205b07c17a2d086f070a0edf22e5510672118d2

SHA512
d70f98b1750cb93470a082864cd87b34aa67d300ff3369d8d4e11f5e017123179c6d3cd0fdb430b72887578aa838be622a24a097f12400a3de4faf911a12e255

Download Submit
C:\Windows\SysWOW64\Fcbnpnme.exe

Filesize
94KB

MD5
8607596524ef78aa5050fde6e6771fc7

SHA1
27f778ae43cefb8323146209fc530964412a5c34

SHA256
7dbf0ea42fcb9882a91cb2e0aac708a6b1537fde7b3fafaef79a39e1dd4c221a

SHA512
ecb7dc3703664f64817ebbf25bc93d564a43d56c82de04c8c4c60bd4050250b983bf22b44f0a8dc74f77ab5e84fc4c48a66f5e4aca04212800c2b7a72d416c20

Download Submit
C:\Windows\SysWOW64\Fclhpo32.exe

Filesize
94KB

MD5
509948d430117a71832d5adb36d70d01

SHA1
4ac5aa43d13b599548e031bb3f7fd7aff5e94125

SHA256
a8ed2df181d11b7a15410b4accd4d9f47230cd62811b8ff2cffb0e0768d1c10d

SHA512
37766951c29e7a739e8d7942073b57f372bbf7f7966496fbfa79a7029330e934381bac27e847a44e520415c169764328495d7ba8dd5ac8443294f775ed171392

Download Submit
C:\Windows\SysWOW64\Fcpakn32.exe

Filesize
94KB

MD5
f6a930ad71e54dccc58e3a2b9f5ae87c

SHA1
6da204bf711809bc7ca35ee5efaac42b4a996824

SHA256
baf06095bbb3bf1e75084d92e594de7cd2bb674d39bebcad2c8311301fcf4375

SHA512
e68ff10d22af63930fb8898d0289b7a9244969aa5272d593cab4146903aaa55fc1e78f1c6381dbc7a649e0ee9e8507ad8d295cfacb04f2d29924dc039718691b

Download Submit
C:\Windows\SysWOW64\Fkemfl32.exe

Filesize
94KB

MD5
f0555e21d60e071781cc5a5fc46f0f2b

SHA1
b94b65e93f2f9407ef4cd662d964800c352929c8

SHA256
78b68be126b0a8958f09a851d1c38a32625c2f863c587db0d8ce59365fb76227

SHA512
9cc0ce50fd178a7bcba86ba041a9c22188a0d22fb0521e70c9cc8d21a93a34ba86a3c6bb5ebafa133499bb11a4442ace1c670dbc1b93c7107c5fba1a91f6e785

Download Submit
C:\Windows\SysWOW64\Fnalmh32.exe

Filesize
94KB

MD5
ccaf902342efe2f6c76248c8cba8873c

SHA1
60306da36d89402e9c47a152346afc0218e30216

SHA256
7f7172ac8db8c308bc039b5c0c24c85bcc9c8e57bd5dacc72414ca83e2e2203a

SHA512
bf1034fa4dfb0d5f240beb0011df214adff66592468960595aa944c8f269bf7ef9ae6ce4a2aa966b8ee5c0dcf4b7f419b252d1279104468da5dd70ae7f55ec0e

Download Submit
C:\Windows\SysWOW64\Fnffhgon.exe

Filesize
94KB

MD5
72c1eed98f32e6fd24613c89598df08a

SHA1
77066e4498c2c2ddf112633e9415b83926cafa00

SHA256
c9db5035d6a6421e1a38fd202922a877e1f34b96f3de8a98b6404d9100862202

SHA512
0bf091634dde1e6059a4767f33ce12cf733d2e14a0f175f5c1ec358cf336f2ef6dab540bb48cd63eb5378acae37372524547ffe4c61d8e5e9e26d98bfb7895e7

Download Submit
C:\Windows\SysWOW64\Fqbeoc32.exe

Filesize
94KB

MD5
679d9de427518d2b9e1f38853aafa315

SHA1
7bec5af28f5ffc631ca3150ab538ccfb2886020d

SHA256
cb4b07eb174bd6547620b9baf36fb16917086fc7951a15ff1e0d8c15abe40dcb

SHA512
28a65147113e71d89dea4c5cfb24c61fd0c86a1cf629078536da641f341e7253ddb921d0232538489cd2d40ca343fa92398f6ab2c2b68e738e3eb4c92a7f0f1a

Download Submit
C:\Windows\SysWOW64\Fqphic32.exe

Filesize
94KB

MD5
c5fabb795c7b07d452231e3cf041e947

SHA1
8ee5ff0658ad52af63e36f3d3a5e4d96be1e0214

SHA256
2d1c8374547b292b66253531c377d2dfd6b28f8c43cc1027dc9a39c8782df646

SHA512
6bf3638496ed16b952a81fc26c7c98f1c92c4f88cf10bc7fc0dd30c9672e947ae9598cc0ccf4f4baf4c325c8972cc4ac42a75bb7cbaf2a7609eecc0310df7d55

Download Submit
C:\Windows\SysWOW64\Gbhhieao.exe

Filesize
94KB

MD5
74bcaba3a3b0b9dcca1be40910fa06a1

SHA1
146ed0d982b1929de0f233dedf8de236cb683b42

SHA256
bcb4a420e44f890d5c1e531946d991bd3c375a0a57c8d75b9a2a8c47c1d65403

SHA512
cebc7b39dd6893b559ff9a72e7e3b441e30da090c7f8ea8ff533c48c76761319857278e8016e23cd8dc834ab82e1af72609e7a7cc1a987ba78f9bf496ce9fb06

Download Submit
C:\Windows\SysWOW64\Ggepalof.exe

Filesize
94KB

MD5
2375d6972f44307497979cdedf87a8f8

SHA1
8c49515bdd531e7586787535cf217070e77bf65a

SHA256
1cfb0bcd1451aa3a2c6063f4a422fb9a0f4c3cb4bfef3726c47d19b017f253a8

SHA512
4c73b69a228983c12b88bb5f7424d01fb588f085a7c4f82e9feedd885051e645710f74a26cad128aee2443f75dd38662852cf763fbef2965a6b5c821d808ee5f

Download Submit
C:\Windows\SysWOW64\Gkoplk32.exe

Filesize
94KB

MD5
2f95ac098e793cae52b6ef24dec9ca5e

SHA1
18f370b60eb75778358bc503e5df2b997dad8113

SHA256
2872e0a511a84efa28b1bb7246c53dfda92ff8fd4be436c931c0439a7dcde7cf

SHA512
dfd20494452b62574ed9779922502b0eb396d03ffbcfabbe47336badaa9a1c404cc35fc1a758d7219df30a2555ab7e9e5f5eca0c6938fbfee11075c3f9d15b2b

Download Submit
C:\Windows\SysWOW64\Gnohnffc.exe

Filesize
94KB

MD5
a0ff1e2f796b95bc172aba7e644ba790

SHA1
5f737d7a592057303fe5e38ca3bd04aab258d58d

SHA256
a9d2f0b747a61a82fc86fffc19c3ab43a55f8148f690409c1735c9c6c996bcf4

SHA512
e652d64a381b659079c46c146f366a5b6c0f31d57777e8aa7915d925537ab2673c4af60c668e5275ce7e029c117d453e46944ad32ae4b3f355031f82b0a3bfa0

Download Submit
C:\Windows\SysWOW64\Ijbbfc32.exe

Filesize
94KB

MD5
7b6b2e0e645fc614751b6f85a9f50a1f

SHA1
ab7520e65195e33955af254000a9efdf21555a80

SHA256
fd0de435c77a41f9fa4605b6e49ce7c325bfa74e8e575625cc561c1e4860024a

SHA512
ea698191b0998440248f9e2392ea781e7eaec1733f8bd15c1bc900aa4dde489531de0398925f7db6c27fa4af87a3abaffef7283e01a4d303bd2f936d304bffd5

Download Submit
C:\Windows\SysWOW64\Jhfbog32.exe

Filesize
94KB

MD5
9f1633af1535716715b5eab6a1390b4e

SHA1
8875292298a651af2c0846c3d0d02d8efe77ddba

SHA256
4ca86dc7b56f8313d4885bbe3c1d6eb6b8a5131d5c6b4de4ea1989fc33cfb481

SHA512
f487cdc6706ebb4a0679655af235b5a9db69a6fdba87ca641c0717e33c7f51afc2dfa9636b9d7b41674756fe8c33405c82d58056b43c30b98ac49e02abd2798f

Download Submit
C:\Windows\SysWOW64\Kalcik32.exe

Filesize
94KB

MD5
11cdd556e6ecda0e5316f443ad796331

SHA1
14ba60ff98c69a335443f78551ee0434e5060a48

SHA256
37b76ca693bb5645e40d478a99d03d713f1e406b50d46063391b978af7941d33

SHA512
62f47f18c19084145bacfacda7f0c101186e4543c548623510106c82cf24bd95b19f458eace33123d8633cad9bed01dd0c948322815720a5accb40050da792ed

Download Submit
C:\Windows\SysWOW64\Khabke32.exe

Filesize
94KB

MD5
16a2798e8da4883eceead1eff87cb19e

SHA1
a1bdc3d319e558978031dbc241d6d036dffb2d52

SHA256
0e77d3c09688c1f3129cba8de1e6717ddf2f7d70670fd2d49e04706992c82226

SHA512
a01d96d3c4766dd32d483e2d0d03719f1de94938e3cd1c8a9cbc79ef22b092d957a049686113f6b2ad4ae5b2ccd78e24c58a55ec6f1e9544981593823bf3c2d8

Download Submit
C:\Windows\SysWOW64\Loopdmpk.exe

Filesize
94KB

MD5
c968cd84e2d575b7d3177439475912e9

SHA1
4d6a81a4f9308e48c1cd02207f4ca09abab37e61

SHA256
95cf98e7395121f053155ee0787b88f0eb2c9f2b3ff03589bcf6ac2f0dea0d91

SHA512
bd667e100deb96d7a31a5907ee041d636582cf89df820ce57fce333b19db51da56d7dd26c74cff762940efd6e65d5728ef276ad06c8eee7ab56b7dd044059e6d

Download Submit
C:\Windows\SysWOW64\Obfhmd32.exe

Filesize
94KB

MD5
204e6d0b3c2c3ae72e29ac83d60345f8

SHA1
6f73f891748a6efa70c220da921f8aeac5030f62

SHA256
84a32866bb6efedc25a365a62311fc6e9be1b13292d897c850b27604a01c94c3

SHA512
1e307dccf952554ad247b1000567321d524bf08612fd854312a570bafa041fb065eaf0fd1395ed969adb84045f352e64119b3eb9b631c3155e6919dcb82a1a2a

Download Submit
C:\Windows\SysWOW64\Oooaah32.exe

Filesize
94KB

MD5
318cab1294c6a4541fde94153bf4919f

SHA1
355d32a71006737831e37d9b323b3e9ec5a53a44

SHA256
ba632f2f16525d0f786403af61c747923e7167b2734694aca37e7734828d5998

SHA512
93860c2f37abceb3053cce5d0b530adaab3aaca02f95c37dd99d9428bfb3ae1b964a067da1ee2b66b3738be20403f9b885f67de7a1082f7ba6363cf022fb323f

Download Submit
C:\Windows\SysWOW64\Pcfmneaa.exe

Filesize
94KB

MD5
89c0ab4a555a8e401cf5079050e488bb

SHA1
c5a96ab946e78c813e7e23220f8c2ae54d0328d5

SHA256
682094f65b6b8f6b3b6d61f3132d15842301ddf5495f6a73d99898efbd08619d

SHA512
25111ac6d24956a84e9f73903c5d535be8eafd40fe58e885b0f4384b93a9f1d27574ade4122751c0fe8c086538a438f3907023761d2ee49f472f8e6897444016

Download Submit
C:\Windows\SysWOW64\Qmanljfo.exe

Filesize
94KB

MD5
a331af274362b4ae6db21f97b046fc5a

SHA1
aa3746017091404b7ab6cf3ec02f213192731cf9

SHA256
b8142d865f0b8d5fb42f5398a2dfc9e1d93eebf80ab4af738ec5b6f035fe65db

SHA512
6a92199a2a0a5723fdda4cbc8e214aaa7695210b73247785963fe68876b35617fbacd707720cb964570078205ed9793cfd2eae7dd0550cc015255e57e6383dde

Download Submit
memory/208-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/316-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/436-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/676-242-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/724-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/852-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1028-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1340-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1424-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1424-544-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1520-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1572-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1676-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1724-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1732-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1780-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1784-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1816-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1932-308-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2028-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2052-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2236-454-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2264-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2332-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2436-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2460-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2596-466-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2680-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2680-551-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2696-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2756-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2772-159-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2784-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2800-472-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2960-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3008-484-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3036-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3120-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3124-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3136-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3212-132-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3220-592-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3220-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3244-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3352-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3416-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3560-460-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3836-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3836-565-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4032-236-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4060-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4144-296-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4148-37-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4192-599-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4192-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4228-448-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4252-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4336-290-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4356-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4360-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4400-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4412-490-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4432-191-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4528-183-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4576-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4624-478-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4648-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4648-578-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4752-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4752-558-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4764-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4860-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4888-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4888-585-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4920-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4932-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4936-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5012-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5048-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5080-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5160-496-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5204-502-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5244-508-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5296-514-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5340-520-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5380-526-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5420-532-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5460-538-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5508-545-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5556-552-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5600-563-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5644-566-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5688-572-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5728-579-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5772-586-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5816-593-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads